See What Foreign Software Is Running in Your Environment
Use Case: SolarWinds Orion Attack

A malicious cyberattack was perpetrated against SolarWinds, a U.S.-based software firm that produces and maintains IT tools used by large companies and government entities. The attack exploited the SolarWinds Orion software.

Zero-Day Vulnerability and SolarWinds Orion Attack

SolarWinds Orion was the target of a software supply chain attack against the American software company SolarWinds, which develops and maintains network monitoring tools used by major corporations and governments. The hack was carried out by threat actors outside of the nation and exploited SolarWinds’ Orion software updates. The compromised updates were installed by more than 250 of SolarWinds’ customers, including Fortune 500 businesses.

How the Attack Unfolded

  1. Initial Compromise: The attackers breached SolarWinds' build environment, where software updates are created and compiled. They inserted a malicious backdoor into the Orion software updates, specifically into the Orion Improvement Program (OIP) module.
  2. Malicious Code Execution: SolarWinds unwittingly distributed these compromised updates to its customers through its software update mechanism. When customers installed these updates, the malicious code was executed on their systems.
  3. Backdoor Access: The malicious code acted as a backdoor, providing attackers with unauthorized access to the compromised systems. This access allowed the attackers to move laterally within the network, escalate privileges, and conduct reconnaissance to identify high-value targets.
  4. Data Exfiltration and Espionage: Once inside the network, the attackers exfiltrated sensitive data, such as credentials, emails, and other proprietary information. They also deployed additional tools and malware to maintain persistence and further infiltrate the network.
  5. Stealth and Evasion Techniques: The attackers employed various stealth and evasion techniques to avoid detection, including disguising their malicious activities as legitimate traffic, encrypting communications, and using trusted system utilities to blend in with normal network traffic.
  6. Long-Term Impact: The SolarWinds Orion attack had far-reaching consequences, affecting thousands of organizations worldwide, including government agencies, technology firms, and Fortune 500 companies. The scale, sophistication, and duration of the attack underscored the need for enhanced supply chain security and vigilance against advanced persistent threats (APTs).

How ThreatLocker® Mitigated This Exploit

ThreatLocker mitigated the SolarWinds Orion attack by limiting what the application was able to do, in this case accessing the internet. The code that was placed in the SolarWinds Orion software would reach out to the internet, which happened to be an A-to-B server in the United States. With the Ringfencing solution in place, the attack was unsuccessful because the SolarWinds Orion application was blocked from interacting with the internet or browser applications, which hindered its ability to download the intended malware.

[Illustration: ThreatLocker blocking SolarWinds from interacting with PowerShell, files, and the internet]

ThreatLocker Key Uses

Proactive Approach to Cybersecurity

Unlike antivirus or traditional EDR, the ThreatLocker Allowlisting solution puts you in control of what software, scripts, executables, and libraries can run on your endpoints and servers. This approach stops malicious software in its tracks and also stops other unpermitted applications from running. Because anything not explicitly permitted is blocked, it greatly reduces the chance of cyber threats and other rogue applications running on your network.

Preventing the Weaponization of Legitimate Tools

Normally, applications have access to all the same data as the end user. If an application is absolutely necessary, ThreatLocker Ringfencing can implement Zero Trust controls comparable to, but more granular than, traditional application containment tools. Ringfencing controls what applications are able to do once they are running. By limiting how software can interact on your devices, ThreatLocker reduces the likelihood of an exploit succeeding or of an attacker weaponizing legitimate tools such as PowerShell. These controls can prevent an application from interacting with other applications, your files, your data, or the internet.
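To make the two controls above concrete, the following is an added illustration of the decision logic behind default-deny allowlisting and ringfencing. It is not ThreatLocker's code and does not reflect how the ThreatLocker agent is implemented; the file paths, binary contents, hashes, remote host and the `Orion.exe` process name are all constructed for the example. Execution requests are judged by a hash allowlist, and a running, allowlisted application is still confined by a per-application ringfence rule that denies network access, launching PowerShell, and file access outside its own directories, which is the behaviour the SolarWinds use case describes.

```python
"""Toy allowlist + ringfence policy evaluator (constructed illustration)."""
import hashlib
from dataclasses import dataclass, field

# Constructed paths; the Orion binary name is a placeholder, not the real one.
ORION = r"C:\Program Files\SolarWinds\Orion\Orion.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UNKNOWN = r"C:\Users\alice\Downloads\updater.exe"

# Constructed stand-ins for file contents; a real agent hashes the file on disk.
SAMPLE_BINARIES = {
    ORION: b"constructed-orion-bytes",
    POWERSHELL: b"constructed-powershell-bytes",
    UNKNOWN: b"constructed-unknown-bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist: only explicitly approved hashes may execute (default deny).
ALLOWLIST = {sha256_hex(SAMPLE_BINARIES[ORION]), sha256_hex(SAMPLE_BINARIES[POWERSHELL])}


@dataclass
class RingfenceRule:
    """What an allowlisted application may still do once it is running."""
    deny_network: bool = False
    deny_child_apps: set = field(default_factory=set)   # lowercase exe names
    allowed_path_prefixes: tuple = ()                   # file access elsewhere is denied


# Orion is legitimate and allowed to run, but it is ringfenced: no internet,
# no PowerShell, and no files outside its own directories.
RINGFENCE = {
    ORION: RingfenceRule(
        deny_network=True,
        deny_child_apps={"powershell.exe", "cmd.exe"},
        allowed_path_prefixes=(r"C:\Program Files\SolarWinds", r"C:\ProgramData\SolarWinds"),
    ),
}


@dataclass
class Event:
    kind: str                 # "execute", "network", "spawn" or "file"
    process: str              # full path of the acting (or launched) process
    target: str = ""          # remote host, child exe name, or file path
    file_bytes: bytes = b""   # contents hashed for "execute" events


def decide(event: Event):
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    if event.kind == "execute":
        if sha256_hex(event.file_bytes) in ALLOWLIST:
            return "allow", "hash on allowlist"
        return "deny", "not on allowlist (default deny)"
    rule = RINGFENCE.get(event.process)
    if rule is None:
        return "allow", "no ringfence rule for this application"
    if event.kind == "network" and rule.deny_network:
        return "deny", f"ringfence: network access to {event.target} blocked"
    if event.kind == "spawn" and event.target.lower() in rule.deny_child_apps:
        return "deny", f"ringfence: launching {event.target} blocked"
    if event.kind == "file" and rule.allowed_path_prefixes:
        if not any(event.target.lower().startswith(p.lower()) for p in rule.allowed_path_prefixes):
            return "deny", f"ringfence: file access to {event.target} blocked"
    return "allow", "permitted by policy"


# Constructed event stream modelled on the use case: Orion runs, then tries to
# call out, launch PowerShell and read user files; an unknown updater tries to run.
SAMPLE_EVENTS = [
    Event("execute", ORION, file_bytes=SAMPLE_BINARIES[ORION]),
    Event("execute", UNKNOWN, file_bytes=SAMPLE_BINARIES[UNKNOWN]),
    Event("network", ORION, target="update.example.invalid"),  # placeholder host
    Event("spawn", ORION, target="powershell.exe"),
    Event("file", ORION, target=r"C:\Users\alice\Documents\secrets.txt"),
    Event("file", ORION, target=r"C:\Program Files\SolarWinds\Orion\config.xml"),
]


def evaluate(events):
    """Return a list of (event kind, verdict) pairs for a batch of events."""
    return [(e.kind, decide(e)[0]) for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, reason = decide(e)
        print(f"{verdict:5} {e.kind:8} {e.process} -> {e.target} ({reason})")
```

The important design point is that the two checks are independent: the allowlist answers "may this binary run at all?", while the ringfence answers "what may this approved binary do once running?". Orion passes the first check and is still stopped at the second, which is why a trusted but compromised update cannot reach its download server.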

Limiting Application Hopping for Administrators

Elevation Control puts IT administrators in the driver’s seat, enabling them to control specific applications that can run as a local admin without giving users local admin rights. With applications such as QuickBooks that need to run with local admin access, elevation control can limit that access without impacting operational workflow, which can prevent the further spread of an attack, like application hopping, in case there is a breach in the endpoint.

Control Over Storage Devices and Data Access

ThreatLocker Storage Control provides policy-driven control over storage devices, whether the storage device is a local folder, a network share, or external storage such as a USB drive. Storage Control allows you to set granular policies, such as blocking USB drives or blocking access to your backup share except when your backup application is accessed.

ThreatLocker® Benefits

Increased Security

Increase endpoint security coverage and reduce the risk of potential security breaches.

24/7 Cyber Hero® Support

Resolve any questions or issues with our ThreatLocker Cyber Heroes, who are available within 30 seconds via the admin portal chat or by telephone, 24/7/365.

Save Time & Money

Reduce time dedicated to endpoint security by 25% and reevaluate annual spending on multiple licensing for antivirus and EDR solutions.

Seamless Onboarding & Deployment

ThreatLocker Learning Mode and Unified Audit simplify setting up your Zero Trust environment during initial onboarding and deployment.