SolarWinds MSP Security Update

Please Note: SolarWinds MSP products were not impacted as part of the December SUNBURST attack nor the SUPERNOVA vulnerability, based upon our current investigation. Read the full FAQ below for more information.

Is SolarWinds MSP impacted?

  • SolarWinds MSP products were not impacted as part of the December SUNBURST attack nor the SUPERNOVA vulnerability, based upon our current investigation.
  • We have been continually working with CrowdStrike and KPMG, who are conducting comprehensive threat investigations of the full SolarWinds environment, including SolarWinds MSP. Based on the investigation to date:
    • There is no evidence of lateral movement into the build environment.
    • The threat actor did not modify MSP product source code and these products are not impacted by SUNBURST.
  • This FAQ provides a list of all products known to be impacted by SUNBURST related to SolarWinds® Orion® Platform versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. It also includes a list of all products not known to be affected, which includes all SolarWinds MSP products.

What is SUNBURST?

  • SolarWinds was the victim of a cyberattack that inserted a vulnerability (SUNBURST) within the SolarWinds Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. More information is available here.

Who was the target of the SUNBURST attack?

  • This was a highly sophisticated nation-state attack which inserted a vulnerability within SolarWinds Orion Platform software.
  • SolarWinds and other companies were victims of this attack; SolarWinds was not alone.

What is SUPERNOVA?

  • Shortly after SUNBURST was announced, third parties and the media publicly reported on malware now referred to as SUPERNOVA. Based on our investigation, this malware could be deployed through exploitation of a vulnerability in the Orion Platform. More information is available here.

How do you know SolarWinds MSP products weren’t breached?

  • We have been continually working with CrowdStrike and KPMG, who are conducting comprehensive threat investigations of the full SolarWinds environment, including SolarWinds MSP; there has been no evidence of malicious SUNBURST code in MSP products, nor any evidence of the lateral movement of SUNBURST threat actors into the SolarWinds MSP environment.
  • This FAQ provides a list of all products known to be impacted by SUNBURST related to SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. It also includes a list of all products not known to be affected, which includes all SolarWinds MSP products.

What do I tell my customers when they ask if they can trust SolarWinds MSP products?

  • SolarWinds MSP was not impacted as part of the December SUNBURST attack nor the more recent SUPERNOVA vulnerability, which is separate from SUNBURST.
  • We have been continually working with CrowdStrike and KPMG, who are conducting comprehensive threat investigations of the full SolarWinds environment, including SolarWinds MSP; there has been no evidence of malicious SUNBURST code in MSP products, nor any evidence of the lateral movement of SUNBURST threat actors into the SolarWinds MSP environment.
  • This FAQ provides a list of all products known to be impacted by SUNBURST related to SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. It also includes a list of all products not known to be affected, which includes all SolarWinds MSP products.
  • SolarWinds MSP products are secure by design; they follow a rigorous incident management process, and they adhere to a secure development lifecycle.

Do SolarWinds MSP products share code with Orion?

  • SolarWinds MSP is a wholly owned subsidiary of SolarWinds; our product and R&D teams have their own leadership, standalone roadmaps, and separate code repositories and build environments.
  • We have been continually working with CrowdStrike and KPMG, who are conducting comprehensive threat investigations of the full SolarWinds environment, including SolarWinds MSP; there has been no evidence of malicious SUNBURST code in MSP products, nor any evidence of the lateral movement of SUNBURST threat actors into the SolarWinds MSP environment.

What if my customer says they are required to remove all SolarWinds products?

  • Neither CISA, CERT, nor SolarWinds has recommended removal of SolarWinds products.
  • This FAQ provides a list of all products known to be impacted by SUNBURST related to SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 unpatched, and 2020.2 HF 1. It also includes a list of all products not known to be affected, which includes all SolarWinds MSP products.
  • If you or your customer is a SolarWinds Orion customer, we recommend you visit the SolarWinds Security Advisory and the SolarWinds CERT Advisory for more detailed information, including details on the Orion-specific SUPERNOVA mitigations.
  • We have been continually working with CrowdStrike and KPMG, who are conducting comprehensive threat investigations of the full SolarWinds environment, including SolarWinds MSP; there has been no evidence of malicious SUNBURST code in MSP products, nor any evidence of the lateral movement of SUNBURST threat actors into the SolarWinds MSP environment.

Do you have any resources we can point customers to who are still concerned?

  • You may share the link to this site externally.
  • This blog post, authored by the CrowdStrike team engaged by SolarWinds, provides additional details and contains valuable information intended to help the industry better understand attacks of this nature.
  • This blog post contains updated information on the findings of our investigation.

What have you been doing to address partner concerns following the attack?

  • We remain committed to transparency with our partners and to addressing concerns.
    • We scanned our code to ensure there was no trace of the SUNBURST and SUPERNOVA vulnerabilities that were present in the Orion Platform.
    • We communicated proactively, beginning on the day we learned of the attack.
    • We obtained a new digital certificate with a unique thumbprint for SolarWinds MSP products, separate from Orion.

What additional steps are you taking to protect your partners?

  • We are focusing on specific initiatives to:
    • Further secure our internal environment.
    • Enhance our product development environment.
    • Further ensure the security and integrity of the products we deliver.

Are you working with third parties to help you and who are they?

Why did you change the MSP digital certificates if you aren’t impacted by the attack?

  • In line with industry best practices, and to provide additional assurance to all of our customers, we made the decision to digitally re-sign our products and have requested (and received) a new digital certificate, which reflects a recertification of the authenticity of SolarWinds products, both current and future.
  • We will be continually updating product-specific recommendations and technical details on the Release Notes site, which serves as a centralized resource. Please subscribe for the latest updates: https://status.solarwindsmsp.com/release-notes

How can I get copies of the certifications for SolarWinds MSP?

Are you still spinning off as your own company?

  • Last August, SolarWinds MSP announced a potential spinoff and, continuing that momentum, on December 28 we announced our new name, N-able.
  • The proposed spin-off, we believe, would enable us to further focus on supporting MSPs directly, allowing for even greater investments in R&D for new products, new partner success programs, and new market-building resources.

Was the name change because of the Orion incident?

  • The name change is part of our continued motion to explore a spinoff of the SolarWinds MSP business and was not related to the SolarWinds attack.
  • N-able extends the roots of who we are as a company. It’s all about the performance, protection, and partnership you need to power your clients—and your business—forward.

Where can I get more information?

We also encourage you to visit:
DHS: https://cyber.dhs.gov/ed/21-01/
CISA: https://www.cisa.gov/supply-chain-compromise
SolarWinds 8K: https://sec.report/Document/0001628280-20-017451/

If you are a SolarWinds Orion customer, we recommend you visit the SolarWinds Security Advisory and the SolarWinds CERT Advisory for more detailed information.

Also, read external coverage here:
https://arstechnica.com/information-technology/2021/01/30-of-solarwinds-hack-victims-didnt-actually-use-solarwinds/

What is the role of CISA and the DHS?

The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security (DHS), issued Emergency Directive 21-01 on December 13, 2020 regarding this issue. CERT issued Alert (AA20-352A), titled Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, as an update to ED 21-01 on December 17, 2020, based on our coordination with the agency. DHS released Supplemental Guidance to ED 21-01 on December 18, 2020; CERT revised its Alert AA20-352A on December 19, 2020; and DHS released Supplemental Guidance v2 on December 30, 2020 and Supplemental Guidance v3 on January 6, 2021 as part of our ongoing coordination with the agency. Additionally, CISA released a malware analysis report of SUPERNOVA on January 27, 2021. The latest information can be found here at the CISA Supply Chain Compromise page at https://www.cisa.gov/supply-chain-compromise, or at:

How can I stay up-to-date on all of this?

  • Please visit this page for regular updates, and if you have questions, please reach out to your customer success manager directly.

Can I talk to your security team?