{
	"id": "9ce95483-a4c0-41eb-a309-a83cdde31876",
	"created_at": "2026-04-06T03:37:45.359936Z",
	"updated_at": "2026-04-10T13:11:47.133022Z",
	"deleted_at": null,
	"sha1_hash": "f7bafef3d35ab4278cc39d738b5ed96781be31c7",
	"title": "VERT Alert: SolarWinds Supply Chain Attack | Tripwire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54160,
	"plain_text": "VERT Alert: SolarWinds Supply Chain Attack | Tripwire\r\nBy Tyler Reguly\r\nPublished: 2020-12-18 · Archived: 2026-04-06 02:53:05 UTC\r\nVulnerability Description\r\nThe United States Cybersecurity \u0026 Infrastructure Security Agency (CISA) has advised that an advanced persistent\r\nthreat (APT) actor was able to insert sophisticated malware into officially signed and released updates to the\r\nSolarWinds network management software. The attacks have been ongoing since at least March 2020 and CISA\r\nhas warned that many high-value targets within government, critical infrastructure, and the private sector have\r\nbeen compromised. Private security firm FireEye has also disclosed that the attackers were able to steal their\r\nprivate collection of hacking tools and techniques used for security audits.\r\nExposure and Impact\r\nSuccessful compromise through the SolarWinds Orion backdoor could lead to complete compromise of a targeted\r\nnetwork. Compromised network management software (NMS) provides deep access for an attacker to move\r\nlaterally through a network and obtain credentials. Although not all organizations installing the backdoored\r\nversion of the SolarWinds Orion software were necessarily compromised, all such organizations must assume that\r\ntheir network may be fully compromised.\r\nTripwire VERT recommends that all organizations review their systems for indicators of compromise related to\r\nthe malicious SolarWinds updates as well as the FireEye Red Team Tools. Detected compromises should be\r\nhandled through a security incident response process.\r\nTripwire IP360 users should have received ASPL updates.\r\nTo manually download this ASPL and/or its release notes: visit the Product Downloads section of the Tripwire\r\nCustomer Center, select CONTENT \u003e choose either the \"VERT Ontology\" link under NAME or the desired ASPL\r\nnumber link under TW UPDATE.\r\nFor Tripwire Enterprise users, we have released Tripwire Enterprise policy with tests for SUNBURST IoCs\r\nincluding file hashes for various versions of the compromised SolarWinds.Orion.Core.BusinessLayer.dll files and\r\ncode signing certificates. Additionally, the policy contains file hash tests for FireEye’s red team tools that were\r\naccessed by attackers.\r\nTo manually download this Tripwire Enterprise content, visit the Product Downloads section of the Tripwire\r\nCustomer Center.\r\nDetection\r\nhttps://www.tripwire.com/state-of-security/vert/vert-alert-solar-winds-supply-chain-attack/\r\nPage 1 of 3\n\nASPL-920 includes the following Windows DRT checks related to the SolarWinds backdoor and associated\r\nexploitation:\r\nSolarWinds netsetupsvc.dll Library Installed (ID: 467518)\r\nSolarWinds SolarWinds.Orion.Core.BusinessLayer.dll Library Backdoor (ID: 467516)\r\nASPL-920 also includes the following checks for all vulnerabilities exploited by the FireEye hacking tools:\r\nCVE-2019-11510\r\nTitle: SA44101 - 2019-04: Pulse Connect Secure CVE-2019-11510 Arbitrary File Reading\r\nVulnerability\r\nID: 432095 (non-DRT)\r\nCVE-2020-1472\r\nTitle: MS-2020-Aug: Netlogon Elevation of Privilege Vulnerability\r\nID: 451635 (Windows DRT)\r\nSSH-DRT IDs: 459913, 459873, 459499, 459474, 459423, 459367, 459366, 459365, 459318,\r\n459212, 459211, 459179\r\nCVE-2018-13379\r\nTitle: FortiOS CVE-2018-13379 Path Traversal Vulnerability\r\nID: 466495 (SSH-DRT \u0026 Non-DRT)\r\nCVE-2018-15961\r\nTitle: APSB18-33: Adobe ColdFusion Unrestricted File Upload Arbitrary Code Execution\r\nVulnerability\r\nID: 447353 (Windows DRT), 447352 (SSH-DRT), 447310 (WebApp)\r\nCVE-2019-0604\r\nTitle: MS-2019-Feb: Microsoft SharePoint Remote Code Execution Vulnerability I\r\nID: 416822 (Windows DRT)\r\nCVE-2019-0708\r\nTitle: MS-2019-May: Remote Desktop Services Remote Code Execution Vulnerability\r\nID: 422448 (Windows DRT \u0026 Non-DRT)\r\nCVE-2019-11580\r\nTitle: Atlassian Crowd CVE-2019-11580 pdkinstall Vulnerability\r\nID: 35222 (Non-DRT \u0026 WebApp)\r\nCVE-2019-19781\r\nTitle: Citrix ADC Application Arbitrary Code Execution CVE-2019-19781 Vulnerability\r\nID: 437315 (Non-DRT)\r\nCVE-2020-10189\r\nTitle: Zoho ManageEngine CVE-2020-10189 Cewolfservlet RCE Vulnerability\r\nID: 467510 (Non-DRT)\r\nCVE-2020-10189\r\nTitle: Zoho ManageEngine CVE-2020-10189 Cewolfservlet Deserialization Vulnerability\r\nID: 467515 (Non-DRT)\r\nCVE-2014-1812\r\nhttps://www.tripwire.com/state-of-security/vert/vert-alert-solar-winds-supply-chain-attack/\r\nPage 2 of 3\n\nTitle: MS14-025: Group Policy Preferences Elevation of Privilege Vulnerability\r\nID: 94146 (Windows DRT)\r\nCVE-2019-3398\r\nTitle: Atlassian Confluence Security Advisory 2019-04-17: Downloadallattachments Resource Path\r\nTraversal Vulnerability\r\nID: 422182 (WebApp)\r\nCVE-2020-0688\r\nTitle: MS-2020-Feb: Microsoft Exchange Memory Corruption Vulnerability\r\nID: 440153 (Windows DRT \u0026 Non-DRT)\r\nCVE-2016-0167\r\nTitle: MS16-039: Win32k Elevation of Privilege Vulnerability\r\nID: 226259 (Windows DRT)\r\nCVE-2017-11774\r\nTitle: MS-2017-Oct: Microsoft Outlook Security Feature Bypass Vulnerability\r\nID: 313178 (Windows DRT)\r\nCVE-2018-8581\r\nTitle: MS-2018-Nov: Microsoft Exchange Server Elevation of Privilege Vulnerability\r\nID: 412491 (Windows DRT)\r\nCVE-2019-8394\r\nTitle: Zoho ManageEngine Service Desk Plus CVE-2019-8394 File Upload Vulnerability\r\nID: 467517 (Windows DRT \u0026 Non-DRT)\r\nSource: https://www.tripwire.com/state-of-security/vert/vert-alert-solar-winds-supply-chain-attack/\r\nhttps://www.tripwire.com/state-of-security/vert/vert-alert-solar-winds-supply-chain-attack/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/vert/vert-alert-solar-winds-supply-chain-attack/"
	],
	"report_names": [
		"vert-alert-solar-winds-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446665,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7bafef3d35ab4278cc39d738b5ed96781be31c7.pdf",
		"text": "https://archive.orkl.eu/f7bafef3d35ab4278cc39d738b5ed96781be31c7.txt",
		"img": "https://archive.orkl.eu/f7bafef3d35ab4278cc39d738b5ed96781be31c7.jpg"
	}
}