Acronis Security Advisory: SUNBURST breaches SolarWinds’ Orion software to launch supply-chain attack

Reports indicate that SolarWinds’ Orion business software was compromised and used to distribute the SUNBURST malware in a supply-chain attack. The distributed malware then used elevated credentials, gained by compromising network traffic management systems, to target FireEye, a cybersecurity firm, and several U.S. government agencies. Details of the attack are available from the Cybersecurity and Infrastructure Security Agency (CISA).

Acronis response

While Acronis was not affected by this event, our cybersecurity analysts examined the attack and made further enhancements to our secure software development processes and controls.

In response to the incident, the following steps were taken to ensure the security of our partners and customers:

  • The experts at our global network of Acronis Cyber Protection Operations Centers (CPOC) have created signature-, behavior-, and AI-based detections for all files involved in this particular incident. Those detections are now active in our solutions to protect all Acronis users.
  • Acronis issued a Smart alert to all users on December 15, 2020 to make them aware of the SolarWinds breach, advise them of the available hotfix, and recommend remediation actions they should take.

Acronis’ secure software development life cycle

Acronis already develops its solutions with a strict, secure software development life cycle (SDLC) in place, which we continuously strengthen. During the past several years, we’ve proactively established build code defenses to ensure we have best-in-class protections in place:

  • Our build system is isolated, restricting access.
  • We keep binary-signing keys in hardware-backed private key storage, ensuring the private key cannot be exported or leaked.
  • Signing a binary module is not permitted without a corresponding source code commit.
  • All code changes are reviewed – self-approval of pull requests is not allowed.
  • Multi-factor authentication, which is under constant improvement, is required for remote access to the network.

Staying ahead of the curve

As part of the continuous improvement to our build code defenses, we have several enhancements scheduled for Q1 2021, including first-of-their-kind solutions that will:

  • Require cryptographic signatures for all commits to Acronis’ source code
  • Replace password-based authentication for critical systems with smartcards for single sign-on (SSO) authentication
  • Layer additional self-defense measures designed to prevent manipulation of Acronis services – even by users who have local administrator roles
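The following is an added example (not Acronis code) of how the release controls listed in the two sections above can be enforced as a single gate in front of the signing step: an artifact is signed only if a build record ties it to a known source commit, the commit's pull request was approved by someone other than its author, and (for the planned signed-commit control) the commit itself carries a cryptographic signature. All commit ids, names and artifact bytes are constructed for illustration; the actual signing operation is assumed to happen elsewhere, on the hardware-backed key.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    approver: Optional[str]  # who approved the pull request; None if nobody did
    signed: bool             # commit carries a valid cryptographic signature


# Constructed repository history (hypothetical commit ids and people).
COMMITS: Dict[str, Commit] = {
    "a1b2c3": Commit("a1b2c3", "alice", "bob", True),    # reviewed by a peer, signed
    "d4e5f6": Commit("d4e5f6", "carol", "carol", True),  # self-approved pull request
    "0f1e2d": Commit("0f1e2d", "dave", "erin", False),   # reviewed but unsigned
}

# Constructed build manifest written by the build system:
# SHA-256 of the produced artifact -> commit it was built from.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

MANIFEST: Dict[str, str] = {
    sha256_hex(b"binary-A"): "a1b2c3",
    sha256_hex(b"binary-B"): "d4e5f6",
    sha256_hex(b"binary-C"): "0f1e2d",
}


def signing_allowed(artifact: bytes, manifest: Dict[str, str],
                    commits: Dict[str, Commit],
                    require_signed_commits: bool = True) -> Tuple[bool, str]:
    """Decide whether the signing service may sign `artifact`.

    Returns (allowed, reason). Each refusal maps to one control above."""
    commit_sha = manifest.get(sha256_hex(artifact))
    if commit_sha is None:
        return False, "no build record links this artifact to a source commit"
    commit = commits.get(commit_sha)
    if commit is None:
        return False, f"build record points at unknown commit {commit_sha}"
    if commit.approver is None or commit.approver == commit.author:
        return False, f"commit {commit_sha} was not independently reviewed"
    if require_signed_commits and not commit.signed:
        return False, f"commit {commit_sha} is not cryptographically signed"
    return True, f"artifact traces to reviewed, signed commit {commit_sha}"
```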

Acronis is committed to ensuring the security of our partners and customers, which means assuring the security and reliability of the solutions they rely on. We will continue to enhance our best-in-class protections for our development process.

Sincerely,

The Acronis Security Team