- The number of organizations operating SolarWinds Orion directly on the internet dropped 25% between mid-December and Feb. 1, according to a report by RiskRecon, a division of Mastercard, published Friday. The figures fell from 1,785 organizations on Dec. 13 to 1,330 as of Feb. 1.
- Vendors of RiskRecon's third-party risk management customers have reduced their use of Orion on the internet by 52%, according to the report. The figures demonstrate the impact of the SolarWinds hack on the software supply chain risk.
- Only 8% of organizations that continued to operate Orion on the internet upgraded their versions to 2020.2.4 from the earlier versions 2019.4 and 2020.2.1 HF1. A large number of universities, local governments and a small number of major companies remain vulnerable to further compromise, according to the report.
While operating a SolarWinds administration interface visible to the internet is a poor practice, it gives researchers a good window into how some companies operate amidst such a high profile threat, according to RiskRecon officials.
For the report, RiskRecon scanned the internet for SolarWinds Orion administration interfaces. For each discovered Orion system, RiskRecon then analyzed the HTML of the Orion administration interface to determine the version.
"It's encouraging that we saw 25% of those companies shut down their SolarWinds environment on the internet," Kelly White, founder and CEO of RiskRecon said. "What's discouraging is we continue to see 75% of the companies remaining still operating on the internet and really having taken no action."
About 4% of the organizations running Orion directly on the internet use a version that contains the Sunburst malware, which allows bad actors to remotely gain control of the environment, according to RiskRecon. About one-third operate a version that is vulnerable to Supernova.
A variety of organizations are operating vulnerable instances of Orion, including a handful of Fortune 500 companies, a number of higher education institutions as well as state and local governments in the U.S. and overseas, according to White.
Additionally, a number of foreign data center operators are hosting the systems of other companies, he said.
The overall data shows that while most of the 18,000 organizations impacted by Orion were protected by going offline and proper patching, potentially hundreds of other organizations remain unpatched.
"This doesn't require insider privileged information or access in order to identify those potential targets that continue to operate insecure versions of SolarWinds," White said.
Some of the organizations operating Orion directly on the internet are using old versions as early as the 9.0.0 release, which dates back to 2008, according to RiskRecon. The most common version that is visible is version 2020.2.1 HF2, comprising about 31% of the visible versions.
SolarWinds officials said the data from the report confirms customers are following the instructions it provided after the initial attack was disclosed in mid-December. At the time CISA also advised all civilian federal agencies to power down or disconnect from SolarWinds.
"When we became aware of this broad and highly sophisticated attack, we took immediate action to protect our customers by recommending they disconnect their Orion servers from the internet and issuing updated versions of the affected software as quickly as possible," a SolarWinds spokesperson said in an emailed statement. "This report confirms that many of our existing customers, who are continuing to operate Orion, disconnected the platform from the internet as we recommended."
SolarWinds is encouraging its customers to upgrade to the latest version of Orion using previously announced hotfixes that were released in December.
FireEye, which initially identified the SolarWinds attack, later identified the killswitch that disabled the Sunburst malware.
The RiskRecon report is contradicted somewhat by a cybersecurity startup Censys, a firm backed by GV (formerly Google Ventures) and Greylock Partners. Censys researchers observed an increase in the number of internet-facing Orion hosts from late December through Jan. 31, based on queries from its Universal Internet DataSet.
The Censys data showed a decrease in internet facing-Orion hosts during the holiday season in December and an increase during the month of January. Censys officials argue the organizations may have torn down SolarWinds in December, patched them up and brought them back online, and then may have misconfigured the servers by directly exposing them to the internet.
Censys officials could not be immediately reached for comment. When asked about the contradictory data, RiskRecon officials pointed out that Censys appears to have changed their data gathering methodology in late December.