> SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
The “Delivery and Installation” section covers this. It’s a very short section, the subtext of which is that there’s basically no defense for malware delivered with a valid signature from a trusted vendor.
It’ll be pretty interesting to find out what happened at SolarWinds in the coming days: whether this malware was smuggled into the update via employee collusion with attackers or a hack of SolarWinds itself.
Thanks. I had read that, but I figured I must be missing something. I assumed that if the vendor was genuinely signing malware, that would be the headline of the story.