SolarWinds says a compromise of its widely used Orion network-monitoring platform endangers the networks of public and private organizations that use it and that the problem should be remediated right away.\nIn a security advisory, SolarWinds said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe. An additional hotfix release that both replaces the compromised component and provides several additional security enhancements is expected in the next day or two.\nThe company\u2019s managed services tools appear to be uncompromised, and the company said it isn\u2019t aware of any similar issues with its non-Orion products, like RMM, N-Central, and SolarWinds MSP products.\nFireEye, which discovered the compromise, said it has updated its scanning software to watch for known altered SolarWinds Orion binaries. In addition, Microsoft said its Defender security software has been updated to detect malicious code and has issued its own security guidance along with extensive research of the Trojan causing the problem.\nFireEye\u2019s CEO Kevin Mandia wrote in his blog that the attack was likely carried out by a nation. \u201cThe campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,\u201d he wrote. He did not identify the actors, but Reuters said it was the work of Russian hackers.\nOrion is part of the SolarWinds suite of network and computer management tools that includes monitoring capabilities and the ability to automatically restart services. The compromise means the attackers can bypass the security, install malicious content and restart infected systems without anyone knowing it.\nThe company says it has over 300,000 customers, including more than 425 of the U.S. Fortune 500, all of the top telecom, consulting, and accounting firms, the Pentagon, the State Department, the National Security Agency, the Department of Justice, and the White House. The company has 33,000 Orion customers.\nMeanwhile, the federal watchdog Cybersecurity and Infrastructure Security Agency (CISA) issued a directive to federal agencies calling for them to immediately disconnect or power down Orion products, versions 2019.4 through 2020.2.1 HF1, from their networks. Agencies are prohibited from rejoining enterprise domains until CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package.\nThe CISA also ordered a block of all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed. It further ordered all non-military governmental systems running the Orion software to both stop running it and to disconnect compromised computers from the rest of the network by noon Monday. That was before a fix was issued.\nFireEye and Microsoft have both examined the Trojan and determined that around March of this year someone managed to modify the SolarWinds Orion software during the build process. The modification included a sophisticated Trojan program, designed to remotely control any computer that had SolarWinds Orion installed.\nWhen customers installed the latest Orion update, the Trojan was also installed. This is referred to as a \u201csupply chain attack,\u201d because it came through the trusted SolarWinds supply chain.\nAccording to analysis, the Trojan would wait 12 to 14 days, then communicate with a command-and-control server, where it could install additional software and perform other tasks, including accessing an Active Directory service or monitoring network traffic.