The SolarWinds Hack: Resources and Guidance from Cybersecurity Experts
News broke to the public on Sunday, December 13th, that the SolarWinds Orion network monitoring platform had been hacked. In this sophisticated attack, SolarWinds Orion software updates had been trojanized to deliver malware, now called SUNBURST, into servers hosting the SolarWinds Orion software. Using this compromised server, the attacker is then able to move laterally in the network to compromise other assets and perform data theft.
Attack-at-Scale
This attack is part of a global intrusion campaign that began as early as March 2020 and is currently ongoing. The threat actors are identified as a nation-state advanced persistent threat (APT), with analysts suggesting that the data points to Russia. The victims have included government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East, and it is anticipated there will be additional victims in other countries and verticals. Included in this list are several US Federal agencies, such as the Department of Homeland Security and the State, Commerce, and Treasury Departments. Microsoft has also reported they were a victim of this attack, but they “have not found evidence of access to production services or customer data.”
Advice
If you use SolarWinds Orion software, you will want to take immediate action to mitigate the effects of SUNBURST and determine if there are any indicators of compromise (IOC). If you don’t use SolarWinds software, you may still want to take action to understand to what extent your vendors and partners use SolarWinds.
Although news around this attack is still developing, SolarWinds has since released patches to mitigate this vulnerability. SolarWinds advises:
- Customers with any products for Orion Platform version 2020.2 with no hotfix installed, or version 2020.2 HF 1, should upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to better ensure the security of your environment.
- In the event that you are unable to upgrade immediately, ensure that SolarWinds servers are isolated from the network – disconnected or powered down.
Note that before following the steps above, imaging system memory and/or host operating systems hosting SolarWinds Orion is recommended to aid in forensic analysis. Furthermore, we recommend rebuilding SolarWinds Orion from scratch rather than patching a potentially compromised host. See CISA recommendations below.
Next, as part of your incident response plan, a comprehensive investigation should be performed and, if attacker activity is discovered in your environment, remediation steps should be taken based on the investigation findings. This will likely include removing threat-actor controlled accounts and persistence mechanisms.
The emergency directive from CISA recommends:
- Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
- Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
- Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
- Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a third party with experience eradicating APTs from enterprise networks.
Resources
Resources listed below are in the recommended order of reading for organizations that do have SolarWinds Orion monitoring software in their environment.
Overwhelmed?
This is a global-scale hack with potentially dire consequences for your organization and its or its customers’ data. If your organization does run SolarWinds but does not have the time or expertise to perform any of the suggested steps above, please call VPLS. We offer free consultation on how our team of certified security experts can become an extension of your IT staff and drive these necessary incident response procedures.
Read More from this Author