On December 13, 2020, SolarWinds Orion quickly made headlines as the victim of a major security breach that affected government agencies, Fortune 500 companies, educational institutions, and many others.
Here's everything your organization needs to know about the attack:
Hackers breached SolarWinds’ network and created an update for the Orion software that was laced with malware. Update versions 2019.4 through 2020.2.1 were affected, SolarWinds confirmed. The malware was named SUNBURST by FireEye and Solorigate by Microsoft; both names refer to the same malware.
The breach was so severe that the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive that mandated all federal civilian agencies to review their networks for evidence of compromise and immediately power down their SolarWinds Orion products.
It’s believed the hackers are operating on behalf of a foreign government; many sources suspect it to be APT29, although that has yet to be officially confirmed.
What's at stake?
Since the Orion platform is utilized for centralized monitoring and management, this breach put a significant amount of data at risk. It’s a highly sophisticated supply chain attack, so any organization utilizing SolarWinds is at risk.
“The campaign is widespread, affecting public and private organizations around the world,” FireEye reported.
For example, the Washington Post reported that the U.S. Treasury and U.S. Commerce Departments were breached through SolarWinds. Additional victims of the attack include government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East.
SolarWinds currently has 320,000 customers across 190 countries, including 499 of the Fortune 500 companies, all military branches, and almost a dozen government entities – giving the hackers access to some of the world’s most sensitive network data.
What should organizations do in response?
SolarWinds will be releasing a new update (2020.2.1 HF 2) to replace the affected component and provide additional security features. Any affected organizations should be on the lookout for that update this week and install it immediately.
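As an added illustration (not code from the original post, SolarWinds, FireEye or Microsoft), the following Python helper triages Orion version strings from a host inventory against the range quoted above (2019.4 through 2020.2.1) and the 2020.2.1 HF 2 fix. The version-string format with an optional "HF n" hotfix suffix and the sample inventory are assumptions constructed for this example.

```python
import re

# Range quoted on this page: 2019.4 through 2020.2.1 affected; 2020.2.1 HF 2 is the fix.
AFFECTED_MIN = "2019.4"
AFFECTED_MAX = "2020.2.1"
FIXED_IN = "2020.2.1 HF 2"
# Assumed (constructed) format: dotted release, optional "HF n" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

def parse_version(text):
    """'2020.2.1 HF 2' -> ((2020, 2, 1), 2); a missing hotfix counts as HF 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad so 2019.4 compares as 2019.4.0
    hotfix = int(m.group(2)) if m.group(2) else 0
    return release, hotfix

def classify(text):
    """Return 'patched', 'affected' or 'outside_range' for one version string."""
    release, hotfix = parse_version(text)
    if (release, hotfix) >= parse_version(FIXED_IN):
        return "patched"            # HF 2 or anything later
    if parse_version(AFFECTED_MIN)[0] <= release <= parse_version(AFFECTED_MAX)[0]:
        return "affected"           # includes 2020.2.1 HF 1, which sorts below HF 2
    # Older than 2019.4: not in the range the page lists, but still subject to
    # the CISA directive to review for evidence of compromise.
    return "outside_range"

def triage(inventory):
    """Map host -> classification; unparsable versions are flagged for manual review."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown_version"
    return result

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF 1"),
    ("orion-prod-02", "2020.2.1 HF 2"),
    ("orion-lab", "2019.4"),
    ("orion-legacy", "2018.4 HF 3"),
    ("orion-dr", "n/a"),
]
```

Hosts that come back "affected" or "unknown_version" are the ones to prioritise for the CISA review and the HF 2 update.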
In the meantime, FireEye and Microsoft have both issued guidance for SolarWinds customers looking to mitigate their risks.
FireEye released countermeasure rules that are freely accessible to the community. They include Production rules that perform with minimal tuning and Supplemental rules that need to be tweaked for specific environments. The countermeasure rules are published on GitHub.
Microsoft also released guidance for detecting the attack in your environment. Windows Defender Antivirus will detect the Solorigate threat, but Microsoft also recommends running a full scan. The full guidance includes ways to detect and remove the malware using Windows Defender Antivirus, Microsoft Security Essentials, and Microsoft Safety Scanner.
Where can my organization get assistance?
A major security breach is overwhelming for security teams already tasked with the daily challenges of keeping their environment secure. If your organization needs assistance in determining the potential impact of this attack, tracing the damages it caused, or even protecting your data from any future breaches, we’re here to help.
Adhering to CISA guidelines and powering down SolarWinds may leave many organizations without visibility into their network and system performance. Vandis can act as your eyes and ears in your environment during this time; our network monitoring and security platform can help you maintain your current NetFlow, sFlow, and SNMP environment visibility.
Reach out to firstname.lastname@example.org or call 516-281-2200 with any questions or concerns.