SolarWinds Incident Response: 4 Essential Security AlertsFederal Agencies Ordered to Immediately 'Disconnect or Power Down' SolarWinds Orion
Numerous security alerts have been issued regarding the supply chain attack targeting software vendor SolarWinds and, by extension, its customers.
The full scope of the attack campaign, which was first revealed Sunday by FireEye - one of its victims - remains unclear, as does the complete roster of victims. The U.S. Treasury and Commerce Department have acknowledged they have been affected by these attacks, and on Monday, the Washington Post and Reuters reported that the Department of Homeland Security might have been affected as well. Plus, late Monday news reports said the Department of Homeland Security, State Department and National Institutes of Health were also hit.
In addition, Alexei Woltornist, assistant secretary for public affairs at Homeland Security, released a statement Monday, noting: "The Department of Homeland Security is aware of cyber breaches across the federal government and working closely with our partners in the public and private sector on the federal response."
Also on Monday, SolarWinds filed a report with the Securities and Exchange Commission noting that of the company's 33,000 customers using the Orion network monitoring software, about 18,000 are believed to have been using the version that is vulnerable to the attack the company disclosed Sunday.
Government cybersecurity agencies, national computer emergency response teams and security experts are warning all organizations that use the hacked Orion network monitoring software to immediately take defensive steps. Advice includes running full antivirus scans on all systems and looking for indicators of compromise. Federal civilian U.S. agencies, meanwhile, were ordered to deactivate SolarWinds Orion by the end of Monday until full fixes can be tested and deployed.
To help incident responders grappling with what appears to be a sophisticated attack that began in March and may still be underway, here are four essential security alerts to review.
CISA: 'Disconnect or Power Down'
The U.S. Cybersecurity and Infrastructure Agency on Sunday issued Emergency Directive 21-01 - only the fifth such directive it has ever issued - which it updated on Monday, ordering "all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."
“The compromise of SolarWinds’ Orion network management products poses unacceptable risks to the security of federal networks,” says CISA Acting Director Brandon Wales. He says the directive "is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners - in the public and private sectors - to assess their exposure to this compromise and to secure their networks against any exploitation.”
Last night we issued an emergency directive to mitigate the compromise involving SolarWinds Orion products: https://t.co/VFZ81W2Ow7. We urge all our partners - in the public & private sectors - to assess their exposure to this compromise and to secure their networks.— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 14, 2020
"Disconnecting affected devices … is the only known mitigation measure currently available," according to CISA's alert.
SolarWinds: Essential Update Coming Tuesday
SolarWinds published its own advisory on Sunday, warning Orion users that the software had been subjected to "a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020."
SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability. More information is available at https://t.co/scsUhZJCk8— SolarWinds (@solarwinds) December 14, 2020
SolarWinds says: "We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment," which is available via its customer portal.
The SolarWinds advisory also includes additional recommended mitigations and workarounds, including "having your Orion platform installed behind firewalls, disabling internet access for the Orion platform and limiting the ports and connections to only what is necessary."
The software vendor says it plans on Tuesday to release another hotfix - 2020.2.1 HF 2 - which "replaces the compromised component" and also "provides several additional security enhancements."
FireEye Describes IOCs
Last week, cybersecurity firm FireEye disclosed that it had suffered a hack attack, apparently launched by a foreign government. It said that attackers may have stolen its penetration-testing tools.
On Sunday, FireEye disclosed that it was hacked as part of a much wider, previously undiscovered campaign, which involved the SolarWinds Orion software being subverted by attackers, who altered the software to gain remote access to customers' networks. The attack appears to have begun in March, meaning it has run for up to nine months.
FireEye's security alert says the Trojanized software, which it refers to as SUNBURST, could steal files and profile systems as well as disable system services.
FireEye's alert includes essential details of how attacks unfold, including indicators of compromise that organizations can use to help block future attacks as well as to scan their systems and network logs for signs of undetected, lingering attacks or for indications that it may have been breached in the past as part of this attack campaign.
"The C2" - command-and-control - "traffic to the malicious domains is designed to mimic normal SolarWinds API communications," FireEye warns.
Via GitHub, FireEye has also released "signatures to detect this threat actor and supply chain attack in the wild," which are in "a mix of Yara, IOC, and Snort formats."
FireEye says multiple versions of the SUNBURST backdoor have been seen in the wild.
"We are releasing detections and will continue to update the public repository with overlapping detections for host and network-based indicators as we develop new or refine existing ones," it says. "We have found multiple hashes with this backdoor and we will post updates of those hashes."
Microsoft Outlines Essential Defenses
Researchers at Microsoft, who contributed to FireEye's investigation, have issued an alert to customers via the company's Security Response Center. The alert contains technical details about how attackers could take advantage of the flaws in the SolarWinds Orion product to gain access to a network and then escalate privileges.
Microsoft's alert also includes suggested defenses, including running a full-disk scan using an antivirus scanner that has signatures for spotting these attacks - Microsoft notes that all of its antivirus product signatures have been updated - as well as blocking known command-and-control IP addresses tied to the attack, which are detailed in FireEye's IOC lists.
Microsoft has also released detection updates for its cloud-based security information and event manager tool Azure Sentine and says these can be easily applied to other SIEM tools, as well.
Stay Tuned for Updates
The CISA, FireEye, SolarWinds and Microsoft updates all cross-reference each other. All of the organizations have also promised to continue to update their mitigation guidance, as well as to continue to update customers on their investigations.
In other words, all SolarWinds Orion customers should keep a close eye on each of these updates to get the latest IOCs, mitigation advice and other essential information.
Nick Carr, a security and intelligence researcher for Microsoft who was one of more than three dozen individuals FireEye thanked for working around the clock to help investigate the attack campaign, says that this "massive software supply chain intrusion" was "the most carefully planned, complex espionage I’ve ever helped uncover."
Uncovering the full details of this elaborate attack campaign won't happen overnight.
Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...— Nick Carr (@ItsReallyNick) December 14, 2020
We just published more details on what we’ve been finding post-compromise: https://t.co/UX1wCkhhYu
ADFS key material compromise, SAML shenanigans, OAuth keys added... pic.twitter.com/j7xhcKBnEK
Already, incident responders have their work cut out for them.