As you may be aware, Austin-based software company SolarWinds recently experienced the largest security compromise in U.S. history. This breach affects SolarWinds’ Orion products and is rapidly evolving. SecurityMetrics does NOT use SolarWinds Orion’s Network Management System tools (NMS) products.
We want to brief you on the SolarWinds situation and notify you of the steps we are taking to protect your business. We have several partners we utilize for threat intelligence, including but not limited to, the Cybersecurity and Infrastructure Security Agency (CISA), the United States Department of Homeland Security, Utah Statewide Information and Analysis Center (SIAC), and our local Fusion Center, among others.
SolarWinds Compromise Background
- On December 13th, Chris Bing at Reuters broke the news that a sophisticated threat adversary compromised the U.S. Treasury Department.
- Ellen Nakashima and Craig Timberg at the Washington Post followed with more details, including that hackers specifically targeted Orion products and the threat group was believed to be APT29 (Cozy Bear / Russian SVR).
- SolarWinds offers a wide range of tools for IT management and monitoring, including their very popular and widely used Network Management Systems (NMS) Tools.
- These tools monitor and manage servers, networks, workstations, and devices. They communicate with multiple devices and if compromised, give threat actors opportunities to monitor and respond to events on the network, access network’s assets, and allow man in the middle (MitM) attacks.
How was SolarWinds Breached?
- Sources continue to provide details, including what kinds of information was accessed, as the situation evolves.
- Our threat sources indicate malware was deployed as an update for Orion from SolarWinds’ own server–digitally signed by a valid digital certificate.
- The malicious Orion update was downloaded automatically to over 18,000 SolarWinds customers in March 2020.
- This is not the only time we have seen state-backed, advanced persistent threats (APT) targeting software vendors or masquerading as an update.
What is SecurityMetrics doing? What should you do?
- SecurityMetrics does NOT use SolarWinds Orion’s Network Management System tools (NMS) in our environment. SecurityMetrics network integrity has not been compromised.
- The SecurityMetrics Threat Intelligence Center has partnered with several internal and external threat intelligence sources to maintain situational awareness of this dynamic situation.
- Threat actors involved in this breach have changed their indicators of compromise (IoC) and are retooling, so the SecurityMetrics Threat Intelligence Center will stay informed of the behavior, tactics, techniques and procedures.
- SecurityMetrics utilizes a variety of threat intelligence sources, including but not limited to, CISA, DHS, Utah SIAC, and the Fusion Center.
- SecurityMetrics has partnerships with several threat intelligence sources who are providing even more intelligence on the situation and evolving indicators of compromise (IoC).
- On Friday, December 18th, 2020, the SecurityMetrics Security Operations Center will release an episode of SecurityMetrics News, explaining the details of the hack along with a deeper explanation of mitigations and remediations.
According to FireEye, If you use SolarWinds Orion Platform, you should assume compromise. Consider blocking or limiting Orion NMS access to the net (zero trust). This should include checking your logs as far back as March 2020. Please realize NMS East/West netflow will be of limited value in your research and monitoring of network activity.
- If you use other SolarWinds products, map your attack surface and keep a close eye on any malicious activity.
- Use multi-factor authentication (MFA) and change your passwords regularly.
- Perform extra diligence and please reach out to SecurityMetrics for any questions.
SolarWinds Breach Advisories and Mitigations
- CISA Current Activity Alert “Active Exploitation of SolarWinds Software”
- CISA Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”
- SolarWinds Security Advisory
- FireEye Advisory: “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”
- FireEye GitHub page: “Sunburst Countermeasures”
Matt Heffelfinger–"Heff" is preferred–is a Utah based cybersecurity professional and serves as SecurityMetrics Director of SIEM Operations. His primary wheelhouse includes leading the SecurityMetrics Security Operations Center (SOC) and Threat Intelligence Teams for multiple clients both in the USA and globally. With over 15 years of global cybersecurity experience, his career stops include Caesars Entertainment, TJX, Inc., General Electric, NBC Television and the Las Vegas Sands Corp.