It’s only been a few weeks since news broke on the SolarWinds hack, but it could take months, and even years, to fully understand the damage done by the sophisticated nation-state cyber attack on the federal government and private companies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the malicious activity “poses a grave risk to the federal government.”
The attack seems to have touched just about every department and agency in the federal government including Homeland Security, the State Department, the Pentagon, and the National Security Agency.
How the SolarWinds Hack Took Place
Texas-based SolarWinds says that 18,000 of its government and private users downloaded a software update that hackers had embedded with malicious code. The “Trojan horse” in SolarWinds’ Orion software update gave hackers access to compromised users’ systems.
The hack appears to have started as far back as March and was not discovered until recently, when cybersecurity firm FireEye detected it after finding the malware in its own systems.
SolarWinds has 300,000 customers including most of the Fortune 500. Some 33,000 use the popular Orion software to monitor network activity.
CISA also said that the SolarWinds Orion software update may not be the only avenue the hackers used to gain access to systems, and offered these key takeaways:
- This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
- CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise.
- Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
What Should My Company Do?
Even if your company does not use SolarWinds Orion software, you should remain vigilant and confirm that the malware has not affected other third-party vendors whose software runs in your systems and network.
For SolarWinds Orion users, CISA has identified activity on the following versions:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premises and hosted resources.
CISA recommends three levels of mitigation for SolarWinds Orion software owners:
- Category 1: Owners who do not have the malicious code. They can “patch their systems and resume use as determined by and consistent with their internal risk evaluations.”
- Category 2: Owners who have the malicious code, but no outside activity detected. They can “harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.”
- Category 3: Owners who have the malicious code and have detected outside activity that suddenly ceased prior to Dec. 14, 2020. They should “assume the environment has been compromised, and initiate incident response procedures immediately.”
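As an added illustration (not code from the article or from CISA), the following Python script turns the affected-version list above and the three mitigation categories into a triage routine an IT team could run over its own Orion inventory. The build numbers are the four listed above; the hostnames and the inventory rows are constructed sample data, and the category 0 result is an assumption added here for entries whose version string cannot be parsed.

```python
from typing import Iterable, Optional, Tuple

# Orion builds on which CISA identified activity (the four versions listed above).
AFFECTED_BUILDS = {
    "2019.4.5200.9083": "Orion Platform 2019.4 HF5",
    "2020.2.100.12219": "Orion Platform 2020.2 RC1",
    "2020.2.5200.12394": "Orion Platform 2020.2 RC2",
    "2020.2.5300.12432": "Orion Platform 2020.2 / 2020.2 HF1",
}

def parse_build(version: str) -> Optional[Tuple[int, ...]]:
    """Split 'a.b.c.d' into integers; None if malformed, so bad inventory
    entries are flagged instead of silently passing as clean."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def affected_release(version: str) -> Optional[str]:
    """Release name if the build is on the CISA list (numeric compare,
    so '2020.02.5300.12432' still matches), else None."""
    build = parse_build(version)
    if build is None:
        return None
    for known, name in AFFECTED_BUILDS.items():
        if parse_build(known) == build:
            return name
    return None

def triage(version: str, malicious_code: bool, outside_activity: bool) -> Tuple[int, str]:
    """Map one host onto CISA's categories; 0 (assumed here) means manual check."""
    if parse_build(version) is None:
        return 0, "unparseable version; confirm the installed build by hand"
    if not malicious_code:
        return 1, "patch and resume use per internal risk evaluation"
    if not outside_activity:
        return 2, "harden, reinstall from a verified supply chain, re-evaluate risk"
    return 3, "assume compromise; initiate incident response now"

def triage_inventory(hosts: Iterable[tuple]):
    """hosts: (hostname, version, malicious_code, outside_activity) rows.
    Returns a list of (hostname, listed_release_or_None, category, action)."""
    return [(h, affected_release(v), *triage(v, c, a)) for h, v, c, a in hosts]

# Constructed sample inventory (not real data) so the module runs stand-alone.
SAMPLE_INVENTORY = [
    ("orion-01", "2020.2.5300.12432", True, True),    # category 3
    ("orion-02", "2019.4.5200.9083", True, False),    # category 2
    ("orion-03", "2020.2.5200.12394", False, False),  # category 1
    ("orion-04", "n/a", False, False),                # category 0
]
```

Run `triage_inventory(SAMPLE_INVENTORY)` to get one row per host; the second column tells you whether the build is one CISA listed, and the last two give the category and the matching action.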
Mitigation Efforts are Crucial
Companies with systems and devices affected by the malware should forensically image system memory and the host operating systems of machines running affected versions of SolarWinds Orion. They should then immediately disconnect or power down all affected SolarWinds Orion installations from their network.
Other mitigation efforts should include:
- Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.
- Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
- Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
Companies should also audit the configurations of all network devices, such as routers, switches, and firewalls, that are managed by affected SolarWinds servers or whose configurations are stored on them.
Going forward, all companies need to identify and mitigate the risk in their software supply chain.
Employer Flexible can help your Texas-based company with all your HR needs, including risk management. Contact us today to find out how our experienced risk consultants can help safeguard your business.