A number of organizations were recently made aware of a software supply chain attack that directly impacted a subset of customers using particular SolarWinds products. Detection and response guidance has been published by a number of public and private sector sources, with additional details on the malicious software and its capability. The scale and potential severity of this security issue are significant. For organizations running the vulnerable SolarWinds software components, the backdoor is designed to “phone home” to a Command and Control (C2) service over the internet and perform additional malicious activities as defined by the attacker such as dropping additional malware, stealing and abusing privileged credentials, and using the SolarWinds system as a beachhead to move laterally throughout the enterprise environment.
The situation can become even more problematic when security monitoring and control systems are not adequately in place and operational, providing attackers with an additional advantage. Do we have sufficient logging in place, in order to detect and alert on suspicious activity? Have we implemented endpoint detection and response (EDR) tools for enterprise visibility? Do we even have the right personnel in place to respond to adverse events in a timely manner? This year has not been without its challenges for businesses pivoting to Work from Home solutions, activating business continuity and disaster recovery plans, and updating incident response plans. Adding software supply chain attacks to the list may seem daunting for companies already struggling to move towards their business goals. However, these situations also present opportunities to reassess, learn, and refocus on ways to further transform your business and succeed in this environment.
Who is affected?
Based on the SolarWinds security advisory, customers that downloaded and installed the following Orion Platform software builds and versions are affected:
- 4 HF 5
- 2 with no hotfix installed
- 2 HF 1
More specific version details may also be found in the CISA government agency alert released on December 17, 2020. The product updates were released between March and June 2020. The advisory provides guidance on how to confirm which version and updates are currently installed. It also itemizes a number of products and their “affected” vs. “not affected” status. Organizations should therefore review the current advisory and compare the list with internal information on solutions deployed within the enterprise. It is entirely possible that a SolarWinds customer is not affected by this particular issue if they did not use the vulnerable software or did not update to a compromised version released during the security event period. A Krebs on Security article published December 14 includes a partial list of SolarWinds customers, illustrating the range of organizations using SolarWinds software products.
The Orion Platform version 2020.2.1 HF 2 hotfix is available to customers and is intended to address the known malicious software updates. On December 13, 2020, SolarWinds notified approximately 33,000 active maintenance customers with potential exposure during the March – June 2020 period. On December 14, 2020, the SolarWinds 8-K filing also stated that an estimated 18,000 or fewer customers may be affected.
How did this happen?
It is important to keep in mind that active investigations can result in additional discoveries that may alter the scope, timeline, or magnitude of these security events. Public information reported by SolarWinds indicates that the company's email and productivity tools (Microsoft Office 365) were targeted, and that the build environment was affected. Attackers routinely target and compromise organizations using a variety of techniques. Initial Access methods documented in the MITRE ATT&CK framework include phishing, supply chain compromise (relevant for some SolarWinds customers), and obtaining or abusing valid credentials.
What should I do – Activating your Incident Response Plan
For organizations directly affected by the SolarWinds vulnerability, digital forensics and incident response (DFIR) processes should already be activated. Where organizations do not maintain internal DFIR competencies, experienced third parties can provide critical investigative support and incident response lifecycle guidance. Please refer to the Additional Resources section for links to detailed technical analyses and methods to detect malicious activity. The CISA government agency alert and DHS Emergency Directive include detailed, practical steps to mitigate the SolarWinds software vulnerabilities, including forensic evidence preservation, system and network isolation, and recovery activities after completing containment and eradication procedures. These steps generally align with the Incident Response Life Cycle published by NIST (SP 800-61).
As mentioned in a Microsoft blog by the Microsoft 365 Defender Research Team on December 18, 2020, organizations need to focus not only on standard “preventative protections” but on ways to detect and respond to an active compromise within the organization’s enterprise. The following security monitoring and control areas should be considered, as you assess your internal environment:
- Digital Forensics/Incident Response (DFIR) Support – Are retainers or agreements in place with third parties to augment internal staff and competencies prior to a significant security event?
- Endpoint detection and response (EDR) tools – Are any tools in place with enterprise visibility into active systems and processes? If you needed to find a malicious file by filename or hash value quickly, how would you do it? Are personnel actively involved in threat hunting activities?
- Incident Response Plan – Are the IR plan and processes in place, up to date, and periodically tested? Are teammates trained periodically, prior to an actual incident?
- Identity & Access Management (IAM) – Are access controls in place to restrict access to internal resources based on the principle of least privilege? Is monitoring and alerting integrated with a SOC service? How are you ensuring that any deployed multi-factor authentication (MFA) or single sign-on (SSO) systems are not disabled or abused?
- Logging and monitoring solutions – Is logging configured on all active systems and devices? Do you have an inventory to confirm logging coverage? Are logs centrally aggregated and analyzed for suspicious activities? How long are logs retained? Are externally managed SOC services needed to address internal shortcomings?
- Network security controls and Network Traffic Analysis (NTA) – What solutions are in place to control ingress and egress traffic? Are intrusion detection/prevention systems (IDS/IPS) in place, tuned, and generating alerts? Are DNS calls being logged?
- Security Testing – Is periodic penetration testing and vulnerability scanning performed to evaluate the security of systems, networks, and applications?
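One concrete answer to the "find a malicious file by filename or hash value quickly" question in the EDR item above, added here as an example and not code from this post or from MegaplanIT: a small Python sweep that walks a directory tree and matches files by filename or SHA-256 against a watchlist, and reports files it could not read so coverage gaps are visible. The filename, content and hash used as indicators are constructed placeholders; real indicators come from your vendor or the advisories listed under Additional Online Resources.

```python
import hashlib
import os
import tempfile

# Constructed indicators for this example only; real ones come from your vendor or CISA/FireEye advisories.
SUSPECT_NAMES = {"suspect-plugin.dll"}
SUSPECT_CONTENT = b"constructed stand-in for a trojanized library"
SUSPECT_HASHES = {hashlib.sha256(SUSPECT_CONTENT).hexdigest()}

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def sweep(root, bad_names=SUSPECT_NAMES, bad_hashes=SUSPECT_HASHES):
    """Return {relative path: [reasons]} for files under root that match by
    filename (case-insensitive) or SHA-256; unreadable files are flagged too."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in bad_names:
                reasons.append("filename")
            try:
                if sha256_of(full) in bad_hashes:
                    reasons.append("sha256")
            except OSError:
                reasons.append("unreadable")  # a silent skip would hide a gap
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits

def build_sample_tree():
    """Constructed tree: a name-only match, a renamed hash-only match, a benign file."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "suspect-plugin.dll"), "wb") as fh:
        fh.write(b"different bytes, so only the name matches")
    with open(os.path.join(root, "bin", "renamed.dll"), "wb") as fh:
        fh.write(SUSPECT_CONTENT)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign")
    return root
```

Running `sweep(build_sample_tree())` reports the name-only match as `filename` and the renamed copy as `sha256`, which is the point: a rename defeats a filename search but not a hash sweep.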
MegaplanIT Is Here To Help
MegaplanIT Holdings, LLC provides professional services and Managed SOC services to our clients, based on their specific needs. We partner with our clients and identify the right balance of products and support services to keep your business focused and moving forward in the right direction. Our team can provide professional services and implement managed endpoint detection and response solutions, support investigative activities, and conduct more routine security and compliance efforts. Whether you are looking for a Security Health Check, managed services, security testing, Incident Response support, or security and compliance controls guidance, our team is ready to help your business overcome challenges and become a more streamlined and resilient operation.
Additional Online Resources
FireEye detection tools: https://github.com/fireeye/sunburst_countermeasures
Microsoft technical writeup: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Microsoft security blog: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/