What happened at SolarWinds?
On Monday, December 14, SolarWinds Inc. published a statement advising that selected SolarWinds® Orion® Platform software builds have been compromised. A cyberattack on their systems inserted a vulnerability into versions 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1.
The compromise appears to have been created by cyber attackers who quietly tampered with Orion software updates. The compromised updates contained secret “backdoor” malware called SUNBURST, bundled within legitimate Orion software patches and hotfixes provided to target victims by third parties. Orion software released between March and June of 2020 may have been affected.
According to a detailed analysis by FireEye, the backdoor malware sits dormant after installation for up to two weeks, after which it “retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.” It is believed that this vulnerability is behind the serious email system breach recently discovered at the U.S. Treasury and Commerce Departments.
As of December 14, some 25 compromised companies have been identified, but SolarWinds advises that up to 18,000 public and private entities around the world may have downloaded the malicious code.
How has SolarWinds responded to the breach?
SolarWinds has centralized their communication about the incident through their security advisory page. The advisory page provides a list of the affected platforms and specific, current instructions for SolarWinds customers to follow.
SolarWinds is working with FireEye (who discovered the compromise in the course of investigation their own security breach), Microsoft, the FBI, the U.S. government, and local law enforcement in conducting an extensive investigation.
SolarWinds has reassured customers that no other versions of Orion Platform products are known to be affected by this security vulnerability. Other non-Orion products are also not known to be affected by this security vulnerability.
What recommendations does ISA have for me as a customer?
For our customers who use SolarWinds Orion products, we strongly encourage you to assess your implementation of those products in order to determine your potential exposure, and follow the SolarWinds recommendations as soon as possible. Customers are strongly encouraged to follow direction from the SolarWinds security advisory page at https://www.solarwinds.com/securityadvisory directly, as it will contain the very latest news, hotfixes, and customer instructions.
As of December 15, 2020:
SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. A second hotfix version 2020.2.1 HF 2, which replaces the compromised component and provides several extra security enhancements, is expected shortly. The latest versions of the software are available at customerportal.solarwinds.com.
SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which is available at customerportal.solarwinds.com.
If you are unsure of which version of the Orion Platform you are using, SolarWinds has provided directions on how to check in their customer success portal. Similarly, they have provided instructions on how to check your hotfix versions in the portal.
SolarWinds warns that if you cannot upgrade immediately, at a minimum you should ensure your existing installation has been fully secured. Documentation and best practices are in the portal. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.
Additionally, SolarWinds recommend that customers scan their environments for the compromised file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this dll, you should immediately upgrade to safely remove it, and follow security protocols to protect your environment.
Rest assured that ISA does not currently employ SolarWinds Orion products, so the compromise does not present a direct threat to ISA services or operations.
McAfee has released new binaries and defenses against compromise in their Knowledge Center. ISA has deployed these updated defenses internally. FireEye has released a blog providing technical background and guidance on the intrusion campaign, along with a set of recommended SUNBURST countermeasures on GitHub. Microsoft has published a list of indicators of compromise (IOCs) on their blog. The Canadian Centre for Cyber Security has issued an alert, and the U.S. Department of Homeland Security has also released an emergency directive on responding to the incident.
Protecting Our Customers
At ISA, our CIOC is on high alert for any signs of unexpected behaviour on our systems or environment. We will continue to monitor the investigation of the hacking incident, as well as any updates from SolarWinds. We will advise our customers of any relevant updates as they become available.
If you have further questions, or require assistance or guidance in assessing your exposure, please do not hesitate to contact us to discuss any concerns. We are here to help.
Kevin Dawson, CEO & President, ISA Cybersecurity