Most of today’s IT leaders take a Best of Breed approach to procuring solutions and toolsets for their enterprises. They
A Summary Analysis of the SolarWinds Breach
In the simplest of terms, SolarWinds – a company synonymous with Network Management Systems (NMS) that is used almost universally across ~300,000 customers worldwide – was compromised through what is being labeled a “supply-chain” attack. This means that attackers from what appears to be a nation state-sponsored APT (Advanced Persistent Threat) group executed an attack against the software company that allowed them to insert code into SolarWinds’ most popular platform called Orion.
Between March and June 2020, the attackers were able insert code into the build system of Solarwinds’ Orion tool and push out updates which contained what is effectively a trojan horse. This means that the attackers were then able to use the compromised update of the Orion platform to then pull down malware (Sunburst) onto systems that were compromised with this update. From there, attackers had what is effectively free-range on the victim’s network. Since they were operating from a tool that is meant to reach out and monitor/manage network and system infrastructure, their compromised allowed them virtually limitless capabilities on most networks they infected.
It should be noted that while the attack appears to be targeted to the government sector and it’s providers, such as FireEye in one documented case, it is being relayed that any customer who had the relevant software installed should assume compromise.
*Please keep in mind that this situation is actively evolving with significant global effort to provide more information as it becomes available. The information contained in this advisory is subject to change at any time, and we encourage you to do additional research.
SolarWinds’ Orion is one of the most popular NMS (Network Management System) platforms out there. As a result, it’s confirmed install base is some 18,000+ networks worldwide. If you have the tool installed you are advised to assume breach and immediately enact your breach protocols and procedures. Work your incident response processes through, and in the event that you have evidence of no compromise you will have peace of mind and certainty. Even though your organization may not have the tool installed, it’s highly likely that one of your partners or suppliers may, leading to a third-party risk management nightmare that requires urgent attention. Now is the time to reach out to your close partners, particularly those that have assets connected into your physical or virtual network, and obtain certainty on their current state relevant to this compromise.
Organizations that find themselves compromised with this attack should assume that the attacker has had full access to all NMS and connected systems, assets, and data, and could move around the network undetected and exfiltrate sensitive data at will. There have been no detection capabilities prior to this breach going public, and new indicators of compromise (IOCs) are being published as researchers around the world work to uncover them. It should be noted that attackers will adapt and change their signatures to avoid detection. It is highly advised that companies review their logs for signs of long-term compromise based on the IOCs known at this point.
If your organization does have SolarWinds’ Orion installed, you can take immediate steps to mitigate while you investigate. At minimum we urge all customers to review their logging, network access, and security strategies at this time to minimize potential impact and mitigate risk. Additionally, we provide the following suggestions: