What the SolarWinds Compromise Means to You

Rafal Los

12.16.2020

A Summary Analysis of the SolarWinds Breach

What happened?

In the simplest of terms, SolarWinds – a company synonymous with Network Management Systems (NMS) that is used almost universally across ~300,000 customers worldwide – was compromised through what is being labeled a “supply-chain” attack. This means that attackers from what appears to be a nation state-sponsored APT (Advanced Persistent Threat) group executed an attack against the software company that allowed them to insert code into SolarWinds’ most popular platform called Orion.

Between March and June 2020, the attackers were able insert code into the build system of Solarwinds’ Orion tool and push out updates which contained what is effectively a trojan horse. This means that the attackers were then able to use the compromised update of the Orion platform to then pull down malware (Sunburst) onto systems that were compromised with this update. From there, attackers had what is effectively free-range on the victim’s network. Since they were operating from a tool that is meant to reach out and monitor/manage network and system infrastructure, their compromised allowed them virtually limitless capabilities on most networks they infected.

It should be noted that while the attack appears to be targeted to the government sector and it’s providers, such as FireEye in one documented case, it is being relayed that any customer who had the relevant software installed should assume compromise.

*Please keep in mind that this situation is actively evolving with significant global effort to provide more information as it becomes available. The information contained in this advisory is subject to change at any time, and we encourage you to do additional research.

Why is the situation critical?

SolarWinds’ Orion is one of the most popular NMS (Network Management System) platforms out there. As a result, it’s confirmed install base is some 18,000+ networks worldwide. If you have the tool installed you are advised to assume breach and immediately enact your breach protocols and procedures. Work your incident response processes through, and in the event that you have evidence of no compromise you will have peace of mind and certainty. Even though your organization may not have the tool installed, it’s highly likely that one of your partners or suppliers may, leading to a third-party risk management nightmare that requires urgent attention. Now is the time to reach out to your close partners, particularly those that have assets connected into your physical or virtual network, and obtain certainty on their current state relevant to this compromise.

Organizations that find themselves compromised with this attack should assume that the attacker has had full access to all NMS and connected systems, assets, and data, and could move around the network undetected and exfiltrate sensitive data at will. There have been no detection capabilities prior to this breach going public, and new indicators of compromise (IOCs) are being published as researchers around the world work to uncover them. It should be noted that attackers will adapt and change their signatures to avoid detection. It is highly advised that companies review their logs for signs of long-term compromise based on the IOCs known at this point.

What should you do now?

If your organization does have SolarWinds’ Orion installed, you can take immediate steps to mitigate while you investigate. At minimum we urge all customers to review their logging, network access, and security strategies at this time to minimize potential impact and mitigate risk. Additionally, we provide the following suggestions:

1. If you have Orion installed on your network and rely on it for monitoring/management you must immediately disable it’s access to the Internet. If you are unable to do so, access should be limited to absolutely only those IP addresses that are required to operate,
   1. Additionally, perform in-depth log analysis going back to March for the IOCs being published including domains that are using in the attack. Keep in mind now that the attack has been uncovered, these will likely change as the attackers pivot their attack to avoid discovery.
   2. Monitor closely all Orion NMS network activity, and perform packet-capture logging for evidentiary purposes, is possible.
2. If you do not have Orion installed you should not necessarily assume your organization is safe. Consider your 3^rd party suppliers and connected partners and perform due-diligence to understand whether these have the tool installed and could have a potential compromise.

What can Lightstream do for you?

Right now

• Lightstream’s security team can assist in assessment or analysis of the situation to understand potential impact to your organization
• Lightstream’s teams should be alerted immediately via ticket if your organization has SolarWinds’ Orion installed so that we can take additional measures for investigation
• If your organization has minimal, none, or insufficiently operationalized endpoint or network security monitoring and response capabilities, Lightstream can help by deploying, managing, and detecting and responding to threats such as this both today and in the future

Near and Long-term

• Lightstream’s Edge Defense and Endpoint Defense services are optimized to identify, protect against, detect and respond to, and recover from threats to your organization’s IT infrastructure, systems, and applications. Enterprises large and small can use our fully managed platform to supplement their own security operations (SOC) or fully outsource the management, detection and response 24x7x365
• Lightstream’s expertise in Zero Trust architecture can be used to evolve your physical and virtual network to minimize the damage and business impact from even sophisticated attackers. We offer this service to our managed and new customers
• Lightstream’s Security Advisory Services can perform a Security Strategy Program Framework (SSPF) assessment to understand how your existing security strategy would be impacted in cases such as this. This is offered to both new and existing customers.

Additional Links and Resources

• SANS Write-up: https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
• US CISA (Cybersecurity and Infrastructure Security Agency) information: https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
• CISO Emergency Directive 21-01: https://cyber.dhs.gov/ed/21-01/
• FireEye Blog: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• Bloomberg: https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack
• ZDNet: https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

SHARE