SolarWinds Active Exploit – Summary and Links

 In Dispatch

What we know

An advanced hacking group used a popular network management product, SolarWinds Orion, to compromise organizations around the world. The activity appears to have started back in March 2020. SolarWinds has issued patches, but you should remove the software if at all possible. Read the FireEye post, then follow the Emergency Directive.

Summary from FireEye:

FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

An oversimplified and preliminary explanation

Some very advanced attackers, likely Russia, put out a SolarWinds update back in the spring that looked like it came from SolarWinds but also included their hacking tools. Once installed it stayed quiet for a bit and then very discreetly started to investigate the network and called home for further instructions. It could steal credentials and data if so instructed. Lots of organizations run this software, so it's big and bad.
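The "called home" step above is the one a defender can hunt for right now. FireEye's write-up (linked in this post, not quoted here) names the beacon domain as avsvmcloud.com, with a per-victim encoded label prepended as a subdomain. The script below is an added example, not code from this post, from FireEye or from CISA: it runs over a handful of constructed DNS query log lines (the log format, client addresses and encoded labels are all made up for illustration) and reports which internal hosts resolved anything under that domain. It matches on a label boundary so that a lookalike such as avsvmcloud.com.attacker-lookalike.net is not counted as a hit.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Beacon domain from FireEye's SUNBURST write-up; any subdomain under it is suspect.
# This value is the one fact taken from outside this post.
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed sample log in a made-up "timestamp client qname" format.
# The encoded labels below are invented placeholders, not real indicators.
SAMPLE_DNS_LOG = """\
2020-12-13T02:14:05Z 10.20.1.15 www.solarwinds.com
2020-12-13T02:14:09Z 10.20.1.15 exampleaaaa1111bbbb2222.appsync-api.us-west-2.avsvmcloud.com
2020-12-13T02:15:22Z 10.20.3.7 updates.example-vendor.com
2020-12-13T02:16:40Z 10.20.1.15 examplecccc3333dddd4444.appsync-api.eu-west-1.avsvmcloud.com
2020-12-13T02:17:01Z 10.20.4.9 avsvmcloud.com.attacker-lookalike.net
2020-12-13T02:17:30Z 10.20.4.9 notavsvmcloud.com
2020-12-13T02:18:30Z 10.20.2.2 exampleeeee5555ffff6666.appsync-api.us-east-2.avsvmcloud.com
"""

# One line per query: timestamp, client address, queried name.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def is_beacon_query(qname: str) -> bool:
    """True when qname is the beacon domain itself or any name under it.

    The suffix check includes the leading dot so that names which merely
    contain the string (notavsvmcloud.com) or carry it as a prefix
    (avsvmcloud.com.attacker-lookalike.net) are not matched.
    """
    q = qname.lower().rstrip(".")
    return q == BEACON_DOMAIN or q.endswith("." + BEACON_DOMAIN)


def find_beaconing_hosts(log_text: str) -> Dict[str, List[str]]:
    """Map each client address to the beacon names it queried, skipping malformed lines."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if is_beacon_query(m["qname"]):
            hits[m["client"]].append(m["qname"])
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(names)} beacon query(ies)")
        for name in names:
            print(f"    {name}")
```

Point this at your resolver or passive DNS export (adjusting LINE_RE to the real format) and every host it returns belongs at the top of the isolation and imaging list the Emergency Directive asks for.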

//My Take:

If you are running SolarWinds Orion you need to follow the Emergency Directive from CISA. I always recommend that clients follow the ED if at all possible; if you can't follow the advice in the ED you need to document your business justification and additional mitigation actions. Yes, a Federal Directive is only binding for federal agencies, but unless your Security Team gave you better intel by Sunday night you should start here. If you aren't running SolarWinds then use this as a crucial reminder of the importance of Supply Chain Risk Management and maybe even run a Tabletop Exercise (TTX).


For more info follow me on Twitter, where I'll try to share more information and analysis in the coming days. Also put FireEye on your Christmas card list. We owe them a big thank you.
