What You Should Know About the SolarWinds Nation-State Hack
Those of us in the IT community have likely heard that within the past two weeks, government agencies and private enterprises alike have suffered major information security breaches. At this time it has become clear that a sophisticated attack group, likely one associated with a nation-state such as Cozy Bear, is the probable culprit.
Lunavi has received numerous inquiries about our possible exposure to the supply chain vulnerabilities behind these attacks. We do not believe any of our systems are at risk. We have active tickets open with relevant partners and are keeping a close eye on the situation as it develops.
While our team is prepared to execute remediation efforts should they be required, your staff and leadership should also be aware of the full extent of this significant hack. Even if you are unaffected, this is a reminder that now is always the best time for a security audit.
Are Lunavi systems at risk?
Lunavi does not utilize the vulnerable Orion software but we do utilize N-Central software from SolarWinds. At this time, we have confirmed we are not impacted on version 2020.1.2.326 (2020.1HF2) and the older compromised version is 18.104.22.1680. We are in touch with SolarWinds and will be monitoring the situation as it continues to evolve.
What is the extent of the hacks?
On December 8th, information security software vendor FireEye reported a likely nation-state hack accessing infosec assessment tools which mimic cyber threat vectors. While the company did not report any evidence of the tools being used, it has come to light that this hack was perpetrated using compromised SolarWinds Orion network management software.
This software has apparently been used to breach numerous private companies and public agencies as large as the Treasury Department, the Pentagon, and the Department of Energy.
The full extent of the hack is not totally known, but the software is used by tens of thousands. The compromised software update used for the hack was distributed in March of 2020.
How were the hacks executed?
This is what is known as a supply chain attack, which intercepts legitimate software pipelines and injects malicious code. For users, the software package appears legitimate. In this specific case, the hackinggroup was able to get into SolarWinds development operations and insert malware in a software update.
Initial analysis reveals the attack processes used to access SolarWinds systems were highly sophisticated and potentially novel.
Once the compromised software is installed, hackers can execute code, sniff passwords, and compromise additional machines within the network.
What can I do if my systems are at risk?
Of course, this only applies if you are running a SolarWinds Orion product. You can view a helpful advisory of the affected versions here.
In addition to patching your SolarWinds products to the latest version, you should activate your incident response protocols and begin investigative forensics and remediation as needed.
CISA and DHS have provided a list of mitigation actions to take, including:
- Reimage system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through2020.2.1 HF1, and analyze for new user or service accounts.
- Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.
- Identify the existence of "SolarWinds.Orion.Core.BusinessLayer.dll"and "C:\WINDOWS\SysWOW64\netsetupsvc.dll".
- Block all traffic to and from hosts where any version of SolarWinds Orion software has been installed.
- Identify and remove threat-actor controlled accounts and persistence mechanisms.
- Reset all credentials used by SolarWinds software and implement a rotation policy for these accounts. Require long and complex passwords.
- See Microsoft guidance and documentation on kerberoasting
How can I be better prepared for cyberattacks?
Large scale attacks always serve as a strong reminder to bolster your information security posture. With this attack, you should implement a third-party risk management program to assess and monitor your vendors and software.
Your complete approach to information security should also include strong password policies including multi-factor authentication, regular user training and testing on common attack methods such as phishing, and security information and event management (SIEM) tools with visibility across your entire IT infrastructure and user devices.
If you need assistance executing any aspect of your infosec strategy, Lunavi would be happy to help you identify the right combination of tools and processes to strengthen your protection and response capabilities.