On December 8th, we learned that a threat actor compromised security firm FireEye and several US government agencies in a sophisticated supply-chain cyber attack. The threat actor compromised IT monitoring company SolarWinds and was able to get malicious code compiled into a build that was reportedly distributed to 18,000 customers. Without a doubt, this type of attack is the work of a well-planned and well-disciplined threat actor.
SolarWinds Orion products compromised in sophisticated breach.
On a dedicated security advisory page, SolarWinds stated that it has scanned all of its products for indicators similar to those found in the compromise of the Orion platform. According to the advisory, SolarWinds is not aware of any code compromise other than the Orion platform.
The affected product is the Orion Platform, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, including the following modules:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
CISA issues Emergency Directive 21-01, others should follow
As a result of the SolarWinds breach, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare Emergency Directive, 21-01. The directive calls on all federal civilian agencies to review their networks for indicators of compromise (IoCs) and to disconnect or power down SolarWinds Orion products immediately. Any organization, public or private, with this product installed on its network should take similar steps to contain this compromise.
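The first step in following the directive is knowing which hosts run an affected Orion build. The following is an added example, not code from SolarWinds, CISA, or DigitalStakeout: it encodes the three affected builds listed above (2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1), parses the version strings an inventory typically records, and splits a constructed host list into hosts to isolate now and hosts whose build is not on the affected list but should still be reviewed for IoCs. The host names, version strings, and the idea of treating unparseable versions as affected are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Affected Orion Platform builds as listed in the SolarWinds advisory summarized above,
# encoded as (base version, hotfix number or None for "no hotfix installed").
AFFECTED_BUILDS = {
    ("2019.4", 5),
    ("2020.2", None),
    ("2020.2", 1),
}

# Accepts "2020.2", "2020.2 HF 1", "2019.4 hf5" and similar inventory spellings.
_VERSION_RE = re.compile(r"^\s*(\d{4}\.\d+)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text):
    """Parse an Orion version string into (base, hotfix); hotfix is None when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    base, hf = m.group(1), m.group(2)
    return base, (int(hf) if hf is not None else None)


def is_affected(version_text):
    """True when the build is one of the three the advisory names as compromised."""
    return parse_orion_version(version_text) in AFFECTED_BUILDS


@dataclass
class Host:
    name: str
    orion_version: str


def triage(hosts):
    """Split hosts into an 'isolate' list (affected build, disconnect or power down
    per ED 21-01) and a 'review' list (build not on the affected list; still review
    for IoCs rather than assuming it is clean)."""
    isolate, review = [], []
    for h in hosts:
        try:
            affected = is_affected(h.orion_version)
        except ValueError:
            # Assumption for this example: an unknown version string is treated as
            # affected until the build can be confirmed.
            affected = True
        (isolate if affected else review).append(h.name)
    return {"isolate": sorted(isolate), "review": sorted(review)}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    Host("orion-prod-01", "2020.2 HF 1"),
    Host("orion-prod-02", "2020.2"),
    Host("orion-lab-01", "2019.4 HF 5"),
    Host("orion-lab-02", "2019.4 HF 4"),
    Host("orion-dr-01", "unknown"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

The "review" bucket is deliberately not called "clean": the advisory lists the builds known to be affected, and the directive still asks for an IoC review across the network regardless of build.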
It’s time to reduce the attack surface and threat actor opportunity space.
There will be many detailed technical articles about the SolarWinds attack, the compromise, and the code used to execute it. There needs to be just as much conversation about the basics. If the attackers had not had cheap and easy information available, how much harder would it have been for them to succeed? How much more effort would it have taken to achieve the same level of success? How many more opportunities would there have been to detect and mitigate the early-stage activities? We do know one thing for sure: less is more. The less digital footprint and open-source intelligence threat actors can discover, the more time, resources, effort, and mistakes it will take them to successfully compromise their targets.
Use DigitalStakeout Scout to detect digital risk and exposures
Organizations should use DigitalStakeout Scout to monitor and detect their digital footprint and exposures. DigitalStakeout will help you understand how to reduce your digital exposure in a manner that does not prevent your employees and organization from thriving in a digitally driven world and economy. If you need immediate help with this concern, please contact us and a member of our team will get back to you as soon as possible.