To say the cybersecurity community is abuzz over the recent news of the highly sophisticated data breaches at many U.S. government agencies this month, due to vulnerabilities in the SolarWinds Orion IT management platform, is an understatement. Experts believe that Russian government hackers are behind this global espionage, which may have started as early as last spring. The threat actors conducted a supply chain attack on the SolarWinds Orion Platform with a backdoor through a FireEye software update. The SolarWinds versions impacted are 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. Agencies affected include the Pentagon, the Department of Homeland Security and the Department of the Treasury.
SolarWinds, FireEye and the Cybersecurity and Infrastructure Security Agency (CISA) all urge customers running these software versions to upgrade immediately and pay close attention to continued advisories from organizations involved in the investigations.
Microsoft has also issued an advisory in their Microsoft Security Response Center which provides details on how the hackers gained access to networks through compromised SAML token signing certificates.
This NPR article describes how careful the threat actors were to cover their tracks, calling the operation very “sleuthy” and sophisticated. It quotes Glenn Gerstell, former National Security Agency general counsel: “It's as if you wake up one morning and suddenly realize that a burglar has been going in and out of your house for the last six months.” He continues: “You couldn't tell that they came in, you couldn't tell that they left the back door open. You couldn't even tell necessarily when they came in, took a look around and when they left.”
SolarWinds continues to update their Security Advisory Alert and customers are urged to immediately upgrade impacted versions.
SolarWinds recommends the following immediate steps:
- SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to ensure the security of your environment.
- SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which is available for download here.
SolarWinds has also issued a helpful FAQ that is being continuously updated.
FireEye is currently tracking the software supply chain compromise and related post-intrusion activity as UNC2452. FireEye’s threat research explains exactly how the backdoor compromise occurred.
Vigilance is critical here. Although it appears there was nothing SolarWinds customers could have done to prevent this hack, everyone involved in protecting their networks and data must heed the warnings and keep vigilant security practices in place.
Known affected products: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:
- Application Centric Monitor (ACM)
- Database Performance Analyzer
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
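The practical task behind the upgrade steps and the affected-version list above is triage: given an inventory of Orion servers and the version each reports, decide which hosts fall into the affected set and which target version the advisory prescribes for them. The script below is an added example written for this post, not code from SolarWinds, FireEye or CISA. It encodes only the three affected versions and the two fixed versions named in the post; the version-string format it parses ("YYYY.N[.P] [HF n]", as the post writes them), the host names and the inventory are assumptions constructed for the example, and a version that is simply absent from the list is reported as "not listed", not as certified clean.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class OrionVersion:
    """Orion Platform version as written in the advisory, e.g. '2020.2.1 HF 2'."""
    major: int   # release year, e.g. 2020
    minor: int   # release number within the year, e.g. 2
    patch: int   # 0 when absent: '2020.2' -> 0, '2020.2.1' -> 1
    hotfix: int  # 0 when no hotfix is installed


# Assumed format (example's own): "2019.4 HF 5", "2020.2", "2020.2.1 HF 2"; case-insensitive "HF".
VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> OrionVersion:
    """Parse a version string; raise on anything that does not match the assumed format."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


def format_version(v: OrionVersion) -> str:
    """Render a version back into the advisory's notation."""
    s = f"{v.major}.{v.minor}"
    if v.patch:
        s += f".{v.patch}"
    if v.hotfix:
        s += f" HF {v.hotfix}"
    return s


# Affected version -> fixed version, exactly as the post states them.
REMEDIATION = {
    parse_version("2019.4 HF 5"): parse_version("2019.4 HF 6"),
    parse_version("2020.2"): parse_version("2020.2.1 HF 2"),
    parse_version("2020.2 HF 1"): parse_version("2020.2.1 HF 2"),
}


def triage(installed: str) -> Optional[str]:
    """Return the prescribed target version for a known-affected build, else None.

    None means 'not in the affected list', which is all the post supports; it is
    not a statement that the build is safe."""
    target = REMEDIATION.get(parse_version(installed))
    return format_version(target) if target is not None else None


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """For each (host, version) pair, collect (host, installed, target) where action is needed."""
    actions = []
    for host, installed in inventory:
        target = triage(installed)
        if target is not None:
            actions.append((host, installed, target))
    return actions


# Constructed sample inventory (host names and versions made up for this example).
SAMPLE_INVENTORY = [
    ("npm-01", "2020.2 HF 1"),     # affected -> 2020.2.1 HF 2
    ("sam-02", "2019.4 hf5"),      # affected, case/spacing variant -> 2019.4 HF 6
    ("eoc-03", "2020.2.1 HF 2"),   # already on the fixed build
    ("ipam-04", "2020.2"),         # affected, no hotfix -> 2020.2.1 HF 2
]

if __name__ == "__main__":
    for host, installed, target in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {installed} is affected; upgrade to {target}")
```

Feed it whatever version strings your asset inventory or the Orion web console reports, and treat a `ValueError` as a host whose version needs to be confirmed by hand rather than silently skipped.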