Solarwinds Hacked by Russians – Cybersecurity Experts Break It Down

ANN ARBOR – Cybersecurity experts Dan Lohrmann and Richard Stiennon provide details on how the Russians hacked the SolarWinds networking software used by US government agencies and nearly all the Fortune 500 companies in America.

Russia’s hack of IT management company SolarWinds began as far back as March, and it only came to light when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9. Since then, a cascading number of victims have been identified, including the US Departments of State, Homeland Security, Commerce, and the Treasury, as well as the National Institutes of Health. The nature of the attack—and the tremendous care taken by the hackers—means it could be months or longer before the extent of the damage is known. The impact is already devastating, though, and it underscores just how ill-prepared the US was to defend against a known threat—and to respond. It’s also ongoing, Wired magazine reported.


From <https://mitechnews.com/mitechtv/solarwinds-hacked-by-russians-cybersecurity-experts-break-it-down/>

SolarWinds Security Advisory

Recent as of December 18, 2020, 7:30am CST

SolarWinds was the victim of a cyberattack to our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software. In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.

The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT) issued Emergency Directive 21-01 regarding the SUNBURST vulnerability on December 13, 2020. CERT issued Alert (AA20-352A), titled Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, as an update to ED 21-01 on December 17, 2020, based on our coordination with the agency.

A Frequently Asked Questions (FAQ) page is available here, and we intend to update this page as we learn more information.

First, we want to assure you we’ve removed the software builds known to be affected by SUNBURST from our download sites. 

We recommend taking the following steps related to your use of the SolarWinds Orion Platform:

SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to better ensure the security of your environment. This version is currently available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2020.2.1 HF 2 Release notes here.

SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to Orion Platform 2019.4 HF 6, which is available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2019.4 HF 6 Release Notes here.

All hotfix updates are cumulative and can be installed from any earlier version. There is no need to install previously released hotfix updates.

If you are running a version prior to or equal to Orion Platform version 2019.4 HF 4, we do not believe that your system was compromised with this vulnerability and therefore are not recommending that any action is required to protect against this vulnerability.

You may need to synchronize your license prior to applying the hotfix. Please follow the steps here to kick off the synchronization of your license.

If you have disabled outward communication from your Orion license, please follow the “Activate License Offline” section from here.

Once you have successfully synched your license, please run the installer to install the hotfix.

Additionally, we want you to know that, while our investigations are early and ongoing, based on our investigations to date, we are not aware that this inserted vulnerability affects other versions of Orion Platform products. Also, while we are still investigating our non-Orion products, we have not seen any evidence that they are impacted by SUNBURST.

If you aren’t sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfix updates you have applied, please go here.

If you cannot upgrade immediately, please follow the guidelines available here for your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is required to operate your platform. Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.


Known affected products: Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module* (DPAIM*)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

User Device Tracker (UDT)


Network Performance Monitor (NPM)

NetFlow Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SRM)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)


*NOTE: Please note DPAIM is an integration module and is not the same as Database Performance Analyzer (DPA), which we do not believe is affected.

SolarWinds products NOT KNOWN TO BE AFFECTED by this security vulnerability:

8Man

Access Rights Manager (ARM)

AppOptics

Backup Document

Backup Profiler

Backup Server

Backup Workstation

CatTools

Dameware Mini Remote Control

Dameware Patch Manager

Dameware Remote Everywhere

Dameware Remote Manager

Database Performance Analyzer (DPA)

Database Performance Monitor (DPM)

DNSstuff

Engineer’s Toolset

Engineer’s Web Toolset

FailOver Engine

Firewall Security Monitor

Identity Monitor

ipMonitor

Kiwi CatTools

Kiwi Log Viewer

Kiwi Syslog Server

LANSurveyor

Librato

Log & Event Manager (LEM)

Log and Event Manager Workstation Edition

Loggly

Mobile Admin

Network Topology Mapper (NTM)

Papertrail

Patch Manager

Pingdom

Pingdom Server Monitor

Security Event Manager (SEM)

Security Event Manager Workstation Edition

Server Profiler

Service Desk

Serv-U FTP Server

Serv-U Gateway

Serv-U MFT Server

Storage Manager

Storage Profiler

Threat Monitor

Virtualization Profiler

Web Help Desk

SQL Sentry

DB Sentry

V Sentry

Win Sentry

BI Sentry

SentryOne Document

SentryOne Test

Task Factory

DBA xPress

Plan Explorer

APS Sentry

DW Sentry

SQL Sentry Essentials

SentryOne Monitor

BI xPress


SolarWinds MSP Products:

N-central – Probe

N-central – Topology

N-central – NetPath

N-central

NetPath – Server

RMM

Backup Disaster Recovery

M365 Backup

Backup

Mail Assure

SpamExperts

MSP Manager

PassPortal

Take Control

Patch

Automation Manager

Webprotection


From <https://www.solarwinds.com/securityadvisory>
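The advisory above gives its remediation guidance as prose keyed to version and hotfix strings (2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1 affected; 2019.4 HF 6 and 2020.2.1 HF 2 as the fixed builds; 2019.4 HF 4 and earlier believed unaffected). The script below is an added example, not SolarWinds code, that turns those statements into a triage routine you can run over an inventory export of Orion servers. The version-string format it parses, the `Finding` record, the hostnames and the sample inventory are all constructed for this illustration; the advisory itself does not publish a machine-readable list.

```python
"""Triage Orion Platform version strings against the SUNBURST advisory.

Added example; not SolarWinds code. It encodes only what the advisory states:
  affected: 2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1
  fixed:    2019.4 HF 6 (2019.4 line), 2020.2.1 HF 2 (2020.2 line)
  2019.4 HF 4 and earlier: not believed compromised
The inventory rows at the bottom are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# A version is (base numbers, hotfix number); tuples compare in release order:
# (2019,4) HF 5 < (2020,2) HF 0 < (2020,2) HF 1 < (2020,2,1) HF 2.
Version = Tuple[Tuple[int, ...], int]

# Assumed inventory format: "2020.2.1 HF 2", "2020.2", "2019.4 hf 5", ...
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """'2020.2.1 HF 2' -> ((2020, 2, 1), 2); a missing hotfix counts as HF 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion Platform version string: {text!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return base, hotfix


# Known-affected builds -> the build the advisory says to upgrade to.
AFFECTED: Dict[Version, str] = {
    ((2019, 4), 5): "2019.4 HF 6",
    ((2020, 2), 0): "2020.2.1 HF 2",
    ((2020, 2), 1): "2020.2.1 HF 2",
}
# First clean build per release line, keyed by the first two version numbers.
FIXED: Dict[Tuple[int, ...], Version] = {
    (2019, 4): ((2019, 4), 6),
    (2020, 2): ((2020, 2, 1), 2),
}
LAST_PRE_SUNBURST: Version = ((2019, 4), 4)

# Interim mitigation from the advisory for hosts that cannot be upgraded at once.
MITIGATION = ("keep the Orion server behind a firewall, disable its internet "
              "access and limit ports/connections to what operation requires")


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str   # affected | fixed | not_affected | not_listed | unknown
    action: str


def triage(host: str, version: str) -> Finding:
    try:
        v = parse_version(version)
    except ValueError:
        return Finding(host, version, "unknown",
                       "check the installed Orion Platform version and hotfix level manually")
    if v in AFFECTED:   # exact match on a known-affected build
        return Finding(host, version, "affected",
                       f"upgrade to Orion Platform {AFFECTED[v]}; until then {MITIGATION}")
    if v <= LAST_PRE_SUNBURST:
        return Finding(host, version, "not_affected",
                       "2019.4 HF 4 or earlier: advisory does not believe this build was compromised")
    fixed = FIXED.get(v[0][:2])
    if fixed is not None and v >= fixed:
        return Finding(host, version, "fixed", "hotfix already applied; no SUNBURST action required")
    return Finding(host, version, "not_listed",
                   "not listed as affected in the advisory; confirm hotfix level via the customer portal")


def triage_inventory(rows: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Run triage over (host, version) rows; affected hosts sort first."""
    order = {"affected": 0, "unknown": 1, "not_listed": 2, "fixed": 3, "not_affected": 4}
    return sorted((triage(h, ver) for h, ver in rows), key=lambda f: order[f.status])


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-legacy", "2018.4 HF 3"),
    ("orion-patched", "2020.2.1 HF 2"),
    ("orion-unknown", "n/a"),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:15} {f.version:14} {f.status:13} {f.action}")
```

Two details matter when adapting this to a real inventory: the affected set is matched exactly rather than as a range, because the advisory names three specific builds and says it is not aware of others being affected, and a build that is newer than an affected one but older than the fixed build of its line (for instance 2020.2 HF 2 or 2020.2.1 with no hotfix) is reported as "not_listed" rather than "fixed", so that someone checks the hotfix level instead of assuming it is safe.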

The SolarWinds SEC-mandated filings are all in order. Q1, Q2, Q3 and the quarterly profits seem to reflect a willingness to comply with regular auditing. The banking sector is rightly separated from the well-regulated and taxpayer-subsidized banking industry. However, the network infrastructure we rely on for practically everything else in society goes unregulated. Why are there no auditing requirements for large technology providers?

Microsoft has become the latest victim of the ever-widening SolarWinds-driven cyberattack that has impacted rafts of federal agencies and tech targets. Its president, Brad Smith, warned late Thursday to expect many more victims to come to light as investigations continue.

From <https://threatpost.com/microsoft-solarwinds-spy-attack-federal-agencies/162414/>

Note: Microsoft was not compromised, but their internal and external auditing processes have enabled them to assist 40 customer organizations in shutting down the related exploits. Searching for references on this.


In an SEC filing, SolarWinds says “the vulnerability was not evident in the Orion Platform products’ source code but appears to have been inserted during the Orion software build process.” d18rn0p25nwr6d.cloudfront.net/CIK-0001739942…


*SWI-2020.3.31-EX99.1 (q4cdn.com)

Most cyber security frameworks such as NIST CSF document the need for continuous risk management and inspection of data and software. This, in turn, includes the need that all third party and open source software, whether built internally or externally, be continually inspected for tampering, malicious content, or any unwanted characteristics that clash with an organization’s acceptable policies.

From <https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth>
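The SEC filing quoted above says the malicious code was not in the Orion source and was inserted during the build, and the ReversingLabs passage calls for continuous inspection of third-party software for tampering. The script below is an added example, not SolarWinds' or ReversingLabs' tooling, of the simplest check that catches this class of problem: hash every artifact a build produced and diff it against a reference manifest computed from an independent rebuild of the same source, so that anything added, removed or altered by the build pipeline stands out. The manifest layout (relative path to SHA-256 hex), the artifact names and the sample contents are constructed for this illustration; the reference must come from a build environment the vendor pipeline cannot write to, and the comparison assumes the build is reproducible (timestamps, embedded signatures and similar nondeterminism must be normalized first or they will show up as spurious changes).

```python
"""Build-output integrity check for a software supply chain.

Added example; not SolarWinds' or ReversingLabs' tooling. Compares the files a
build produced against a reference manifest {relative path: sha256 hex}
computed from an independent rebuild of the same source. Artifact names and
contents below are constructed for this illustration.
"""
import hashlib
from pathlib import Path
from typing import Dict, Mapping, NamedTuple, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_bytes(artifacts: Mapping[str, bytes]) -> Dict[str, str]:
    """In-memory artifacts (relative path -> content) -> {path: sha256}."""
    return {path: sha256_hex(blob) for path, blob in artifacts.items()}


def manifest_from_directory(root: Path) -> Dict[str, str]:
    """Hash every regular file under a real build-output directory."""
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*")) if p.is_file()
    }


class ManifestDiff(NamedTuple):
    added: Dict[str, str]                   # in the build but not in the reference
    removed: Dict[str, str]                 # in the reference but missing from the build
    changed: Dict[str, Tuple[str, str]]     # path -> (reference sha256, build sha256)

    @property
    def clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def diff_manifests(reference: Mapping[str, str], build: Mapping[str, str]) -> ManifestDiff:
    """Every discrepancy is reported; an extra file is as suspicious as a modified one."""
    added = {p: h for p, h in build.items() if p not in reference}
    removed = {p: h for p, h in reference.items() if p not in build}
    changed = {p: (reference[p], build[p])
               for p in reference if p in build and reference[p] != build[p]}
    return ManifestDiff(added, removed, changed)


def report(diff: ManifestDiff) -> str:
    if diff.clean:
        return "OK: build output matches reference manifest"
    lines = ["TAMPER SUSPECTED: build output differs from reference manifest"]
    lines += [f"  added    {p}  {h[:16]}..." for p, h in sorted(diff.added.items())]
    lines += [f"  removed  {p}  {h[:16]}..." for p, h in sorted(diff.removed.items())]
    lines += [f"  changed  {p}  {a[:16]}... -> {b[:16]}..."
              for p, (a, b) in sorted(diff.changed.items())]
    return "\n".join(lines)


# Constructed sample builds (file names and contents are invented).
CLEAN_BUILD = {
    "bin/app.dll": b"compiled app component, clean",
    "bin/web.dll": b"compiled web component, clean",
    "app.config": b"<configuration/>",
}
# Same source, but the pipeline appended code to one DLL and dropped in an extra one.
SUSPECT_BUILD = {
    "bin/app.dll": CLEAN_BUILD["bin/app.dll"] + b"<injected at build time>",
    "bin/web.dll": CLEAN_BUILD["bin/web.dll"],
    "app.config": CLEAN_BUILD["app.config"],
    "bin/helper.dll": b"unexpected artifact",
}
# Reference manifest from the independent rebuild (here: the clean sample).
REFERENCE_MANIFEST = manifest_from_bytes(CLEAN_BUILD)

if __name__ == "__main__":
    print(report(diff_manifests(REFERENCE_MANIFEST, manifest_from_bytes(CLEAN_BUILD))))
    print(report(diff_manifests(REFERENCE_MANIFEST, manifest_from_bytes(SUSPECT_BUILD))))
```

For a real build tree, replace the in-memory samples with `manifest_from_directory(Path("out/"))` on both sides. The limitation to keep in mind is that this only detects divergence from the reference; if the reference is produced by the same compromised pipeline, both manifests carry the implant and the diff is clean, which is why the rebuild has to be independent.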

How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain. The company said that its Microsoft email accounts had been compromised and that this access may have been used to glean more data from the company’s Office productivity tools.

From <https://www.wsj.com/articles/hack-suggests-new-scope-sophistication-for-cyberattacks-11608251360?mod=e2tw>

On Friday, congressional Republicans serving on the House Armed Services Committee issued a statement saying that the country “must respond” after it was discovered that the software company SolarWinds—which is used by top government agencies and Fortune 500 companies—had been allegedly breached by Russian hackers.

From <https://www.newsweek.com/republicans-say-us-must-retaliate-solarwinds-hack-while-trump-stays-mum-1556033>

“The scale of the hackers’ attack is a much bigger thing than the new information about Navalny,” Arkady Moshes, director of the EU’s Eastern Neighbourhood and Russia program at the Finnish Institute of International Affairs think tank, told Newsweek.

From <https://www.newsweek.com/russia-hack-cybersecurity-navalny-sanctions-1554837>

What is to be Done?

While Microsoft’s call-to-action likely will stand out among the more unique responses as the private sector continues to assess the damage, it buries the lede—the status of the breach and the steps the company is taking to respond. The following notice appears at the very bottom of the 3,500-word blog post:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

From <https://www.prnewsonline.com/microsofts-solarwinds-breach-response-offers-a-cybersecurity-pr-blueprint/?utm_source=dlvr.it&utm_medium=twitter>

More to come soon:  Update on Solarwinds exploit and what to do. | Tekuser.com by Tekmar Solutions Inc.