By now, if you follow the news at any level, there's a good chance that you've heard of the "SolarWinds" exploit. Even non-technical news sources, including Bloomberg, Newsweek, MSNBC, CNN, Fox News, and the BBC, all have stories pertaining to the attack. There are also exceptional blog articles, like the FireEye blog or the Volexity blog, that describe what happened in great technical detail. Our goal at LogicHub is not to cast any vendor in a negative light but to provide understandable and actionable information to help you.
What actually happened?
The SolarWinds exploit is attributed to a group known as "UNC2452" by FireEye. Other security companies (like Volexity) attribute the attack to a group they call "Dark Halo" and say this is the third attack by that group, while still other companies (Obsidian) attribute the attack to APT29, also known as Cozy Bear, which has a long history of attacks.
Regardless of the name, the group compromised the software developed by SolarWinds, corrupting the supply chain and causing a modified DLL to be deployed to customers running certain versions and products within the SolarWinds product line. The compromised DLL, nicknamed Sunburst, was a digitally signed component of the Orion software framework that contains a backdoor communicating over HTTP with third-party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
How do I know if I'm impacted?
SolarWinds has released an advisory detailing the specific product lines and versions that have the compromised DLL. Specifically, the impacted platforms include those running: Orion Platform versions 2019.4 hotfix 5; 2020.2 with no hotfix; or 2020.2 hotfix 1. The full list of 18 affected components along with those components not affected is in the SolarWinds advisory. If you are not running one of the three impacted Orion Platform versions, then you are not impacted by this exploit.
What should I do immediately?
The list of actions below has been collected from various sources, and while lengthy, it offers a robust set of response actions that should be considered if your organization is impacted:
- SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1.
- Further secure your SolarWinds platform following their hardening instructions.
- If you are running a vulnerable version of the SolarWinds Orion Platform, ensure the SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
What can we do if we can't isolate our Solarwinds environment?
- Restrict the scope of connectivity from SolarWinds servers to other endpoints, especially those that would be considered Tier 0 / crown jewel assets.
- Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
- Block Internet egress from servers or other endpoints with SolarWinds software.
- Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.
- If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
- Reset all credentials used by or stored in SolarWinds Orion.
- Rebuild all hosts monitored by SolarWinds Orion from trusted sources (required if evidence of compromise is found).
What should we do moving forward?
- Monitor O365/SaaS authentication activity (e.g. misuse of SAML tokens; unusual geographic locations)
- Monitor administrative activity (e.g. new MFA devices being added to accounts; new privileged accounts; new permissions assigned). Review and verify administrative activity made as far back as the Spring of 2020 to validate the change was expected.
- Active Directory administrators should also review account creation and deletion activity from the time the organization deployed compromised versions of Orion onward, and pay close attention to anomalous patterns, especially around accounts with privileged/admin access.
- Monitor file activity (e.g. new file hashes; new executable names). If uncommon hashes or processes are found and remain untrusted, submit samples to online sandbox/analytical websites for analysis.
- Monitor command line activity, especially PowerShell activity.
- All secret keys associated with multi-factor authentication or application integrations housed on devices managed or monitored by Orion should be considered compromised and reset.
- Research blogs starting with those listed and add the IP subnets, domain names, and file hashes to your threat intelligence platform. Monitor your SIEM for activity matching an IOC. A good place to start is with the FireEye Github repo.
- Perform threat hunting against attack IOCs to see if there is historical activity indicating attacker activity.
- If you run an on-premises Exchange environment, consider adding alerting mechanisms to any EDR solutions for processes using the Exchange Management Shell PowerShell cmdlets listed in Appendix B of the Volexity blog. This may or may not be a valid detection approach depending on how frequently this shell is used within your organization.
- More generally, if the Exchange Management Shell is rarely used in a legitimate Administrative context, it may be worth investigating any historical use of this shell.
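As an added example (not code from LogicHub or the original post), the Python below applies three of the monitoring recommendations above to constructed JSON-lines endpoint events: IOC hash and domain matches, PowerShell command lines (flagging encoded commands), and Exchange Management Shell cmdlet use. The IOC values and the cmdlet watchlist are placeholders, not the published indicators or the Volexity Appendix B list.

```python
import json
import re
# Constructed watchlists (assumptions for this example): load the published IOC sets here.
IOC_HASHES = {"cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe"}
IOC_DOMAINS = {"c2-placeholder.example"}
# Constructed sample of Exchange Management Shell cmdlets, not Volexity's Appendix B list.
EMS_CMDLETS = {"new-mailboxexportrequest", "get-mailboxexportrequest", "set-mailbox"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def check_event(event):
    """Return the names of the detection rules that fire on one parsed event."""
    hits = []
    if event.get("type") == "dns":
        if event.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
            hits.append("ioc_domain")
    elif event.get("type") == "process":
        image = event.get("image", "").lower().rsplit("\\", 1)[-1]
        cmdline = event.get("cmdline", "")
        if event.get("sha256", "").lower() in IOC_HASHES:
            hits.append("ioc_hash")
        if image in POWERSHELL_IMAGES:
            hits.append("powershell_exec")
            # -e / -enc / -EncodedCommand hides the script body from plain review.
            if re.search(r"\s-e(nc(odedcommand)?)?\s", cmdline, re.I):
                hits.append("powershell_encoded")
        # Cmdlets are Verb-Noun tokens; flag any that are on the Exchange watchlist.
        cmdlets = {t.lower() for t in re.findall(r"\b[A-Za-z]+-[A-Za-z]+\b", cmdline)}
        if cmdlets & EMS_CMDLETS:
            hits.append("exchange_management_shell")
    return hits

def scan(lines):
    """Scan JSON-lines events; return (line_no, host, rule) tuples for every hit."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines rather than abort the scan
        alerts.extend((n, event.get("host", "?"), rule) for rule in check_event(event))
    return alerts

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r'''
{"type":"process","host":"orion01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoP -EncodedCommand ZQBjAGgAbwA=","sha256":"1111"}
{"type":"dns","host":"orion01","query":"c2-placeholder.example."}
{"type":"process","host":"exch01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -Command New-MailboxExportRequest -Mailbox alice","sha256":"2222"}
{"type":"process","host":"ws42","image":"C:\\Windows\\notepad.exe","cmdline":"notepad.exe notes.txt","sha256":"3333"}
{"type":"process","host":"orion02","image":"C:\\Program Files\\SolarWinds\\Orion\\example.exe","cmdline":"example.exe","sha256":"cafecafecafecafecafecafecafecafecafecafecafecafecafecafecafecafe"}
'''.strip().splitlines()
```

Running `scan(SAMPLE_LOG)` yields one tuple per rule hit; tune the encoded-command and cmdlet rules against your own baseline of legitimate administrative use before alerting on them.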
How do I protect my organization from the next major exploit?
To be transparent, no single security product or security control can prevent every attack. That said, many of the recommendations in the previous section apply not only to this attack but also serve as recommended practices for the next one. So, to begin, review the suggested actions to determine what you are able to do to protect yourself.
Ultimately, protection comes through a combination of deploying preventative and detective controls in a scalable fashion.
What if we're not resourced to do all of that?
If you find certain actions in the list above are highly repetitive and taxing on your internal staff, you should look at ways of automating as many of the repetitive tasks as possible. This may be possible in some instances using built-in capabilities included in your existing security solutions. If you are looking for solutions, we would suggest considering a security automation platform, such as a SOAR platform. If the overhead of implementing, building and managing another enterprise platform is prohibitive, there are many managed solutions worth looking at, particularly managed detection and response (MDR) services.
LogicHub helps on both sides of this dichotomy. In our SOAR offering, we offer hundreds of integrations with dozens and dozens of security and operational tools. We support the interaction and automation of actions from your existing tools. In the detection space, we have an automation-driven MDR+ service with a growing library of hundreds of detection rules that use advanced techniques to learn normal behaviors and alert on deviations, along with traditional indicator-based detections based on known attack behavior.
To learn more about how effective and affordable it can be to use automation to detect and respond to cyber incidents, please contact us.
CEO & Co-Founder