BLOG

A groundbreaking cyberattack against the Texas-based IT network solutions provider SolarWinds has resulted in unauthorized access to a wide range of government and private sector organizations. The extent, scale, and impact of the attack are still being assessed; however, initial indications are that the attack will have lasting security impacts for months and possible years to come.

This attack exposes the dependencies that organizations have on their supply chains and the security risks that can be introduced through third- and fourth-party access to networks and information. According to a security advisory issued by SolarWinds, “this attack was very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software.”[1] SolarWinds and the US Cybersecurity and Infrastructure Security Agency (CISA)[2] have issued alerts and guidance that should be reviewed for all affected organizations.

This blog provides a summary of the attack as well as recommendations for organizations to assess and take mitigation actions relative to this attack for their own organizations and the third- and fourth-party vendors in their supply chain that may be affected.

Background

The sophisticated attack leverages a compromise of the SolarWinds Orion software updates to create a backdoor into the networks that leverage the popular network monitoring solution. The malicious code was embedded in SolarWinds software updates and pushed down to unsuspecting organizations from March through June 2020. The Orion platform is reportedly used by over 18,000 organizations in the public and private sectors.

The attack is being attributed Russian state-sponsored actors by several sources, although a formal investigation is still underway.

Initial indications are that the majority of impacted entities are US federal and governmental entities. However, several high-profile private sector organizations including FireEye, Microsoft, and VMWare have been impacted.

Microsoft, in particular, has taken aggressive response and mitigation measures following the detection of the attack. Specifically, they have removed the digital security certificates used in the attack, which essentially instructs Windows-based devices not to trust communications from the attackers. They also took over one of the primary network domains used in the attack, which is referred to as creating a “sinkhole” to redirect traffic away from malicious actors.

Assessing and Mitigation SolarWinds Supply Chain Risks

The following is a checklist of activities to perform if you leverage vendors that may be impacted by the SolarWinds attack:

CORL Customers Only:

1. Connect with your CORL Client Engagement representative to determine if your organization has a confirmed third- or fourth-party relationship with SolarWinds.
2. If so, work with the CORL team to coordinate with the affected vendors to validate their assessment and remediation process in alignment with the recommendations below for impacted organizations.

Assessment Criteria for Vendors (All Organizations):

3. Determine if the vendor has SolarWinds configured in their environment, specifically the Orion product.
4. Request evidence that an assessment and remediation plan are in place that address the mitigation steps listed below; request routine updates on the status of related corrective action plan(s).
5. If vendors have the capability and skill sets in house, then recommend that they take a forensics image or snapshot of the operating systems for host systems running the Orion solution. If such capabilities are not available in the short-term then proceed to other recommendations listed below.
6. Advise vendors to consider a full uninstall or disabling of SolarWinds in your environment if feasible or if they are uncertain as to their potential exposure and consider a clean reinstallation of SolarWinds with a new build on the latest software versions if they require the software for critical functions.
7. Validate that the vendor has updated the Orion software to the latest patched version if they plan to continue active use of SolarWinds.[3]
8. Verify that the vendor has reset passwords for service accounts and other credentials used in support of the SolarWinds application and service.
9. Confirm that the vendor has set up monitoring of activity related to SolarWinds accounts to determine if any abnormal activity has occurred (e.g. connections to unrelated systems and services, user or system account creation or modification).
10. Validate that the vendor has established monitoring of known Indicators of Compromise (IoCs) for the attack. See the SolarWinds alert and CISA alert for the latest IoCs and response activities.
11. If vendors have indications or concerns of active compromise of their network related to this attack, then confirm that they have contracted a third-party forensics analysis firm to conduct an assessment of the network to determine the extent and nature of compromise for their environment.
12. Verify that vendors have isolated affected systems and other critical systems from the network using firewalls and network segmentation capabilities.
13. Request that the vendor reset local administrative passwords on workstations and servers where feasible.
14. Assess the vendor’s privileged access controls and monitoring capabilities; confirm that the vendor is monitoring activity for privileged accounts for any abnormal or suspicious behavior.
15. Validate the vendor’s use of multi-factor authentication for all external network connections.

We will continue to monitor the attack and provide updates as this situation unfolds. Contact us to learn more about the attack and ways you CORL can protect your organization and third-party supply chain.

---

[1] https://www.solarwinds.com/securityadvisory
[2] https://us-cert.cisa.gov/ncas/alerts/aa20-352a
[3] https://www.solarwinds.com/securityadvisory