Critical Insight Q&A on the SolarWinds Attack

The high-profile SolarWinds Orion Platform security breach that became public earlier in December continues to be the source for new reports about the organizations affected. We can expect more information on how broad and deep this cyber-attack goes well into 2021. Due to the emergent nature of this threat with new information surfacing every day, many organizations are concerned about how the SolarWinds breach might impact on their networks and systems.

The Critical Insight team have been researching and analyzing the information available to cybersecurity professionals since the breach was made public. The Security Operations Center (SOC) has been working with our customers to assess the SolarWinds Orion Platform breach's impact. We are also working with clients to assist them to clean any impacted systems, identify any ongoing compromises, and protect others from infection by the original vulnerability or the associated Malware instances.

This intensive work and interaction with multiple organizations has generated a set of frequently asked questions about the SolarWinds Orion Platform vulnerability. Critical Insight CISO Mike Hamilton sent an advisory email to all our clients last week to address these questions, and the need-to-know information is recapped in this article. If you have any questions about Critical Insight cybersecurity solutions or how we are helping customers with this unprecedented supply chain compromise, then see our solutions page, or use the contact page to get in touch.

What is the SolarWinds & FireEye Connection?

FireEye is a security product and services vendor which is independent of SolarWinds. FireEye's only connection is as a customer who uses the SolarWinds Orion Platform within their own IT operations. It was FireEye who first made the SolarWinds Orion Platform breach public. FireEye noticed abnormal activity on their network, and upon investigation discovered the SolarWinds security breach.

Cyber criminals also used the SolarWinds breach to steal the FireEye Red Team toolkit. This is the toolkit used by FireEye to perform security testing and analysis on their customer's networks and systems. FireEye has disclosed what tools where stolen, and have made countermeasures available via this blog post. None of the stolen tools contained any secret or zero-day exploits that could have been quickly used by the cybercriminals who now hold them, assuming all targeted systems are at current patch levels.

The vulnerability introduced into SolarWinds Orion that allowed access to the FireEye tools is known as "Sunburst". When you see Sunburst referred to with the SolarWinds breach it relates to this backdoor used against FireEye, and which may be used against other impacted organizations. Another malware exploit that is named Supernova has also been discovered. It was designed to be installed via the SolarWinds Orion Platform vulnerability. You can find details of the original breach, the associated malware variants, and all the latest information on the SolarWinds Security Advisory page.

How is Critical Insight affected?

We do not use SolarWinds within CI. The original breach mechanism, and the subsequent malware attacks that exploit it, cannot impact our SOC or other operations. We continue to operate normally to monitor client networks and respond to any issues that arise.

Within our customer networks, the SOC team searched for the known indicators of compromise associated with the breach and contacted any organization where they have been discovered. At the time of writing, we have seen zero evidence of the vulnerability being exploited within the Critical Insight customer base. We continue to work with at-risk customers to monitor activity on their systems.

Should I be worried?

The SolarWinds investigation into the breach, and how it was distributed via an infected software update, identified approximately 18,000 organizations who had downloaded the compromised updates. However, the evidence so far indicates that only high-value targets such as Federal government agencies have been actively attacked using the breach. It is believed that cybercriminals actively exploited the vulnerability in about 50 organizations. Critical Insight CTO Mike Simon recommends this Data Breach Today article on this topic.

Now that the intrusion and infected customer base is public, there is a possibility that the bad actors who were using it in secret to access critical Federal and Governmental systems will pass it on to others who will exploit it for malware, ransomware, or cyber-terrorism.

We use SolarWinds Orion Platform - what should we do?

If you, or a partner in your supply chain, use the SolarWinds Orion Platform, it is essential you follow the advice from SolarWinds, as outlined on their Security Advisory page.

Both FireEye and Microsoft have published extensive analysis and advice on how to proceed:

• FireEye - https://www.fireeye.com/blog/threat-research.html
• Microsoft - https://msrc-blog.microsoft.com/ 

If you are a Critical Insight customer, our SOC team will monitor your network and reach out to you. If you are not a customer and would like to have our SOC team monitor your network, then contact us.

Are other SolarWinds Products safe to use?

SolarWinds do not think that this breach impacts any other products in their portfolio beyond the Orion Platform. A full list of those tools affected, and those not, is on their Security Advisory page.

In an interesting development, the SolarWinds subsidiary SolarWinds MSP, which is in the middle of being spun out as a standalone company, have announced that they will be changing their name.

Where can I learn more about this breach?

The SolarWinds Security Advisory page and the FireEye and Microsoft resources linked above are the primary sources for the latest updates on the breach and its impacts.

Senior Critical Insight team members participated in an online discussion about the SolarWinds Orion Platform breach, and what it could mean going forward. The hour-long discussion is available to view on-demand on YouTube. Technical discussion and analysis start about three minutes into the video.