Wednesday, December 16, 2020

Software Supply Chain Attack - SolarWinds

Summary and quotes of developing news related to the SolarWinds hack

·       March 2020: highly sophisticated threat actor and APT [repeated emphasis in the industry, i.e. no protection would have identified it]

·       It installed a SolarWinds digitally signed backdoor (DLL) in SolarWinds Orion Platform versions 2019.4 to 2020.2.1 [however, no version is safe], and HF1 may (or may not) be affected

·       Not an exploit; instead, the attacker embedded its own configuration data into the SolarWinds config files

·       The backdoor and/or injected code allowed full Admin rights to the SolarWinds Orion Platform, all service accounts and local accounts, and likely the hosts monitored by SW Orion, i.e. at least 18,000 of a possible 33,000 customers may have been affected

·       Vulnerability discovered as a result of forensic analysis of the FireEye compromise

·       Microsoft took over the domain name avsvmcloud.com, used by the hacker to communicate with the compromised backdoor

·       CISA issued Directive 21-01 to government as well as private industry and will post additional IOCs to its website as more is known

·       Leveraged / elevated privileges; the APT then cleaned up after itself, so even if the DLL is not found, compromise is still possible

·       Emphasis on "keys to the kingdom" services and the need for greater collaboration between IT and InfoSec

·       FireEye's IOCs have seen neither false positives nor true positives (as of yesterday?), but IOCs will change (and the attackers didn't reuse the same patterns)

·       Lawsuits are coming, including legal/regulatory fallout yet to be uncovered

Considerations and Countermeasures

·       Isolate or block traffic; otherwise, disconnect the SolarWinds system from the rest of the network

·       Take forensic evidence from the SolarWinds system

·       Start threat hunting (and anomaly analysis) dating back to March 2020

·       Remove all accounts in scope of the compromise

·       Review other network management tools and evaluate with caution, e.g. access level and access to the management interface
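An added example (not from the original post): a small Python threat-hunting helper that scans DNS query logs for lookups of the avsvmcloud.com domain named above, limited to the hunt window starting March 2020. The log format, the sample lines and the label-aware subdomain matching are constructed assumptions.

```python
"""Threat-hunt helper (added example, not from the original post).

Scans DNS query logs for resolution attempts of avsvmcloud.com, the C2
domain named in the notes, within the hunt window starting March 2020.
Log format and sample lines are constructed assumptions: one record per
line, "<ISO-8601 timestamp> <client IP> <queried name>".
"""
from datetime import datetime, timezone

C2_DOMAIN = "avsvmcloud.com"  # domain from the notes (later taken over by Microsoft)
HUNT_START = datetime(2020, 3, 1, tzinfo=timezone.utc)  # hunt back to March 2020

# Constructed sample log: one host queries C2 before and inside the window,
# one host queries the apex domain, one queries a look-alike that must NOT match.
SAMPLE_DNS_LOG = """\
2020-02-20T09:15:02Z 10.1.4.22 abc123.avsvmcloud.com
2020-04-03T11:02:44Z 10.1.4.22 update.example.net
2020-05-12T03:41:10Z 10.1.4.22 def456.avsvmcloud.com
2020-06-01T22:17:59Z 10.1.9.7 avsvmcloud.com
2020-06-02T08:00:00Z 10.1.9.8 notavsvmcloud.com
"""

def matches_domain(name: str, domain: str) -> bool:
    """True when name is the domain itself or a subdomain of it (label-aware,
    so a look-alike such as 'notavsvmcloud.com' does not match)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def hunt_dns_log(log_text: str, hunt_start=HUNT_START, domain=C2_DOMAIN):
    """Return {client_ip: [timestamps]} for C2 lookups at/after hunt_start.
    Malformed lines are skipped rather than aborting the hunt."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts_str, client, qname = parts
        try:
            ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        except ValueError:
            continue
        if ts < hunt_start or not matches_domain(qname, domain):
            continue
        hits.setdefault(client, []).append(ts_str)
    return hits

if __name__ == "__main__":
    for host, when in hunt_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(when)} C2 lookup(s), first at {when[0]}")
```

Lookups made after Microsoft's takeover of the domain still mark a host that is beaconing, so late hits are just as relevant as early ones.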
