Earlier this month, we learned that the SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1*, released between March 2020 and June 2020, were compromised by an advanced persistent threat actor (or APT). The perpetrators of this sophisticated attack implanted a Trojan into a legitimate update to the Orion Platform that was released in March. Once the Trojan was activated, it allowed the threat actor to not only have high level credentials into the Orion Platform, but to potentially move across other areas of the compromised target’s network and systems.
Until recently, the SolarWinds’ site listed representative clients, including such companies as CISCO, AT&T, Ford Motor Company and all five top US accounting firms, to name a few. Its federal (government) clients include all five branches of the US Military, the US Pentagon, State Department, the Treasury Department, NASA, and NSA. Many local governments also use SolarWinds’ products.
If a firm was using the impacted SolarWinds Orion platform, that does not necessarily mean that the malware had been activated. DHS and CISA both recommend that businesses concerned that they may have been impacted should:
- Mirror impacted systems to preserve forensic data for further investigation
- Deactivate the platform
- Retain the services of a firm with expertise in cyberthreat hunting to actively look for anomalies in the business’ systems and networks
- Change all passwords and account credentials
- Implement multifactor authentication
- For firms currently using 128-bit encryption, upgrade to 256-bit encryption
- To the extent that the Orion Platform was part of an entity’s cyber risk management strategy, alternative processes and procedures should be implemented.
It is important to follow specific steps in working to investigate, eradicate and rebuild/restore impacted systems.
Please see the CISA website for the most up to date guidance and information. As of, December 23, 2020, this link provides the most up-to-date information from CISA: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA
While SolarWinds released two hot patches the week of December 14, 2020, as of the day of this writing, DHS and CISA continue to recommend that firms exercise caution in applying the patches and restoring or continuing to run the Orion Platform. Note also that FireEye released a kill switch that was reported to stop the continued attack. However, impacted entities will have a long road to restore impacted systems and determine what was already compromised.
However, over this past weekend, a further vulnerability in SolarWinds’ Orion product was reported by Carnegie Mellon. The report indicated that the Orion API authentication bypass can allow a hacker to remotely execute commands. While there is a patch available to address this, we recommend caution still as further vulnerabilities in the product may come to light in the coming weeks.
Rumors were circulating last week that Microsoft’s cloud environment had been compromised, too, as a result of the Orion Trojan. CISA and DHS explained in a briefing on Friday, December 18, 2020, that Microsoft Cloud was not compromised. However, the Trojan hidden in the Orion March 2020 upgrade allowed the bad actors to steal credentials to impacted entities’ other accounts – including Microsoft Cloud access credentials. With the legitimate (stolen) credentials, the bad actors were able to access data in entities’ Microsoft cloud accounts.
Potentially impacted firms are advised to examine their active directories in their Microsoft account for anomalous activity.
Business emails of high level officials and roles within an organization have been observed as particular targets of the APT. As such, refresher training of personnel to heighten awareness of business email compromises are in order.
Even if your entity was not running one of the impacted products, check with key vendors to ascertain whether they were impacted. If so, either their access to your systems may have been compromised and/or their ability to provide their services to your organization may be impacted.
If you have questions regarding the foregoing, or would like referrals to additional resources, please contact your attorney or the author of this blog post, Michelle A. Schaap of Chiesa Shahinian & Giantomasi PC.
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432