No one wants to be the next SolarWinds. The SolarWinds attack was methodical and well planned, but at the end of the day defending against it comes down to implementing and governing best security practices. And, yes, most companies are not equipped or prepared for an attack of this type or for this degree of planning. The Russian group Cozy Bear is believed to have executed this software supply-chain attack.
In case you haven’t heard, malicious actors hacked into the IT company SolarWinds and used its software update channel to push malicious updates to 18,000 of its Orion platform customers. This scenario is referred to as a supply-chain attack and is perhaps the most impactful and difficult type to detect, because it relies on software that is already trusted and that can be distributed widely at once. We know the attack currently affects SolarWinds, but its full scope is not yet known to the security community.
As a result, the suspected hacker group Cozy Bear, believed to be affiliated with the Russian government, gained access to computer systems belonging to multiple US government departments, including the US Treasury and Commerce Departments, in a long-term compromise believed to have started back in March. The resulting news and media coverage triggered an emergency meeting of the US National Security Council on Saturday. SolarWinds customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.
So, regardless of whether you use SolarWinds, we recommend as best practice that your organization immediately take the following actionable steps for your environment(s):
• Perform a full scan of all endpoints in your environment and review the results for any detections named Backdoor.Sunburst or Backdoor.WebShell.
• Review the Indicators of Compromise (IoCs) at the end of this article and search for them in your logs and any other SIEM data you collect, so you can accurately establish the timeline of any potential intrusion.
• Conduct a comprehensive security risk assessment to review and harden your physical and cloud infrastructure.
• If your organization uses the Orion platform, immediately upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2 and restore systems once you are confident in the results of the steps outlined above.
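The second step above (sweeping logs and SIEM data for the published IoCs to establish an intrusion timeline) can be scripted. The following is an added example, not code from the original article or from SolarWinds, FireEye or Microsoft: the indicator values and log lines are constructed placeholders, and the real IoC list referenced at the end of this article should be substituted before running it against production data.

```python
import re
from datetime import datetime

# Constructed placeholder IoCs (NOT real SUNBURST indicators). Replace with the
# FireEye/Microsoft-published list before sweeping production logs.
IOCS = {
    "domain": {"placeholder-c2.example", "placeholder-dga.example"},
    "sha256": {"0" * 64},  # placeholder hash value
}

# Constructed sample log lines (syslog-style, ISO-8601 UTC timestamp first).
SAMPLE_LOGS = [
    "2020-03-28T02:11:09Z dns host=orion01 query=api.placeholder-c2.example rcode=NOERROR",
    "2020-04-02T09:45:13Z edr host=ws17 event=file_create sha256=" + "0" * 64,
    "2020-04-02T09:46:00Z dns host=ws17 query=updates.vendor.example rcode=NOERROR",
    "malformed line without a timestamp query=placeholder-dga.example",
    "2020-03-27T23:59:59Z proxy host=orion01 url=https://sub.placeholder-dga.example/",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)


def parse_ts(line):
    """Return a datetime for the line, or None if it has no usable timestamp."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None


def find_ioc_hits(lines, iocs=IOCS):
    """Return (timestamp, ioc_type, ioc_value, line) for every IoC match.
    Domains match the indicator itself or any subdomain of it."""
    hits = []
    for line in lines:
        ts = parse_ts(line)
        for h in HASH_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((ts, "sha256", h.lower(), line))
        for name in HOST_RE.findall(line):
            name = name.lower()
            for ioc in iocs["domain"]:
                if name == ioc or name.endswith("." + ioc):
                    hits.append((ts, "domain", ioc, line))
    return hits


def intrusion_window(hits):
    """Earliest and latest timestamped hit; untimestamped hits are kept in
    the hit list for triage but cannot anchor the timeline."""
    stamped = sorted(h[0] for h in hits if h[0] is not None)
    return (stamped[0], stamped[-1]) if stamped else None
```

Note that the earliest hit here comes from a proxy log, not DNS, which is why the sweep should cover every log source the SIEM collects rather than one data type.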
To discuss the scope of your security risk assessment and pricing, please contact us at either email@example.com or 813-616-5101.
Indicators of Compromise (IOCs)
This list has been put together from several sources. Kudos to FireEye and Microsoft for sharing IOCs and TTPs so quickly.
Additional hunting rules: https://github.com/fireeye/sunburst_countermeasures/tree/main/rules