Major Software Supply Chain Attack

December 14, 2020 CyberCecurity Leave a comment

Solar Winds Software Compromised – Potentially 18,000 Enterprises Affected

Last week FireEye filed a report with the SEC saying that they had been hacked – by Russia and not China – and that the hackers got away with FireEye’s entire suite of offensive hacking tools. This is not exactly what you would want your adversary to have, but I kind of filed that away in the “interesting” category.

Over the weekend, I heard that the National Security Council convened at the White House because, reports said, that hackers had compromised the email services (Office 365, but this is not Microsoft’s fault) at both Treasury and Commerce. Okay, this is getting a little more interesting.

Information came out late yesterday that the hackers had been inside the email and networks of these agencies for many months (6-9 months) undetected.

Then the bombshell hit. The CEO of Solar Winds, one of the biggest network monitoring tool companies in the industry, said that hackers had compromised their software update process and had, somehow, managed to get several malicious updates to the Solar Winds Orion software digitally signed and distributed to almost 20,000 companies including almost every federal government agency and 495 of the Fortune 500. Not a good thing.

Earlier today we sent out an alert to our customers giving them as many details as we had (the initial alert said the attack was tightly targeted and then the Solar Winds CEO blew up that theory).

Right now what we know is that multiple government agencies have been compromised and likely even more private companies have also been compromised. Now that this is public, likely more agencies and companies will admit that they have been compromised.

If you are running Solar Winds high end ORION product and you have support, meaning that you get software updates, or you downloaded a new version in 2020. YOU SHOULD ASSUME THAT YOU HAVE BEEN COMPROMISED.

Chris Krebs, former director of DHS’ CISA said “if you run this product, assume you have been compromised and stand up your incident response team”. Hopefully you have not been, but hope is not a strategy.

If you are running different Solar Winds products, at least based on what we know know, you are not at risk.

I have no evidence that the White House’s continuous downplaying of Russia as an adversary is the reason for this attack, but it likely made them more brazen. In a web briefing I just attended, the speaker said that the attack code did not even slightly try to hide itself, which is certainly an indication that they were not very worried. On the other hand, the communications from the infected systems to the command center, while not cloaked, was very minimal, indicating that the attacker was concerned that its communications could give it away.

I know I continue to harp on supply chain risk, but this is a perfect example of the problem and in this case, it likely caused major damage to the United States – both at the government level and the private industry level. If the Russians had months to wander through the files and email communications of more than 10,000 enterprises, that is a problem.

If you do not have supply chain risk on your radar, now would be a good time to add it.

If you have questions or concerns, please contact us.