UPDATE 12-18-20 – There have been reports that the hackers behind the Solar Winds intrusion used other attack vectors to break into companies’ networks. Brian Krebs is reporting that one additional vector is the VMware flaw in Workspace ONE, which the NSA reported on December 7th was being exploited by Russian state hackers. Credit: Brian Krebs
UPDATE 12-17-20 PM – Microsoft says that it has identified 40+ customers who have been compromised by the Solar Winds hack. These were detected by Microsoft’s Windows Defender software, now that indicators of compromise are available. Microsoft is in the process of notifying each of them. While 80% of the victims were in the U.S., the rest were in Canada, Mexico, Belgium, the UK, Israel, and the UAE. Russia really did cast a wide net. Credit: ZDNet
UPDATE 12-17-20 – See today’s blog post here for today’s update.
UPDATE 12-16-20 PM – FireEye has identified a “kill switch” for the Sunburst malware (the malware that launches the attack through the Solar Winds software) which, UNDER THE RIGHT CONDITIONS, stops it from running, but it will not help systems that are already infected. Solar Winds issued a “hot fix” today, but again, it will not protect already infected systems. The Feds have stood up their incident response process, called a Unified Coordination Group. Everything here tells us this is bigger than we have been told. Credit: Dark Reading
UPDATE 12-16-20 – A number of sources are reporting that security researcher Vinoth Kumar warned Solar Winds last year that their update server could be accessed using the password SolarWinds123. This password was exposed in Solar Winds’ public Git repository. So, in addition to picking a stupid password, they exposed it publicly. He said they fixed the issue and replied to him in November. Apparently, the problem existed for over a year before they fixed it. Maybe this played a role in the attack and maybe not.
In addition, Reuters is reporting that multiple criminals on underground forums had offered to sell access to SolarWinds’ computers. Credit: The Register
UPDATE 12-15-20 – The government has added two more agencies to the list of federal government departments that the Russians hacked and those are the State Department and the National Institutes of Health. The Telegraph is reporting that the British government is looking to see if the Russians attacked them also.
UPDATE 12-14-20 – DHS released the first 2021 emergency cyber directive, 21-01 (maybe it is fiscal year 2021?). It requires all agency heads to take a number of actions, including forensically imaging systems and analyzing network traffic, if they have that skill. Whether or not the agency can do that, they are ordered to POWER DOWN or DISCONNECT FROM THE NETWORK all Solar Winds systems running the affected/infected versions of the software and wait for instructions from CISA on how to REBUILD or crush these systems; to block ALL TRAFFIC, in and out, to all Solar Winds systems; and, by 12 noon today, to provide a sit-rep to CISA, along with other actions. Read the details here. IT ALSO REQUIRES THE AGENCIES TO ASSUME THAT ALL SYSTEMS MONITORED BY SOLAR WINDS ARE COMPROMISED, REBUILD THEM AND RESET ALL PASSWORDS.
UPDATE 12-13-20 – The CEO of Solar Winds says that their current understanding is that likely 18,000 enterprises have been infected and compromised by the Russians. Whether the Russians have been able to harvest all of that goodness is unknown. For now.
UPDATE: (This one is moving quickly)
Solar Winds CEO says that this attack was done by subverting their software update process and FireEye says the exploit is rampant, not targeted as previously stated. Credit: The Register
One of the things that drives me crazy about alerts that come from the government is that sometimes they are so generic that you don’t understand their severity. I actually deleted this one and had to retrieve it after I understood what was happening.
IMPORTANT NOTE: THIS ONLY AFFECTS SOLAR WINDS ORION CUSTOMERS. OTHER SOLAR WINDS CUSTOMERS ARE IN THE CLEAR
DHS’s CISA put out the seemingly benign alert that says:
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures: Link to the alert is here
What is important but missing from this announcement is that the feds think that Russia used this bug to compromise the Treasury Department, Commerce Department and possibly other agencies including the FBI.
It is also likely that we will hear about more federal agencies being compromised, possibly this week (credit: USAToday).
Chris Krebs, former director of CISA tweeted:
If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this. (credit: Twitter)
Suffice it to say, if you are an Orion customer, you should upgrade as soon as you can and start looking for signs of compromise.
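The first practical step for an Orion shop is simply knowing which of your servers sit inside the version window CISA names (2019.4 through 2020.2.1, inclusive). The script below is an added example, not something from Solar Winds, CISA or FireEye; it parses Orion version strings as they typically appear in an inventory export (a year.minor.patch base, optionally followed by an "HF" hotfix number) and triages a constructed host list against that range. The hostnames and versions are made up. It deliberately does not use the hotfix suffix to clear a host: a hotfix on an affected base version is still flagged, so the check errs toward a false positive rather than quietly excusing a server the vendor advisory has not cleared.

```python
import re
from typing import List, Optional, Tuple

# Inclusive version window taken from the CISA alert quoted above.
AFFECTED_FIRST = (2019, 4, 0)
AFFECTED_LAST = (2020, 2, 1)

# Matches e.g. "2020.2.1", "2019.4", "2019.4 HF5", "2020.2.1 HF1" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (year, minor, patch, hotfix) for an Orion version string, or None if it cannot be parsed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected_version(text: str) -> Optional[bool]:
    """True if the base version (year.minor.patch) lies in the affected range, False if outside,
    None if the string is unparseable. The hotfix number is parsed but intentionally ignored,
    so "2020.2.1 HF1" is still reported as affected (conservative by design)."""
    parsed = parse_orion_version(text)
    if parsed is None:
        return None
    base = parsed[:3]
    return AFFECTED_FIRST <= base <= AFFECTED_LAST


# Constructed sample inventory (hostnames and versions are invented for this example).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-prod-02", "2019.4 HF5"),
    ("orion-lab-01", "2018.4"),
    ("orion-dr-01", "2020.2.1 HF1"),
    ("orion-old-01", "2019.2"),
    ("orion-unknown", "n/a"),
]


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (affected, clear, unknown) hostname lists.
    Unknown hosts must be checked by hand; they are never silently treated as clear."""
    affected: List[str] = []
    clear: List[str] = []
    unknown: List[str] = []
    for host, version in inventory:
        verdict = is_affected_version(version)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
        else:
            clear.append(host)
    return affected, clear, unknown


if __name__ == "__main__":
    hit, miss, check = triage(SAMPLE_INVENTORY)
    print("Assume compromise, activate incident response:", hit)
    print("Outside the stated version range:", miss)
    print("Version unknown, verify manually:", check)
```

Feed it your real export in place of SAMPLE_INVENTORY; anything that lands in the "affected" bucket is where Chris Krebs's advice above applies, and anything in "unknown" is a gap in your asset inventory that needs closing before you can say you are clear.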