The Threat: SolarWinds Orion has been compromised.
Confidence: High | Severity: High | Breadth: High
SolarWinds Orion Experienced a Supply Chain Attack That Has Exposed Customers' Network Monitoring and Management Systems
A supply chain attack is one in which the threat actor injects malicious code into a vendor's trusted code base or build process. Customers running that software receive the affected code through the vendor's standard software update process. Supply chain attacks often evade signature-based threat engines because the payload arrives as a legitimate, albeit compromised, update from a trusted vendor; in this case the trojanized update was signed with SolarWinds' own code-signing certificate.
Trojanized Orion updates were distributed starting in March 2020, and the attack appears linked to the Russia-based group "Cozy Bear" (APT29). Because of the large install base of SolarWinds Orion, the exposure from this attack is broad.
Orion typically runs under highly privileged service accounts with broad reach into the network it monitors. Through the backdoored software, the attackers inherit those privileges and can use them to create their own accounts and credentials, giving them "trusted" access to customer networks and systems that is hard to distinguish from legitimate administration.
Complicating detection is that SolarWinds recommended, in its own service advisory, that its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions, so the malicious component sat in directories that many customers had already excluded from endpoint scanning.
This compromise has been heavily reported in the press, and numerous threat research teams from the likes of Cisco, Microsoft and the United States Department of Homeland Security have offered commentary on the attack and its consequences. A list of indicators of compromise and recommended system-level changes can be found on the Cisco Talos Intelligence blog: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
According to industry experts, this attack was very sophisticated and hard to identify. The backdoor beaconed out from the Orion server itself, so to find it the typical infosec team would have needed either to monitor all outbound connections from all on-premises vendor tools and deeply inspect that traffic, or simply to block all outbound connections from these tools except to specifically defined destinations at specific times (for example, the vendor's update servers during a maintenance window) and alert on anything else.
Because the compromised component holds privileged access to the network, the severity of this compromise is high and it requires immediate action.
In alignment with the federal government's guidance (CISA Emergency Directive 21-01) to look for indicators of compromise in SolarWinds environments, Cerium Networks recommends, and can assist you with, the following:
Identify if data is being exfiltrated
Leverage Cisco Umbrella
While firewalls enforce explicit ACLs and web proxies inspect ports 80/443, Umbrella inspects DNS requests, which precede connections on any port. The majority of malware, including the SolarWinds backdoor, resolves its command-and-control infrastructure through DNS. Umbrella will quickly identify hosts making questionable lookups and help you ascertain whether your environment has been affected by attacks such as the SolarWinds compromise.
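The two detection approaches above (a strict egress allow-list for vendor tools, and watching the DNS lookups those tools make) can be expressed as a small piece of detection logic. The following is an added example written for this page, not code from the original advisory and not part of Umbrella or any Cisco product. It assumes a DNS query log in the format "<ISO-8601 UTC time> <client_ip> <query_name> <qtype>", a constructed set of sample log lines, assumed Orion host addresses and allow-list entries, and the avsvmcloud.com domain as published in the SUNBURST reporting linked above (the subdomain label in the sample is constructed).

```python
from datetime import datetime
from typing import Optional

# Constructed sample DNS log lines (not real customer data).
# Assumed format: "<ISO-8601 UTC time> <client_ip> <query_name> <qtype>"
SAMPLE_DNS_LOG = """\
2020-12-14T02:11:03Z 10.1.5.20 downloads.solarwinds.com A
2020-12-14T02:11:09Z 10.1.5.20 api.solarwinds.com A
2020-12-14T02:12:41Z 10.1.5.20 k0v1c2t3i4m5l6a7b8e9.appsync-api.us-west-2.avsvmcloud.com A
2020-12-14T02:13:02Z 10.1.5.20 time.windows.com A
2020-12-14T02:13:30Z 10.1.7.44 www.example.com A
2020-12-14T14:05:17Z 10.1.5.20 downloads.solarwinds.com A
2020-12-14T14:06:44Z 10.1.5.20 files.example-cdn.net A
"""

# Hosts running SolarWinds Orion (assumed addresses for this example).
ORION_HOSTS = {"10.1.5.20"}

# Egress allow-list for Orion hosts: domain suffix -> permitted UTC hour window
# (start inclusive, end exclusive), or None for "any time". Assumed values.
EGRESS_ALLOW = {
    "solarwinds.com": (1, 5),  # vendor update traffic only in the maintenance window
    "windows.com": None,       # time sync / Windows Update, any time
}

# Domain published as SUNBURST command-and-control infrastructure
# (see the FireEye and Cisco Talos reporting linked above).
KNOWN_C2 = {"avsvmcloud.com"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"time": when, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def matches_suffix(qname: str, suffixes) -> Optional[str]:
    """Return the matching suffix for qname, honouring label boundaries
    (so 'notavsvmcloud.com' does NOT match 'avsvmcloud.com')."""
    for s in suffixes:
        if qname == s or qname.endswith("." + s):
            return s
    return None


def classify(rec: dict) -> Optional[str]:
    """Return a finding type for a lookup from an Orion host, or None if allowed.
    Known C2 wins over the allow-list; allow-listed suffixes are further
    restricted to their time window."""
    if rec["client"] not in ORION_HOSTS:
        return None
    if matches_suffix(rec["qname"], KNOWN_C2):
        return "KNOWN_C2"
    allowed = matches_suffix(rec["qname"], EGRESS_ALLOW)
    if allowed is None:
        return "UNEXPECTED_EGRESS"
    window = EGRESS_ALLOW[allowed]
    if window is not None and not (window[0] <= rec["time"].hour < window[1]):
        return "OUTSIDE_WINDOW"
    return None


def analyze(log_text: str) -> list:
    """Run classify() over every parsable line; return (finding, client, qname) triples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            findings.append((kind, rec["client"], rec["qname"]))
    return findings


if __name__ == "__main__":
    for kind, client, qname in analyze(SAMPLE_DNS_LOG):
        print(f"{kind:18} {client:12} {qname}")
```

Run against the sample log, the script reports three findings from the Orion host: the lookup of the published C2 domain, a vendor update lookup outside the maintenance window, and an unlisted destination. The non-Orion client's lookup is ignored because the allow-list is scoped to the vendor tool, which is what keeps the alert volume manageable.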
Identify non-standard files and behaviors, and take forensic snapshots of compromised hosts
Leverage Cisco Secure Endpoint (FKA AMP for Endpoints)
CSE's threat engines can look for memory-resident malware, look for behaviors that align with known threat behaviors, map questionable activity to the MITRE ATT&CK framework and look for malicious payloads inside your environment. Further, it can leverage Orbital, its osquery-based engine, to take forensic snapshots of targeted systems (running processes, loaded modules, open network sockets and file hashes). Upon discovery, remediation can occur based on policy or through manual intervention.
Leverage Cisco Network and Workload Analytics
Cisco Network Analytics can be deployed quickly to evaluate encrypted and unencrypted traffic flows, identify non-standard flows and flows that map to known indicators of compromise, and geolocate the source and destination of those flows. Cisco Workload Analytics goes deeper into the workload itself, examining its behavior to identify non-standard system reads/writes and port/protocol usage. For heavily compromised systems, analytics can help you identify nefarious behavior originating from otherwise trustworthy assets.
Ensure the trustworthiness of your users
Leverage Duo by Cisco
Leveraging multi-factor authentication is critical to ensuring the identity of your users. The SolarWinds compromise has seen instances where a customer's MFA secret store was accessed; where that is suspected, standing up a new MFA environment with freshly generated secrets may be prudent, and if MFA is not yet in production, deploying it is critical.
Cerium Networks can assist you in obtaining and deploying a free trial of Umbrella, Cisco Secure Endpoint, Cisco Network Analytics and/or Duo to help you validate the integrity of your environment.