Security Threat Alert: SolarWinds Orion Compromise

The Threat: SolarWinds Orion has been compromised.

Confidence: High |  Severity: High | Breadth: High

SolarWinds Orion Experienced a Supply Chain Attack That Has Exposed Customers' Network Management Systems

A supply chain attack is one in which the threat actor injects malicious code into a vendor's trusted code before it ships. Customers running that software receive the tampered code through the standard software update process, signed and delivered exactly like a legitimate release. Supply chain attacks often evade signature-based threat engines because, from the customer's point of view, they are legitimate, albeit compromised, updates from a trusted vendor.

Trojanized Orion updates began reaching customers in March 2020, and the operation has been publicly attributed to the Russia-based group "Cozy Bear" (also tracked as APT29). Because SolarWinds Orion has a very large install base, the exposure from this attack is correspondingly large.

Orion runs with the elevated privileges it needs to monitor and manage a network, so the backdoored software handed the attackers those privileges on the Orion server. From there they could create credentials of their own, giving them "trusted" access to customer networks and systems that no longer depended on the original backdoor.

Complicating matters, SolarWinds recommended in its own service advisory that its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions. Customers who followed that advice had excluded from scanning precisely the directories where the tampered code was installed.

This compromise has been heavily reported in the press, and numerous threat research teams, including those at Cisco, Microsoft and the United States Department of Homeland Security, have offered commentary on the attack and its consequences. A list of indicators of compromise and recommended system-level changes can be found on the Cisco Talos Intelligence blog: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html

According to industry experts, this attack was very sophisticated and hard to identify. Part of the difficulty is that a network management server legitimately talks to nearly everything on the network, so its own outbound traffic is rarely scrutinized. To find an attack like this, a typical infosec team would need either to monitor all outbound connections from on-premises vendor tools and deeply inspect that traffic, or simply to block all outbound connections from those tools except to specifically defined IPs during specific maintenance windows.

Given the level of access this compromise provides, its severity is high and it requires immediate action.

In alignment with the federal government’s guideline to look for indicators of compromise in SolarWinds environments, Cerium Networks recommends and can assist you in the following ways:

Identify if data is being exfiltrated
Leverage Cisco Umbrella

While firewalls apply explicit ACLs and web proxies inspect ports 80/443, Umbrella looks at all traffic regardless of port. Most threats rely on DNS to locate their command-and-control infrastructure. Umbrella will quickly identify hosts making questionable connections and help you ascertain whether your environment has been affected by attacks such as the SolarWinds compromise.
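The two controls described above (egress allow-listing for on-premises vendor tools, with exceptions only to defined IPs in defined windows, and DNS-layer visibility into what a host is trying to resolve) can be demonstrated with a small review script. The following is an added example written for this page; it is not code from Cerium, Cisco or SolarWinds. The log format, the host name orion-srv01, the vendor network 198.51.100.0/24, the name updates.vendor.example and the 02:00 to 04:00 UTC update window are all constructed assumptions; the internal 10.0.0.0/8 range stands in for the hosts the management server is allowed to poll.

```python
"""
Egress allow-listing and DNS review for an on-premises management server.

Added example (not vendor code). Every outbound connection and DNS lookup
recorded for the monitoring host is compared against an allow-list of
vendor destinations plus an update window; anything else is flagged.
All addresses, names and log lines are constructed (RFC 5737 / RFC 2606).
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed policy: the only destinations the management server may reach.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]         # internal hosts it monitors (assumed)
ALLOWED_VENDOR_NETS = [ip_network("198.51.100.0/24")]  # vendor update mirror (assumed)
ALLOWED_DOMAINS = {"updates.vendor.example"}          # vendor update host name (assumed)
UPDATE_WINDOW = (time(2, 0), time(4, 0))             # vendor contact allowed 02:00-04:00 UTC


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str            # "conn" (outbound connection) or "dns" (name lookup)
    target: str          # destination IP for conn, queried name for dns
    port: Optional[int]  # destination port for conn, None for dns


def parse_line(line: str) -> Event:
    """Parse one constructed log line:
    '<iso-ts> <host> conn dst=<ip>:<port>'  or  '<iso-ts> <host> dns qname=<name>'."""
    ts_s, host, kind, rest = line.split(maxsplit=3)
    ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
    _key, _, value = rest.partition("=")
    if kind == "conn":
        ip, _, port = value.rpartition(":")
        return Event(ts, host, kind, ip, int(port))
    if kind == "dns":
        # Normalise: strip trailing dot, lower-case, so allow-list matching is exact.
        return Event(ts, host, kind, value.rstrip(".").lower(), None)
    raise ValueError(f"unknown event kind: {kind}")


def in_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the vendor update window (UTC)."""
    start, end = UPDATE_WINDOW
    return start <= ts.astimezone(timezone.utc).time() < end


def domain_allowed(name: str) -> bool:
    """Exact match or subdomain of an allow-listed vendor name."""
    return any(name == d or name.endswith("." + d) for d in ALLOWED_DOMAINS)


def evaluate(ev: Event) -> Optional[str]:
    """Return None when the event is permitted, otherwise a reason for review."""
    if ev.kind == "dns":
        if domain_allowed(ev.target):
            return None
        return f"DNS lookup of non-allow-listed name {ev.target}"
    ip = ip_address(ev.target)
    if any(ip in n for n in ALLOWED_NETWORKS):
        return None                                   # normal monitoring traffic
    if any(ip in n for n in ALLOWED_VENDOR_NETS):
        if in_window(ev.ts):
            return None                               # vendor contact, at the agreed time
        return f"vendor destination {ip}:{ev.port} outside update window"
    return f"outbound connection to unknown destination {ip}:{ev.port}"


def review(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every log line through the policy and collect (timestamp, host, reason)."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        reason = evaluate(ev)
        if reason:
            findings.append((ev.ts.isoformat(), ev.host, reason))
    return findings


# Constructed sample log for the management server.
SAMPLE_LOG = [
    "2020-12-14T03:10:00Z orion-srv01 conn dst=10.0.5.20:161",              # SNMP poll, internal
    "2020-12-14T03:11:00Z orion-srv01 dns qname=updates.vendor.example.",   # allowed vendor name
    "2020-12-14T03:11:01Z orion-srv01 conn dst=198.51.100.7:443",           # vendor, inside window
    "2020-12-14T13:05:00Z orion-srv01 conn dst=198.51.100.7:443",           # vendor, outside window
    "2020-12-14T13:06:00Z orion-srv01 dns qname=7f3a9c.cdn-host.example.",  # unknown name
    "2020-12-14T13:06:02Z orion-srv01 conn dst=203.0.113.45:443",           # unknown destination
]

if __name__ == "__main__":
    for ts, host, reason in review(SAMPLE_LOG):
        print(ts, host, reason)
```

Run against the sample log, the first three lines pass and the last three are flagged: a vendor destination contacted at the wrong time, a lookup of a name nobody allow-listed, and a direct connection to an address outside every permitted range. The point of the window check is that "allowed vendor IP" is not enough on its own; a management server talking to its update mirror at 13:05 on a weekday is exactly the kind of legitimate-looking egress this attack depended on. In production the allow-list and window would come from change records rather than constants, and the DNS side would be fed by a resolver log or a DNS-layer service such as the one described above.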

Identify non-standard files, behaviors and take forensic snapshots of compromised hosts
Leverage Cisco Secure Endpoint (formerly AMP for Endpoints)

CSE's threat engines can look for memory-resident malware, look for behaviors that align with known threat behaviors, map questionable activity to the MITRE ATT&CK framework and look for malicious payloads inside your environment. Further, it can use its Orbital engine, built on osquery, to take forensic snapshots of targeted systems. Upon discovery, remediation can occur based on policy or through manual intervention.

Leverage Cisco Network and Workload Analytics

Cisco's Network Analytics can quickly be deployed to evaluate encrypted and unencrypted traffic flows, identify non-standard flows, match flows against known indicators of compromise and geolocate the source and destination of those flows. Cisco Workload Analytics goes deeper into the workload itself, examining its behavior to identify non-standard system reads and writes and unusual port and protocol usage. For heavily compromised systems, analytics can help you separate nefarious behavior from the normal activity of trustworthy assets.

Ensure the trustworthiness of your users
Leverage Duo by Cisco

Multi-factor authentication is critical to establishing the identity of your users. In the SolarWinds compromise there have been instances where a customer's MFA secret store was accessed, so standing up a new MFA environment (with fresh secrets) may be prudent, and deploying MFA is critical if it is not already in production.

Cerium Networks can assist you in obtaining and deploying a free trial of Umbrella, Cisco Secure Endpoint, Cisco Network Analytics and/or Duo to help you validate the integrity of your environment.
