CISA: Threat actors behind SolarWinds hack pose ‘grave risk’ (updated)

The Cybersecurity and Infrastructure Security Agency (CISA) has warned the recent compromise by threat actors of SolarWinds poses a ‘grave risk’ to critical infrastructure, government and private sector organizations.

In response to the threat, the National Security Agency (NSA) also released a cybersecurity advisory on detecting abuse of authentication mechanisms.

The new alert follows a major supply chain attack on SolarWinds Orion Platform software earlier this week. It was later surmised that the SolarWinds compromise may have led to the breach of thousands of SolarWinds customers in the federal and private sectors.

CISA issued an update on the SolarWinds attack in a new Alert (AA20-352A) on December 17, 2020:

“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020.”

CISA also confirmed the ongoing threat poses a ‘grave risk’:

“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”

Moreover, the cybersecurity experts said the threat actor has “demonstrated sophistication and complex tradecraft in these intrusions.” The actors also possess a strong knowledge of how to exploit software supply chains and Windows networks.

Emergency Directive

On Sunday night, December 13, 2020, CISA issued Emergency Directive 21-01 in response to malicious actors exploiting SolarWinds Orion products:

“This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

SolarWinds also added new updates as of December 18 in a security advisory:

“SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to better ensure the security of your environment.”

SolarWinds also updated its list of affected products and confirmed which other products are not impacted by the threat.

SolarWinds customer victims

FireEye previously published a threat research report on the major SolarWinds attack this past Sunday. The security firm said they had discovered a “global intrusion campaign” and identified the bad actors as UNC2452.

FireEye said the supply chain attack trojanizes SolarWinds Orion business software updates and then distributes malware FireEye called “Sunburst.”

Five days later, the breadth and impact of the attack on SolarWinds customers continue to grow.

In a recent SEC filing, SolarWinds stated that, out of a customer base of 300,000, it believes “the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.”

In a blog post, Brad Smith, President of Microsoft, said the tech giant identified and notified more than 40 customers “that the attackers targeted more precisely and compromised through additional and sophisticated measures.”

The tech giant said nearly 80% of those victims are in the United States.

Microsoft and industry partners also helped take down domains the SolarWinds hackers used to escalate malware infections and claim new victims, according to a ZDNet report this past Wednesday.

Symantec also published new analysis of Teardrop, a second-stage malware that illustrates a post-compromise attack chain.

Symantec identified more than 100 of its customers that had received Trojanized SolarWinds software updates.

Politico also reported that the Energy Department and the National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, have “evidence that hackers accessed their networks as part of an extensive [SolarWinds] espionage operation.”

According to separate Forbes and Bloomberg reports, Cisco and Equifax have reported incidents involving the SolarWinds cyberattack. However, the impact of those malware infections may have been limited.

Key takeaways from attack

As part of the latest alert, CISA summarized the following key takeaways from the SolarWinds threat:

  • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
  • The SolarWinds Orion supply chain compromise is NOT the only initial infection vector this APT actor leveraged.
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.

The NSA also issued a new Cybersecurity Advisory for detecting and defending against the abuse of authentication mechanisms. This advisory describes “tactics, techniques and procedures” used by malicious cyber actors to gain unauthorized access to protected data in the cloud.

Update on December 19, 2020: This article includes new updates on affected SolarWinds Orion customers to include: Cisco, Equifax and the National Nuclear Security Administration (NNSA).

Update on December 19, 2020: CISA posted a new advisory on December 19, which includes new details on indicators of compromise (see the STIX file) and specific SolarWinds Orion mitigation steps.

For instance, the steps include taking forensic images of systems running SolarWinds Orion, disconnecting affected SolarWinds systems, blocking external traffic on affected systems, and removing compromised accounts, to name a few.

According to the new CISA advisory (AA20-352A), for all network devices (e.g., routers, switches, firewalls) managed by affected SolarWinds servers that also show ‘indications of additional adversary activity’, organizations should take the following steps:

  • Device configurations
    • Audit all network device configurations, stored or managed on the SolarWinds monitoring server, for signs of unauthorized or malicious configuration changes.
    • Audit the configurations found on network devices for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time.
  • Credential and security information reset
    • Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).
  • Firmware and software validation
    • Validate all network device firmware/software which was stored or managed on the SolarWinds monitoring server. Cryptographic hash verification should be performed on such firmware/software and matched against known good hash values from the network vendor. CISA recommends that, if possible, organizations download known good versions of firmware.
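One way to carry out the firmware validation step above, as an added example that is not from CISA, SolarWinds or the article: hash every image held on the monitoring server and compare it with a vendor-supplied sha256sum-style manifest. The manifest format, file names and file contents are constructed assumptions; a real check would use the digests published by the network vendor.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """sha256sum-style manifest ('<digest>  <filename>') -> {filename: digest}; bad lines raise."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed manifest line: {line!r}")  # fail loudly, never skip silently
        expected[parts[1].strip()] = parts[0].lower()
    return expected

def sha256_file(path, chunk=1 << 20):  # streamed so large images need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_images(image_dir, manifest_text):
    """Returns {filename: 'ok' | 'mismatch' | 'unlisted' | 'missing'}; only 'ok' images may be deployed."""
    expected = parse_manifest(manifest_text)
    results = {}
    for path in sorted(p for p in Path(image_dir).iterdir() if p.is_file()):
        want = expected.get(path.name)
        if want is None:
            results[path.name] = "unlisted"    # on the server, never listed by the vendor
        else:
            results[path.name] = "ok" if sha256_file(path) == want else "mismatch"
    for name in expected:
        results.setdefault(name, "missing")    # vendor lists it, server does not hold it
    return results

def demo():  # constructed sample: intact image, tampered image, unlisted file, absent image
    tmp = Path(tempfile.mkdtemp())
    good = b"constructed good image bytes"
    (tmp / "router-os-1.0.bin").write_bytes(good)
    (tmp / "switch-os-2.1.bin").write_bytes(b"constructed tampered bytes")
    (tmp / "extra.bin").write_bytes(b"not in manifest")
    manifest = ("# constructed vendor manifest, sha256sum format\n"
                f"{hashlib.sha256(good).hexdigest()}  router-os-1.0.bin\n"
                f"{'1' * 64}  switch-os-2.1.bin\n"      # vendor digest differs from what is on disk
                f"{'0' * 64}  firewall-os-3.0.bin\n")   # listed by vendor, not present on the server
    return verify_images(tmp, manifest)
```

Anything other than 'ok' (a mismatch, an image the vendor never listed, or a listed image that is absent) is a reason to discard the stored copy and re-download a known good version, as CISA recommends.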
