SolarWinds Breach Disclosure

December 14, 2020 | 4 min read

BlueVoyant

By Milan Patel

Global Cyber Attack Update: What’s Going On?

Over the course of the last several days there has been a flurry of vendor announcements and media reports about what now appears to be a series of major, interrelated cyber attacks:

  1. On Dec. 8, 2020, FireEye disclosed it had been breached by what it described as a nation-state attacker who stole a number of proprietary tools that could be used to conduct new types of cyber attacks.
  2. Shortly after the FireEye announcement, multiple news agencies began reporting that both the U.S. Departments of Treasury and Commerce had been breached.
  3. Soon thereafter, SolarWinds, a large IT services provider, announced that they had been breached by what also appeared to be a nation-state actor.

Details continue to emerge about what exactly took place. Response teams from Microsoft, FireEye, SolarWinds, and multiple law enforcement agencies have determined that SolarWinds was breached by nation-state threat actors in early 2020. Upon breaching SolarWinds, the attackers made use of software development tooling to craft malicious updates to the SolarWinds Orion software suite, which were then provided to SolarWinds’ customers as part of a standard software update package. The number of impacted companies is unknown at this time, but is suspected to be in the thousands based on the known size of Solarwinds’ ​customer base​. Given the serious nature of this attack against U.S. government agencies, the Department of Homeland Security’s Cybersecurity, and Infrastructure Security Agency (CISA) has issued an emergency directive​ ordering all federal agencies to immediately disconnect SolarWinds’ Orion products from their networks.

What Should I Do Now?

A number of organizations, including BlueVoyant, have provided guidance on steps that you should take immediately in order to protect your company:

  • Immediately patch your SolarWinds applications with the most recent update.
    • If you are unable to patch these systems, disable the applications and the systems hosting them ​immediately​.
  • Ensure that all of your systems (especially critical infrastructure systems) have up-to-date antivirus installed.
  • Consider changing passwords for all of your accounts that have access to SolarWinds servers / infrastructure.
  • Follow the best practices of your identity provider in securing your SAML token signing keys. Consider hardware security for your SAML token signing certificates if your identity federation technology provider supports it. Consult with your identity federation technology provider for specifics.
  • Ensure that user accounts with administrative rights follow best practices, including the use of privileged access workstations, JIT/JEA, and strong authentication.
  • Reduce the number of users that are members of highly privileged directory roles, such as Global Administrator, Application Administrator, and Cloud Application Administrator.
  • Ensure that service accounts and service principals with administrative rights use high entropy secrets, like certificates, that are stored securely.
  • Monitor for changes to secrets used for service accounts and service principals as part of your security monitoring program.
  • Monitor for anomalous use of service accounts.
  • Monitor your sign-ins for anomalous activity.
  • Remove/disable unused or unnecessary applications and service principals.
  • Reduce permissions on active applications and service principals, especially application (AppOnly) permissions.

What Is BlueVoyant Doing for Our Customers?

  • FireEye has released an updated set of indicators and detection criteria to identify the presence of the malware deployed via SolarWinds (dubbed: “SunBurst”). We have integrated these indicators into our detection repository. These rules are available on FireEye’s GitHub repository.
  • We are actively reviewing historical client data to identify any interaction with known command and control infrastructure or backdoor deployment.
  • We are re-evaluating public and private documentation of methodologies employed by known espionage groups associated with the assumed nation state attacker out of an abundance of caution to ensure robust detections are in place and functional for all of our customers.
  • We have deployed the yara rules provided by FireEye in our threat intelligence infrastructure and third party tools to identify future variants and previously unknown samples of FireEye’s red team tools. Results from these persistent searches will be appended to our existing detection capabilities.
  • We have deployed EDR and SIEM hunt logic for our customers, as appropriate.

Bottom line: If you are a BlueVoyant customer, we have taken the necessary steps to ensure you are up to date and protected.

Where Can I Learn More?

BlueVoyant will publish additional details as they become available via our customer portal, blog and/or social media channels. In addition, you can also learn more by reading the following:FireEye:

Initial public breach announcement Details of stolen Red Team toolsIndicators and detection criteria to identify stolen tools in your environment

Research article: “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor"Microsoft:Article: “Customer Guidance on Recent Nation-State Cyber Attacks”Best practices for securing ADFS (Active Directory Federation Services)SolarWinds:

Security Advisory

Media & industry coverage

Associated Press

The Guardian

Krebs on Security

Milan Patel is the Global Head of Managed Security Services at BlueVoyant. Prior to joining the company, he served as the CTO of the FBI’s Cyber Division and as a Special Agent focused on investigating cyber crimes.