Hackers directed by a foreign nation-state, reportedly Russia, managed to use a vulnerability in a network monitoring program to launch cyberattacks against US government agencies and other organizations. The attackers took advantage of a flaw in the way updates are delivered to SolarWinds’ Orion network monitoring platform.
Due to the breach, the hackers were able to monitor internal email traffic at the US Treasury and Commerce departments, according to Reuters. Security firm FireEye, which itself was the target of a recent state-sponsored breach, said that the victims also included government, consulting, technology, and telecom firms, as well as other entities in North America, Europe, Asia, and the Middle East.
However, the number of affected organizations may be larger than reported as the SolarWinds Orion platform is a popular product among government agencies and Fortune 500 companies.
SolarWinds reported that the flaw affects Orion Platform builds for version 2019.4 HF 5, version 2020.2 with no hotfix installed, and version 2020.2 HF 1. If exploited, the vulnerability could allow an attacker to compromise the server on which the Orion products run.
In response, SolarWinds issued an advisory on Wednesday with several recommendations.
- Customers running the Orion Platform version 2020.2 with no hotfix or version 2020.2 HF 1 are urged to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible to ensure the security of your environment.
- Customers running Orion Platform version 2019.4 HF 5 are urged to update to 2019.4 HF 6.
- Further, the hotfix release 2020.2.1 HF 2 is available in the SolarWinds Customer Portal. SolarWinds advises all customers to update to release 2020.2.1 HF 2, as this hotfix version replaces the compromised component and offers additional security enhancements.
- Before you install the hotfix, you may need to synchronize your license. After the synchronization, you can then run the installer to apply the fix.
- SolarWinds provides steps for checking which version of Orion you currently run and which hotfixes you’ve applied, and an FAQ with further details on the vulnerability.
- Organizations that can’t immediately update to the latest version of the Orion platform should read SolarWinds’ page on Secure Configuration for the Orion Platform.
For organizations that want to protect themselves from similar exploits, security firm Cycode published a blog post on Tuesday offering lessons learned from the SolarWinds incident. Among other recommendations, Cycode advises you to harden your infrastructure’s access controls through the following five steps.
- Inventory your infrastructure assets.
- Ensure none of your pipeline services are publicly accessible.
- Audit all systems to remove default credentials.
- Require MFA for all users.
- Enforce least privilege policies across the entire process.
Tempered Networks recommendations
To help any organization bolster its security defenses, security firm Tempered Networks suggests a zero-trust approach.
“Organizations need to start thinking about a security methodology that relies less on blocking specific traffic by policy and actively moving towards a zero trust, positive security model that explicitly states which traffic between users and hosts can be allowed, or whitelisted,” Tempered Networks CTO Bryan Skene said in an advisory.
“They also need to be much more granular in network design, adopting microsegmentation techniques that can be implemented at scale,” Skene added. “Microsegmentation and zero trust security implementations limit internal damage and compromise when an attacker gains a foothold in the network. The specifically allowed access points and credentials can prevent the lateral spread for the attacker or malicious code.”
Skene also suggests a more streamlined approach to security.
“Perhaps the biggest obstacle to responding to an attack such as this SolarWinds vulnerability is the complexity and scale of our existing cybersecurity infrastructure,” Skene said.
“Layers of existing security policies, distributed to potentially hundreds of devices across a large organization, from different vendors and providing a myriad of security services, usually require weeks to update in the best of times,” he explained. “A clean, clear, centralized store of whitelist policies to access otherwise invisible network hosts and assets provides the most advanced and easy-to-manage infrastructure for organizations going forward.”
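The positive security model Skene describes can be made concrete as a small default-deny policy evaluator. The following Python is an added illustration, not code from Tempered Networks or from the article: the segments, addresses, rule names and observed flows are all constructed sample data. Traffic is allowed only when an explicit rule names the source network, destination network, port and protocol; everything else is denied, and an audit pass shows which recorded flows such a policy would have blocked, including a monitoring host reaching a file-sharing port it has no business touching.

```python
"""Default-deny flow evaluator illustrating an allow-list (positive security) model.

Added example, not from the article or Tempered Networks. All addresses,
segments and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    """One explicitly permitted flow: source network -> destination network on port/proto."""
    name: str
    src: str            # CIDR; use a /32 for a single host
    dst: str
    port: int
    proto: str = "tcp"

    def matches(self, src_ip: str, dst_ip: str, port: int, proto: str) -> bool:
        return (
            ip_address(src_ip) in ip_network(self.src)
            and ip_address(dst_ip) in ip_network(self.dst)
            and port == self.port
            and proto.lower() == self.proto
        )


class Policy:
    """Positive security model: a flow is allowed only if some AllowRule matches it."""

    def __init__(self, rules: Iterable[AllowRule]):
        self.rules = list(rules)

    def decide(self, src_ip: str, dst_ip: str, port: int,
               proto: str = "tcp") -> Tuple[str, Optional[str]]:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port, proto):
                return "ALLOW", rule.name
        return "DENY", None          # default deny: no matching rule, no traffic

    def audit(self, flows: Iterable[Tuple[str, str, int, str]]) -> List[Tuple[str, str, int, str]]:
        """Return the observed flows this policy would block (useful before enforcing it)."""
        return [f for f in flows if self.decide(*f)[0] == "DENY"]


# Constructed segments (hypothetical addresses, not from the article).
MONITORING_SERVER = "10.1.0.5/32"
MONITORED_HOSTS = "10.2.0.0/24"
ADMIN_WORKSTATIONS = "10.9.0.0/24"

POLICY = Policy([
    # The monitoring server may poll the hosts it manages over SNMP, nothing more.
    AllowRule("monitor-polls-snmp", MONITORING_SERVER, MONITORED_HOSTS, 161, "udp"),
    # Administrators may reach the monitoring console over HTTPS.
    AllowRule("admins-reach-console", ADMIN_WORKSTATIONS, MONITORING_SERVER, 443, "tcp"),
])

# Constructed observed flows, in the shape a network sensor might record them.
OBSERVED_FLOWS = [
    ("10.1.0.5", "10.2.0.10", 161, "udp"),   # expected SNMP poll
    ("10.9.0.7", "10.1.0.5", 443, "tcp"),    # admin opens the console
    ("10.1.0.5", "10.2.0.10", 445, "tcp"),   # monitoring host on SMB: no rule, denied
    ("10.1.0.5", "10.3.0.20", 161, "udp"),   # poll of a segment it is not allowed to see
]


if __name__ == "__main__":
    for flow in OBSERVED_FLOWS:
        print(flow, POLICY.decide(*flow))
    print("would be blocked:", POLICY.audit(OBSERVED_FLOWS))
```

Running `audit` over flows captured from the existing network before turning enforcement on is the practical first step: every denied flow is either a missing rule to add deliberately or exactly the kind of lateral traffic microsegmentation is meant to stop.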
Finally, FireEye has already taken measures of its own to try to block the actual malware that took advantage of the SolarWinds Orion flaw. Identifying this malware by the name Sunburst, a FireEye spokesperson said that the security firm was able to find a kill switch to prevent it from continuing to operate.
Working with GoDaddy and Microsoft, FireEye used the kill switch to deactivate and disable new and previous Sunburst infections and deployments. However, FireEye acknowledged that the attackers have been able to set up other means to access the networks of victims beyond the Sunburst backdoor. As such, the kill switch won’t remove the culprits from such networks but will make it harder for them to leverage previously distributed versions of Sunburst.