SolarWinds Trojan: Affected enterprises must use hot patches, isolate compromised gear

News Analysis
Dec 15, 2020
Network Monitoring, Networking, Security

SolarWinds is recommending that customers hit by the Trojan embedded in a version of its Orion network-monitoring platform update to a new release of the software as Microsoft, Cisco, others weigh in.


Hot patching and isolating potentially affected resources are on the IT response schedule as enterprises that employ SolarWinds Orion network-monitoring software look to limit the impact of the serious Trojan unleashed on the platform.

The supply-chain attack, reported early this week by Reuters and detailed by security researchers at FireEye and Microsoft, involves a sophisticated, potentially state-sponsored actor that gained access to a wide variety of government, public and private networks via Trojanized updates to SolarWinds’ Orion network monitoring and management software. This campaign may have begun as early as spring 2020 and is ongoing, according to FireEye and others.

“SolarWinds confirmed that less than 18,000 of its 300,000 customers have downloaded the compromised update,” stated researchers at Cisco’s security research arm Talos. “Still, the effects of this campaign are potentially staggering, with the company’s products being used by several high-value entities. Victims reportedly include government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports also indicate that the US Treasury and Commerce departments were also targeted in what is likely related to the same activity.”

In response to the attack, SolarWinds has issued one hot patch and another is expected today. As of this publication, SolarWinds stated: “An additional hotfix release, 2020.2.1 HF 2, is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release Orion Platform 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.”

“We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products and we have found no evidence that other versions of our Orion Platform products or our other products contain those markers. As such, we are not aware that other versions of Orion Platform products have been impacted by this security vulnerability. Other non-Orion Platform products are also not known by us to be impacted by this security vulnerability,” SolarWinds said in its advisory.

Experts say customers have a number of options in dealing with the Trojan. 

“Isolation is the strategy we are advocating to clients right now,” said John Pironti, president of the IP Architects consultancy. “Most of what SolarWinds does is monitoring, not necessarily a core network service, so isolating those resources is less impactful. The complication would be in enterprises that have deep automation features; that would be harder to isolate for longer periods of time.”

The problem is that hot fixes are not patches, Pironti said: there is going to be one today and maybe another on Friday, so enterprises have to keep making changes that might impact other resources. “What’s needed is a fully vetted patch.”

The government’s Cybersecurity and Infrastructure Security Agency took its warnings further by instructing federal agencies via Emergency Directive 21-01 to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.”

“Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally, agencies should block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed. In addition, identify and remove all threat actor-controlled accounts and identified persistence mechanisms.”

Other mitigations are also recommended. For example, Microsoft suggested:

  • Run up to date antivirus or EDR products that detect compromised SolarWinds libraries and potentially anomalous process behavior by these binaries. Consider disabling SolarWinds in your environment entirely until you are confident that you have a trustworthy build free of injected code.
  • Block known [command-and-control] endpoints in [indicators of compromise] using your network infrastructure.
  • Follow the best practices of your identity-federation technology provider in securing your SAML token signing keys. Consider hardware security for your SAML token signing certificates if your identity-federation technology provider supports it.
  • Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, JIT/JEA, and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles, like Global Administrator, Application Administrator, and Cloud Application Administrator.

CISA recommended “reimaging system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1, and analyze for new user or service accounts, as well as identifying the existence of ‘SolarWinds.Orion.Core.BusinessLayer.dll’ and ‘C:\WINDOWS\SysWOW64\netsetupsvc.dll’.” It also said to reset credentials used by SolarWinds software, implement a rotation policy for these accounts, and require long and complex passwords.
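The version range in Emergency Directive 21-01 (2019.4 through 2020.2.1 HF1) is easy to get wrong when an inventory mixes plain releases and hotfix builds. The following added example, which is not from the article or from CISA, parses Orion version strings into comparable tuples and flags which hosts the directive says to disconnect; the version-string format and the sample inventory are assumptions made for this example.

```python
import re

# Inclusive range CISA ED 21-01 told agencies to disconnect, as quoted in the
# article: 2019.4 through 2020.2.1 HF1. Tuples are (year, minor, patch, hotfix).
AFFECTED_LOW = (2019, 4, 0, 0)
AFFECTED_HIGH = (2020, 2, 1, 1)

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF 1", "2020.2.1 HF1" (case-insensitive).
# This format is an assumption for the example, not a SolarWinds specification.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.I)


def parse_orion_version(text):
    """Turn an Orion version string into a comparable (year, minor, patch, hf) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hf = m.groups()
    # A missing patch or hotfix component sorts below any explicit one.
    return (int(year), int(minor), int(patch or 0), int(hf or 0))


def is_affected(version_text):
    """True when the version falls inside the ED 21-01 disconnect range."""
    return AFFECTED_LOW <= parse_orion_version(version_text) <= AFFECTED_HIGH


def triage(inventory):
    """Map {hostname: version} to the action the directive implies for each host.

    Hosts in range are to be isolated (disconnected or powered down); hosts outside
    it are reported as such so they can be handled under the vendor advisory.
    """
    return {
        host: ("isolate per ED 21-01" if is_affected(ver) else "outside ED 21-01 range")
        for host, ver in inventory.items()
    }


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "npm-01": "2020.2.1 HF 1",
    "npm-02": "2019.4 HF 5",
    "npm-03": "2020.2",
    "lab-orion": "2019.2",
    "npm-04": "2020.2.1 HF2",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {SAMPLE_INVENTORY[host]:15s} -> {action}")
```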

Supply chain attacks are nothing new, though they are becoming more sophisticated and perhaps more damaging, Pironti said.

A recent article from CSO noted major cyber breaches caused by suppliers: the 2014 Target breach was caused by lax security at an HVAC vendor, and Equifax blamed its giant 2017 breach on a flaw in outside software it was using.

“Supply chain compromises can expose an organization’s internal networks and data, and prevention, detection, and mitigation require mature, cross-functional security capabilities,” said Matt Ashburn, Head of Strategic Initiatives for security vendor Authentic8, in a statement. “Mitigation and detection of supply chain threats require concerted coordination among traditionally disparate teams, including procurement, logistics, compliance, and security teams.”

Analysts with KuppingerCole suggested a strategic action plan for overall supply chain security. John Tolbert, lead analyst and managing director of KuppingerCole, said customers should start focusing on supply chain security, specifically:

  • Don’t whitelist security tools from anti-malware scans
  • Don’t whitelist purported IPs/URLs of security vendor clouds from NTA/NDR scans
  • Update business processes
  • Expect new regulations to address supply chain cybersecurity
  • Make threat hunting an ongoing activity (if you don’t have the tools for this, get them)
  • Avoid using passwords anywhere. Use multifactor authentication (MFA) wherever possible
  • Use privileged access management for all admin and service accounts