SUNBURST Vulnerability in SolarWinds Orion
The week before the holidays is normally a slower week for most organizations. It was anything but for IT personnel the week of December 13, 2020, when organizations were scrambling to triage the cybersecurity attack that has since been associated with a series of hashtags and names, including SUNBURST, Solorigate and SUPERNOVA. This article discusses what occurred, what steps should be taken (if you haven't already taken them) and considerations for assessing how well your organization did in dealing with this major threat.
Summary of what happened
It was revealed on December 13, 2020, that the popular network monitoring software SolarWinds Orion had been compromised, leading to security breaches at multiple companies and government agencies. What is unique about this incident is that the threat actor made it possible by inserting malicious code, dubbed SUNBURST, into a legitimate update of the software. Based on research by cybersecurity firm FireEye (which revealed that it too was a victim of this breach), the activity appears to have started as early as spring 2020, with its impact coming to a head the week of December 13th. Further execution was largely thwarted by December 16th, when a collaborative effort between GoDaddy (a domain name registrar), Microsoft and FireEye took control of a domain name that was supporting the command and control (C2) infrastructure for this malicious code. While this 'killswitch' neutralized further spread, response efforts shifted to identifying and removing any measures the attackers may have used to persist in an affected environment by compromising other resources.
According to FireEye, in its own incident the threat actor stole hacking tools and focused on information pertaining to FireEye's governmental clients. This led FireEye to conclude that this was a targeted attack by a nation state, although the vulnerability now exists for any organization using the product. The widespread usage of the product has attracted significant attention from IT and cybersecurity professionals seeking to investigate and begin mitigating the incident.
The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is actively involved in the response effort for federal agencies and has issued a summary of details and continues to monitor and aggregate relevant information related to this supply chain compromise.
What advice has been given
According to an advisory from SolarWinds, the first step is to make sure that you're using Orion Platform v2019.4 HF 5 or Orion Platform v2020.2.1 HF 1, the two versions currently available on their customer portal. According to this advisory, the hotfixes addressing the SUNBURST vulnerability were released on 12/14/2020 and 12/15/2020 for these versions respectively.
In the research it released on December 13th, FireEye recommended isolating and containing SolarWinds servers, or restricting SolarWinds' connectivity to only those servers that do not contain sensitive information or perform mission-critical functions. FireEye also recommended changing passwords on any accounts with access to SolarWinds servers. And, if SolarWinds is used to manage any network infrastructure, it recommended reviewing those devices for unauthorized configuration changes.
Governmental organizations should review the emergency directive issued by CISA to all federal agencies. A series of very restrictive and specific measures are outlined in its directive including powering down and removing SolarWinds Orion from agency networks, conducting a series of forensic procedures including searching for indicators of compromise, and procedures required to rebuild systems that were previously connected to SolarWinds Orion. CISA continues to update the directive with additional instructions as they learn more about the versions of SolarWinds Orion that were compromised.
Post-incident considerations
An incident of this magnitude and impact will have senior leadership and board members of any organization asking IT management how the organization fared and whether it is set up well to address incidents like this in the future. As part of a post-incident review, we would recommend considering the following questions:
- This was a fire drill for many: did you have the right artifacts available to your team to investigate?
  - DNS, NetFlow
  - Identity sources (including DHCP)
  - Domain controller
- This attack started as early as nine months prior to its discovery. As a result, the investigation required a look back of several months. Did you have the log data retention to support those inquiries?
- Did the playbook for incident response hold up while dealing with SUNBURST?
  - Was it updated (or does it need to be) for any COVID-19 or remote-work considerations?
- Does cyber risk management for your organization recognize or consider supply chain risk?
  - Would the definitions, scope and applicability have captured an incident like this with a software provider?
  - Knowing what we know now, how might your organization reconsider the risks posed by malicious or faulty updates being provided by trusted software vendors?
- Do asset inventories reflect all critical components?
  - In this case, how long did it take to confirm whether SolarWinds Orion was or was not utilized by the organization, and whether the version used was affected by this compromise?
  - How difficult was it to determine which systems managed by SolarWinds Orion contain sensitive information or perform critical functions?
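The artifact and retention questions above can be turned into a concrete check. The following is an added example (not code from the original article or from any vendor) that takes a constructed inventory of log sources with the earliest day of data each still retains, and reports which sources cannot cover a nine-month lookback window ending on the December 13, 2020 discovery date; the source names and dates are hypothetical.

```python
from datetime import date, timedelta

# Discovery date from the article; a nine-month lookback is taken as 270 days.
DISCOVERY = date(2020, 12, 13)
LOOKBACK_DAYS = 270

# Constructed inventory (hypothetical values, not from the article): the
# artifact types named in the post-incident questions and the earliest day of
# data still retained for each.
RETAINED_SINCE = {
    "dns": date(2020, 10, 1),
    "netflow": date(2020, 11, 20),
    "dhcp": date(2020, 2, 1),
    "domain_controller": date(2020, 3, 1),
}


def lookback_gaps(retained_since, discovery=DISCOVERY, lookback_days=LOOKBACK_DAYS):
    """Return {source: missing_days} for every source whose retention does not
    reach back to the start of the lookback window. Sources that fully cover
    the window are omitted from the result."""
    window_start = discovery - timedelta(days=lookback_days)
    gaps = {}
    for source, earliest in retained_since.items():
        if earliest > window_start:
            gaps[source] = (earliest - window_start).days
    return gaps


def coverage_report(retained_since, discovery=DISCOVERY, lookback_days=LOOKBACK_DAYS):
    """One human-readable line per source, sorted by source name."""
    gaps = lookback_gaps(retained_since, discovery, lookback_days)
    lines = []
    for source in sorted(retained_since):
        if source in gaps:
            lines.append(f"{source}: MISSING {gaps[source]} days of the lookback window")
        else:
            lines.append(f"{source}: covers full window")
    return lines


if __name__ == "__main__":
    for line in coverage_report(RETAINED_SINCE):
        print(line)
```

Run against your own retention settings, any source flagged as MISSING marks a gap that a nine-month investigation could not have been answered from.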
While the details are still unfolding, Weaver is committed to engaging with and assisting our clients with their cybersecurity posture. If you would like to further discuss, please contact us.
© 2020