SolarWinds Hack: Further Recommendations For Enterprises

Raluca Saceanu

Attacks targeting supply chains are among the hardest to mitigate because the threat actors typically compromise the vendor's build or continuous integration environment rather than the victim directly. Once inside, they can insert code into a product before it is signed, so the tampered update is delivered through the vendor's legitimate channel and carries the vendor's own mark of trust. Here are our recommended responses related to the recent SolarWinds hack:

Recommended Responses

The first step security professionals should take is to find out to what extent their infrastructure is affected. SolarWinds posted instructions for determining which version of the Orion Platform you might have running.

Vulnerable versions (builds that shipped with the trojanised component):

  • SolarWinds Orion Platform 2019.4 HF 5
  • SolarWinds Orion Platform 2020.2 with no hotfix installed, and 2020.2 HF 1

The fixed releases are 2019.4 HF 6 and 2020.2.1 HF 2; any Orion build earlier than those should be treated as needing the update.

If you are able to, check any internet web proxy, DNS proxy, or firewall logs for connections to the legitimate SolarWinds update site, downloads.solarwinds.com. Internal hosts that contacted it are candidates for running an Orion Suite product. (Note: this will identify hosts running any SolarWinds product, not just the Orion Suite, so each hit still needs to be confirmed on the host.)

We then recommend capturing a disk image and a memory image of every host where a vulnerable SolarWinds product was running before changing anything on it, analysing those images for new user or service accounts, and inspecting stored network traffic for indicators of compromise. Further recommendations are in CISA Emergency Directive 21-01: https://cyber.dhs.gov/ed/21-01/

FireEye has also published lists of indicators of compromise and a GitHub repository of free countermeasures (detection signatures for the trojanised component and its traffic).
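As an added illustration of the log check described above (this is example code written for this page, not part of the original article and not SolarWinds, FireEye or CISA tooling), the Python below reads web-proxy and DNS query log lines, lists which internal hosts contacted downloads.solarwinds.com, and flags hosts that resolved or connected to a published indicator domain or any of its subdomains. The log formats (a Squid-style access.log and a BIND-style query log), the internal addresses and the sample lines are constructed; the indicator domain avsvmcloud.com is taken from FireEye's published SUNBURST indicators and stands in for whatever list you load from the FireEye and CISA material.

```python
"""Triage of proxy and DNS query logs for the SolarWinds response (added example).

Answers two questions from the steps above:
  1. Which internal hosts contacted downloads.solarwinds.com? That is an
     inventory of hosts probably running *some* SolarWinds product.
  2. Which internal hosts resolved or connected to a published SUNBURST IOC
     domain, or to one of its subdomains?
"""
import re
from collections import defaultdict

# Legitimate SolarWinds update site, as named in the article.
UPDATE_HOST = "downloads.solarwinds.com"

# From FireEye's published SUNBURST IOC list; extend it from the FireEye /
# CISA material rather than hard-coding more entries here.
IOC_DOMAINS = {"avsvmcloud.com"}

# Squid-style access.log: "<ts> <ms> <client> <status> <bytes> <method> <url> ..."
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# BIND-style query log: "... client [@0x..] <ip>#<port> (<qname>): query: ..."
BIND_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): query:"
)


def host_from_url(url: str) -> str:
    """Hostname from a proxy URL field: handles CONNECT targets ("host:443")
    as well as full URLs ("https://host/path")."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def parse_line(line: str):
    """Return (client_ip, hostname) for a recognised line, else None."""
    m = SQUID_RE.match(line)
    if m:
        return m["client"], host_from_url(m["url"])
    m = BIND_RE.search(line)
    if m:
        return m["client"], m["qname"].lower().rstrip(".")
    return None


def matches_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain. SUNBURST beaconed to
    generated subdomains, so exact matching would miss the C2 traffic."""
    return host == domain or host.endswith("." + domain)


def triage(lines):
    """Return (update_contacts, ioc_hits):
    client -> number of contacts with the update site, and
    client -> sorted list of IOC hostnames it touched."""
    update_contacts = defaultdict(int)
    ioc_hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrecognised format; record it in a real run
        client, host = parsed
        if matches_domain(host, UPDATE_HOST):
            update_contacts[client] += 1
        for ioc in IOC_DOMAINS:
            if matches_domain(host, ioc):
                ioc_hits[client].add(host)
    return dict(update_contacts), {c: sorted(h) for c, h in ioc_hits.items()}


# Constructed sample lines (not real traffic). 10.0.4.17 stands for an Orion
# server; the long first label of the IOC query is a made-up placeholder in
# the shape of the SUNBURST beacon names.
SAMPLE_LOG = """\
1607936401.123    245 10.0.4.17 TCP_TUNNEL/200 3924 CONNECT downloads.solarwinds.com:443 - HIER_DIRECT/192.0.2.10 -
1607936402.456     88 10.0.4.17 TCP_MISS/200 1220 GET https://downloads.solarwinds.com/solarwinds/Release/Orion/readme.txt - HIER_DIRECT/192.0.2.10 text/plain
1607936403.789    120 10.0.9.42 TCP_TUNNEL/200 5011 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.20 -
14-Dec-2020 09:20:11.001 client @0x7f3a1c0 10.0.4.17#53122 (downloads.solarwinds.com): query: downloads.solarwinds.com IN A + (10.0.0.53)
14-Dec-2020 09:21:45.300 client @0x7f3a1c0 10.0.4.17#53190 (02m6hcopd6g1r3vtn3m1vv.appsync-api.eu-west-1.avsvmcloud.com): query: 02m6hcopd6g1r3vtn3m1vv.appsync-api.eu-west-1.avsvmcloud.com IN A + (10.0.0.53)
14-Dec-2020 09:22:10.777 client @0x7f3a1c0 10.0.9.42#53201 (www.example.com): query: www.example.com IN A + (10.0.0.53)
"""

if __name__ == "__main__":
    updates, iocs = triage(SAMPLE_LOG.splitlines())
    for client, n in sorted(updates.items()):
        print(f"{client}: {n} contact(s) with {UPDATE_HOST} -> check for SolarWinds products")
    for client, names in sorted(iocs.items()):
        print(f"{client}: IOC hit(s) {', '.join(names)} -> image, isolate, investigate")
```

Two points the code makes that the prose only implies: the update-site check is an inventory aid, so every host it lists still has to be confirmed (it will surface any SolarWinds product, and a host that merely resolved the name may never have downloaded anything), and indicator matching must cover subdomains, because the backdoor's beacon names were generated labels under the indicator domain rather than the bare domain itself.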

The next step is to remove, upgrade, or isolate the affected SolarWinds Orion systems. CISA's Emergency Directive 21-01 told federal agencies to immediately disconnect or power down affected Orion hosts, while SolarWinds recommends upgrading to the fixed releases. In those instances where an upgrade or patch is not immediately feasible, SolarWinds recommends isolating the system as much as possible.

Recommendations include running Orion behind a firewall, disabling its internet access (including outbound DNS resolution to the internet), and limiting ports and connections to only those that are absolutely necessary. Isolation limits the backdoor's ability to reach its command-and-control infrastructure but does not remove it; a host that has run a trojanised build must still be imaged and investigated as described above.

Next, enterprises need to remove all compromised user accounts and attacker communication channels, including blocking all access to the known compromised domains and IP addresses published in the indicator lists.

All credentials that the SolarWinds systems had access to should be reset. Orion typically holds credentials for the infrastructure it monitors (SNMP community strings, WMI and SSH accounts, database and service accounts), and all of these should be rotated, together with all privileged accounts and any authentication keys, certificates and tokens the compromised systems could reach. Do the rotation after the attacker's access has been cut off, otherwise the new credentials can be captured in the same way as the old ones.

Sophos put out an extremely detailed incident response playbook for the SolarWinds compromise and has been continuously updating it as new information becomes available.

After the cleanup is completed, organisations can restore systems to a last known good state, meaning a backup taken before the trojanised update was installed, or reinstall from trusted sources.

Microsoft has also released a detailed SolarWinds response advisory.

For the future

To help businesses strengthen resiliency against supply chain attacks, our security team recommends the following:

  • Conduct risk assessments to identify potential security gaps and weaknesses across your entire supply chain, including the vendors whose software runs with privileged access inside your network.
  • For organisations that develop software, implement development and release procedures that require review by more than one person, and verification that what is built and signed matches the reviewed source, before new code reaches production.
  • For organisations with production software environments as part of their core business, incorporate periodic security testing that looks for anomalous processes and network traffic behaviours in addition to classic application bugs.

Smarttech247 will continue to do its best to protect our customers, partners and the security community from threat actors who work tirelessly to steal data, extort and cause harm.
