As I’m sure many of you are aware, a major supply chain hack was discovered in SolarWinds’ main product, Orion. Odds are good that this tool is in use somewhere on your network, as it’s an NMS in pervasive use across the industry. Below are some of the notes I’ve gathered regarding this hack, what you need to know about it, and how to respond.
What Is A Supply Chain Attack?
A supply chain attack is when an attacker gets access to the code or product before it is delivered to you as a consumer. In this case, the attacker was able to add malicious code to the product using the same tools and repositories that SolarWinds uses to develop the software. The malicious code went undetected and was distributed to customers as part of official patches. Customers would have had no way to know or detect that this malicious code had been inserted into the product.
Who Is Responsible?
At this time, multiple credible sources believe this attack to be the work of a nation-state attacker. Specifically, suspicion seems to be pointed at Russia and its APT29 state-sponsored hacking group. Attribution of attacks like these tends to be a bit murky, though, as politics often gets involved. In this case, many independent sources agree about the source, so the probability of accuracy is higher than normal for an attack like this.
When Did This Happen?
SolarWinds has confirmed that the first compromised software was released in March of 2020 (version 2019.4 HF 5) and continued through June of 2020 (version 2020.2.1).
What Is The Implication?
The malicious code introduced a back door into the system for the remote attackers and provided an avenue for the download and execution of additional code for further compromise. The intent appears to be to use the SolarWinds Orion NMS to harvest information about target networks, collect credentials for managed devices, and then pivot from the NMS into compromising other systems within the network. Since this appears to be a state-sponsored attack, the majority of the focus is being applied to military, government, and critical infrastructure networks. That being said, anyone who runs SolarWinds Orion should be taking mitigations to reduce the impact to their networks and systems.
What Should You Do?
The below steps are summarized and adapted for a broader audience from CISA Emergency Directive 21-01.
- If possible, it would be prudent to isolate SolarWinds products from your network until you can verify whether or not you are running a compromised version. It is better to disable communication to the network than to shut down the system, though, as some of the potential attack vectors reside exclusively in system memory and will disappear if the system is shut down. The best thing you can do is disable network connections, either by shutting down the physical port(s) that SolarWinds products are connected to or by disabling the vNICs if your SolarWinds implementation(s) are virtualized.
- If possible, take a forensic image of the system for future analysis. If you don’t know how to do this effectively, consult a professional who does.
- Audit administrative accounts and systems for compromise. Disable any administrative accounts that you don’t recognize.
- Assume that any credential used by the SolarWinds system for the purposes of monitoring or administration has been compromised. Change these credentials immediately.
- After you are confident that all potential means of access for remote attack have been mitigated, assume that every host monitored by SolarWinds Orion was a target. Review your infrastructure for signs of compromise. Rebuild compromised hosts from trusted sources.
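As an added example (not part of the original post), the following PowerShell carries out the first two steps for a virtualized Orion instance on a Hyper-V host: it preserves the VM’s memory and disk state with a checkpoint and then disconnects the vNICs rather than powering the VM off. It assumes the Hyper-V PowerShell module on the host and uses a placeholder VM name; other hypervisors have equivalent operations.

```powershell
# Added example (not from the original post): isolate a running, virtualized
# SolarWinds Orion VM on a Hyper-V host without shutting it down, so that
# memory-resident artifacts survive. Assumes the Hyper-V PowerShell module and
# a VM named by -VMName (placeholder value below); run elevated on the host.
function Isolate-OrionVm {
    param(
        [Parameter(Mandatory)][string]$VMName
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Do NOT stop the VM: some attack artifacts live only in memory.
    if ($vm.State -ne 'Running') {
        Write-Warning "$VMName is not running (state: $($vm.State)); memory-resident evidence may already be lost."
    }

    # Standard (not production) checkpoints save the VM's memory along with its
    # disk state. This keeps a point-in-time copy before isolation; it is an
    # interim measure, not a substitute for a proper forensic image.
    Set-VM -Name $VMName -CheckpointType Standard
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Checkpoint-VM -Name $VMName -SnapshotName "pre-isolation-$stamp"

    # Disconnect every vNIC from its virtual switch; the VM keeps running but
    # can no longer reach, or be reached from, the network.
    Get-VMNetworkAdapter -VMName $VMName | Disconnect-VMNetworkAdapter

    # Verify: every adapter should now report Connected = False.
    $stillConnected = Get-VMNetworkAdapter -VMName $VMName | Where-Object { $_.Connected }
    if ($stillConnected) {
        throw "Isolation incomplete; still connected: $($stillConnected.Name -join ', ')"
    }

    # Return the adapter state for the incident record.
    Get-VMNetworkAdapter -VMName $VMName | Select-Object VMName, Name, SwitchName, Connected
}

# Usage (replace the placeholder with the actual Orion VM name):
Isolate-OrionVm -VMName 'ORION-VM-PLACEHOLDER'
```

Physical Orion servers need the equivalent done at the switch (shut the access port), since there is no vNIC to disconnect.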
Where Can You Learn More?
Jordan Martin, CCIE #43772, is a Technical Solutions Architect at World Wide Technology focusing on SD-WAN and enterprise networking. Jordan also co-founded and hosts the popular Network Collective podcast.