Earlier this week, Texas-based IT software vendor SolarWinds issued a critical security advisory, acknowledging that a “highly sophisticated” hacker had inserted a vulnerability in an updated version of SolarWinds’ Orion product that was released to customers between March 2020 and June 2020. “If present and activated, the vulnerability could allow an attacker to compromise the server on which the Orion products run,” the advisory noted.
While the full scope of the intrusion remains unclear, the New York Times and Washington Post have reported that the attack appears to have been carried out by a Russian foreign intelligence agency colloquially known as “Cozy Bear” or “APT29.” The attack appears to have occurred through the insertion of malicious code into Orion product updates, which allowed the threat actors to gain access to and control highly privileged network accounts.
In a filing with the U.S. Securities and Exchange Commission, SolarWinds stated that it had notified approximately 33,000 of its 300,000 worldwide customers about the attack, but that the company believes the actual number of affected customers to be fewer than 18,000. Notifications to the 33,000 customers included containment and mitigation steps, such as a hotfix update to address the vulnerability, and SolarWinds has since updated its security advisory to provide additional measures organizations can implement to secure their systems.
According to a page that has now been taken down on SolarWinds’ website, the company’s clients include all five branches of the U.S. Military, more than 400 of the U.S. Fortune 500, and the top 10 U.S. telecommunication companies. Known victims of the attack include prominent cybersecurity firm FireEye and several federal agencies, including the Department of Homeland Security, the Treasury Department, and the Department of Commerce.
As federal agencies and companies scramble to determine whether they were impacted by the attack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a rare emergency directive on December 13, 2020 in response to the attack. The directive — only the fifth directive in CISA’s history — calls on federal civilian agencies to review their networks and disconnect or power down versions 2019.4 through 2020.2.1 HF1 of the Orion product from their network. FireEye similarly published an alert with measures organizations can take to determine whether they were impacted by this attack.
SolarWinds has advised customers using the Orion product to immediately take certain steps if they believe they have been impacted by the attack, including:
- Upgrade to Orion Platform version 2020.2.1 HF 2
- If a company is using Orion Platform v2019.4 HF 5, upgrade to 2019.4 HF 6
Other steps that SolarWinds customers can take to contain and remediate the attack include:
- Isolate and block all traffic to any portions of your network where Orion software is installed
- Immediately remove any anti-virus software exemptions for Orion software and run a deep scan on your network
- Attempt to identify, isolate and remove any possible threat-actor-controlled accounts
- Continue to carefully monitor potentially affected networks for suspicious activities
- Monitor and review any new or updated advisories — including those from SolarWinds, FireEye and relevant U.S. government agencies like CISA — about how the attack was initiated and remediation efforts
- Work closely with your IT, security and legal departments to ensure they are prepared to act quickly if your network is potentially impacted
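As an added example (not code from the article, SolarWinds or CISA), the following Python helper parses Orion version strings in the form used above ("2019.4 HF 5", "2020.2.1 HF1"), checks each installed build against the range CISA's directive names, and maps it to the upgrade step from the advisory. The host inventory is constructed, and the assumption that 2019.4 hotfixes later than HF 6 are also patched is an assumption, not a statement from the page.

```python
import re
from typing import Dict, NamedTuple


class OrionVersion(NamedTuple):
    year: int     # e.g. 2020
    minor: int    # e.g. 2
    patch: int    # e.g. 1 (0 when absent)
    hotfix: int   # HF number (0 when no hotfix)


# Accepts "2019.4", "2020.2.1", "2019.4 HF 5", "2020.2.1 HF1" (case-insensitive)
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> OrionVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hf = m.groups()
    return OrionVersion(int(year), int(minor), int(patch or 0), int(hf or 0))


# Range named in the CISA emergency directive: 2019.4 through 2020.2.1 HF1
AFFECTED_LOW = parse_orion_version("2019.4")
AFFECTED_HIGH = parse_orion_version("2020.2.1 HF1")


def is_affected(version: str) -> bool:
    v = parse_orion_version(version)
    # Hotfix numbers restart on each release branch, so a flat ordering would
    # wrongly flag the patched 2019.4 HF 6 as "below 2020.2.1 HF1". Carve the
    # 2019.4 fixed builds out explicitly (HF 6 per the advisory; later HFs assumed).
    if v[:3] == (2019, 4, 0) and v.hotfix >= 6:
        return False
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def recommended_action(version: str) -> str:
    """Map an installed build to the advisory's upgrade step (isolate first)."""
    if not is_affected(version):
        return "not in the affected range for this advisory"
    if parse_orion_version(version) == parse_orion_version("2019.4 HF 5"):
        return "isolate, then upgrade to 2019.4 HF 6"
    return "isolate, then upgrade to 2020.2.1 HF 2"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return host -> recommended action for a host:version inventory."""
    return {host: recommended_action(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames, not real systems)
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF1",
    "orion-lab-02": "2019.4 HF 5",
    "orion-dev-03": "2020.2.1 HF 2",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```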