SolarWinds Supply-Chain Attack – What you need to know and do!
A major breach has been announced concerning network management and monitoring software published by SolarWinds. This breach is highly publicized due to this software being configured in such a way that it can talk to every device on an entire network by design, which can allow for pivot attacks against an entire organization. To make matters even worse, these attacks can be made against any company that utilizes SolarWinds from anywhere on the internet! SolarWinds has noted the Orion Platform is the vulnerable application and that the following conditions must be met for it to be exploited:
1) The exploit affects the SolarWinds Orion Platform only (as far as the company currently knows), which includes any of the following tools:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module* (DPAIM*)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
2) You must have had an active product support agreement with SolarWinds to have been receiving updates within the 2020 year (as the exploit was deployed to SolarWinds clients through one of its own updates and dates back as far as March of 2020).
3) The exploit will only activate on a machine that has access to the internet.
If you meet the above conditions, you likely have software on your network that is highly susceptible to an attack from anywhere on the internet. At a high level, an attacker has embedded malware with (for lack of a better term) a “call home” feature that allows complete remote access to a system running this vulnerable software.
What actions should you take if you have vulnerable software? The following guidelines come from the Department of Homeland Security and from the SANS Institute:
- If you run any of the software packages above, assume you have been compromised and treat this as a breach. Firewall logs should be reviewed, network event logs should be investigated, and forensic teams should be hired if in-house staff are not knowledgeable to perform their own review.
- Install published patches available by SolarWinds for the vulnerable software.
- If the machines on which the software is installed do not require internet access, do not allow them to access the internet.
- If the machines running this software do require internet access, consider firewall rulesets which restrict where on the internet this software can communicate on a least privilege basis. In other words, create firewall rules to only allow this software package to communicate where it is needed, and block all other destinations.
- Establish firewall or IDS (intrusion detection system) rulesets to alert or block access to known “bad” sites. The SANS Internet Storm Center, for example, is publishing updates to listings of known bad sites at this URL: https://isc.sans.edu. Further, this website also has instructions for how to restrict access to such known malicious domains.
- Watch the news and SolarWinds’ website to ensure you have the latest up-to-date information about the breach and suggestions by the vendor or other organizations.
- Be aware that SolarWinds is likely the first of many software package companies that will be attacked. This supply-chain based attack will grow in popularity. Therefore, it is strongly urged that you ensure your firewall is established with both inbound and outbound traffic restrictions to only allow traffic to and from sources that you need and block all others as much as possible.