Assessing Risk in the Wake of SolarWinds Attack

Over the last couple of weeks, we have all watched the details surrounding the SolarWinds attack unfold. The full scope of the attack will continue to be determined over the coming weeks (and months), but it’s clear this was a highly sophisticated supply chain attack that focused on patience to accomplish a “one to many” attack path starting with SolarWinds and ending with potential access to a large number of organizations who leveraged SolarWinds solutions.

While it’s easy to get caught up in the wake of such a large-scale attack, our approach at MOXFIVE remains the same – assess and understand the reality of the situation specific to your organization, then form the most efficient plan to mitigate any impacts and reinforce against any future risks. While difficult, these are the precise moments where a slow and methodical response will yield the fastest and most accurate results.

Below is a quick overview of the SolarWinds attack and quick steps we recommend you take to better understand the risks to your organization.

What was the attack?

It is purported that Russian intelligence infiltrated SolarWinds, gained access to the code repository, and created a trojanized version of a legitimate file for the Orion platform. The trojanized version of the file effectively provided backdoor access to systems. As part of normal business processes, users of the Orion platform would have downloaded the trojanized version of the Orion software that would then have provided the threat actors the ability to interact with the system.  

How many organizations were impacted?

The full scope of the impact will continue to be determined over the coming weeks, or more likely, months. Currently an estimated 18,000 organizations may have been impacted by the trojanized Orion software. However, it is likely that only a small percentage of those may have post exploitation activity as the attackers were likely prioritizing further activity based on where they gained access.  Currently, public reports indicate the targets were technology companies, government agencies, and non-governmental organizations (NGOs).

What should I do to assess my organization’s risk?

Organizations should follow the below steps to determine the appropriate level of response and concern:

1.   Validate whether your organization uses the impacted SolarWinds software.

• Affected versions of the Orion Platform are 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1.

2.   If you do, confirm whether the malicious version of the SolarWinds binary is present on SolarWinds servers in your environment.

• If you were using impacted software, your organization could be “at risk” of unauthorized access into the environment

3.   If yes, conduct a compromise assessment of the environment to search for all known Indicators of Compromise (IOCs).

• A list of IoCs released by FireEye can be found here:  https://github.com/fireeye/sunburst_countermeasures

4.    If additional post exploitation IOCs are identified, organizations should conduct a full forensic investigation to determine the extent of unauthorized activity in the environment.

What can I do to be prepared to respond to this type of attack even if not impacted now?

Even if you’re not impacted by the current attack, we all know there’s always another attack on the horizon and the better prepared we are ahead of time, the quicker we’ll be able to respond. The goal for any organization is to reduce the time between detection and remediation to effectively create a smaller blast radius for potential attacks. MOXFIVE recommends that all organizations have the following tools and processes in place:

1.     Have a clear and defined inventory of devices and software used in the environment - solid asset inventory will help you quickly assess whether the systems or software in your environment are potentially at risk or not.

2.    Ensure your organization has the ability to quickly conduct enterprise-wide searches for IOCs -proper tooling and visibility will enable you more quickly assess the situation.

3.    Ensure proper security monitoring is in place to quickly identify and contain evidence of unauthorized access in your environment – again, visibility leads to rapid response.

Over the coming weeks, we’ll continue to monitor the fallout of the SolarWinds attack and keep you updated on any new recommendations. If you have any concerns about how to respond the current SolarWinds attack, want to discuss how your organization can better prepare for and respond to the latest threats, or need help implementing any solutions mentioned above, contact us and we’re happy to set up a call.