The Cybersecurity and Infrastructure Security Agency (CISA) has released a new document, CISA Insights, on the SolarWinds vulnerability. It provides details on the risk and on actions that can be taken to remediate affected organizations. Below is a further highlight of details of the incident:
“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform. Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs. CISA will update this Alert as new information becomes available. Refer to CISA.gov/supply-chain-compromise for additional resources.”
For more information, visit CISA’s recent activity release here.
SolarWinds Orion Products Compromised
Original Alert Date: December 13th
SolarWinds Orion products are currently being exploited by malicious actors. The Cybersecurity and Infrastructure Security Agency (CISA) has determined that this exploitation is a serious threat to Federal Civilian Executive branch agencies and requires emergency actions to be taken. CISA has issued Emergency Directive 21-01 in response to the compromise. The directive is urging all federal civilian agencies to review their networks for any indications of suspicious activity and to immediately disconnect or power down any or all SolarWinds Orion products. SecuLore concurs that all traffic to any of the SolarWinds devices should be extensively analyzed for potential command and control, infiltration or exfiltration to external sources.
The versions of the SolarWinds Orion products currently being exploited are 2019.4 through 2020.2.1 HF1. The tactic being used permits the attacker to gain access to network traffic management systems, and the attacker is believed to be using a variety of persistent methods to maintain a foothold. Until patches are available, disconnecting the affected devices is currently the only known mitigation measure.
“CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.”
See full report for detailed CISA required actions: Emergency Directive 21-01
The SecuLore approach allows us to fully analyze the traffic, not only to determine whether any new compromises occur but also to detect such behavior when it first starts, based on anomalous behavior from any device and specifically the SolarWinds devices. The SOC analysis can also extend back to any previous communications with the SolarWinds devices to determine whether the devices had previously communicated in a way that would now be categorized as part of this compromise. This method allows us to determine if and how the SolarWinds devices were compromised, and to provide the details of the compromise: how much data was infiltrated or exfiltrated, and to what external devices the data was sent.
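The retrospective review described above can be illustrated with an added example; it is not SecuLore's or CISA's code. It walks stored flow records and, for each SolarWinds host, reports every external peer with bytes sent, bytes received and first contact. The record format, host address and internal network list are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real telemetry): timestamp, source, destination, bytes.
FLOWS = """\
2020-12-01T02:10:00Z 10.0.5.20 10.0.1.5 1200
2020-12-01T02:11:00Z 10.0.5.20 203.0.113.40 48000
2020-12-01T02:11:02Z 203.0.113.40 10.0.5.20 900
2020-12-02T03:00:00Z 10.0.5.20 203.0.113.40 1500000
2020-12-02T04:00:00Z 10.0.7.9 198.51.100.7 300
2020-12-03T01:00:00Z 198.51.100.99 10.0.5.20 70000
"""
ORION_HOSTS = {"10.0.5.20"}       # assumption: address of the SolarWinds Orion server
INTERNAL_NETS = ["10.0.0.0/8"]    # assumption: the monitored network's own ranges

def external_peers(flow_text, orion_hosts, internal_nets):
    """Summarise traffic between Orion hosts and addresses outside the network."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    peers = defaultdict(lambda: {"first_seen": None, "bytes_out": 0, "bytes_in": 0})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing at fields
        ts, src, dst, nbytes = parts
        if src in orion_hosts and not is_internal(dst):
            host, peer, direction = src, dst, "bytes_out"
        elif dst in orion_hosts and not is_internal(src):
            host, peer, direction = dst, src, "bytes_in"
        else:
            continue  # internal-only traffic, or a flow that does not involve Orion
        rec = peers[(host, peer)]
        rec[direction] += int(nbytes)
        # Timestamps share one ISO 8601 UTC format, so string order is time order.
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    return dict(peers)

if __name__ == "__main__":
    summary = external_peers(FLOWS, ORION_HOSTS, INTERNAL_NETS)
    # Largest outbound volume first: the likeliest exfiltration destinations.
    for (host, peer), rec in sorted(summary.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(host, "->", peer, rec)
```

The internal ranges are listed explicitly because Python's `ipaddress.is_private` also returns true for the documentation ranges used in the sample data.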
SecuLore Solutions provides Emergency Directive 21-01 by deploying a Paladin device to passively capture all traffic traversing the monitored network. The raw packets are captured and stored locally on the device for up to a week to provide full forensic captures of all traffic. Simultaneously, the Paladin processes the data and sends the metadata back to the 24×7 SOC (Security Operations Center). The data is processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
SecuLore Support Team