

Beginning on Tuesday, December 8th, and continuing into the afternoon of December 14th, news services reported several high-profile cyber security incidents, including those at a cyber security firm and at other organizations and institutions such as the Department of Homeland Security, the United States Treasury and the Commerce Department. As the news developed, it became clear that all of the incidents appeared to share a common attack vector: the successful supply-chain compromise of a security tool developed and distributed by Austin, Texas-based IT company SolarWinds.

Overview

While this situation continues to develop, based on government advisories, releases from SolarWinds, and reporting from the threat intelligence community, here is what is known to date:

▪ The attack on SolarWinds is apparently a targeted supply chain attack attributed to foreign nation state threat actors.
▪ The attackers embedded malicious code into SolarWinds’ Orion product before its release to clients.
▪ The threat actors trojanized SolarWinds’ Orion business software updates in order to distribute malware to corporate and other enterprise end-users. Any client that installed an impacted version of Orion was then exposed to exploitation through the embedded malicious code.
▪ The impacted software is SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1. (Source: SolarWinds Security Advisory, updated December 15, 2020, 8:00am CST.)
▪ Companies, non-profits, and other organizations around the world that utilized the impacted SolarWinds software are at risk, as the software would potentially allow the threat actors to access their networks and compromise credentials.
▪ According to reports, once an environment is compromised, the threat actor appears to leverage multiple techniques within the end-user environment to evade detection and obscure their activity. Each attack also appears to have been customized, with malicious hostnames tailored to match naming conventions within the target’s environment.
▪ Further reports indicate that the campaign is widespread, affecting public and private organizations around the world.
▪ This campaign may have begun as early as Spring 2020 and is currently ongoing.

Are you impacted?

Based on the SolarWinds advisory updated as of December 15, 2020, if you had Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1 installed in your environment (see the list of “Known affected products” on SolarWinds’ website), your network is possibly impacted by the presence of the malicious code and may have been subsequently compromised by the threat actors. Foreign nation state threat actors have been seen using the impacted software to gain an initial foothold into the network. Once the threat actor gains access to the network, they could escalate their access to global administrative user rights. The threat actor could leverage those global administrative user rights to impersonate any user, including administrative users, on the network. Once the threat actor has successfully acquired this level of control and authority on a network, they could move within the company’s network, including to cloud infrastructure if the network extends to that space.

What should you do?

If you have or had a trojanized version of SolarWinds Orion on your infrastructure, Stroz Friedberg advises that you take a risk-based approach to the situation. While patching SolarWinds is an essential part of the process, it is not the end of the work needed. “Fixing” the initial entry point without investigating to fully understand the extent of the incident will leave your organization in the dark about impact. A risk-based approach is advisable given the sophistication of the threat group associated with this complex attack. Specific steps to act upon and consider should include:
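As an added example (not part of the original alert, and not a SolarWinds or Stroz Friedberg tool), the following Python triages an Orion inventory against the affected builds quoted above from the advisory. The inventory, hostnames and the version-string notation it accepts ("YYYY.N" with an optional "HF n") are constructed assumptions; "not-listed" only means the build is absent from the list as quoted here, not that it is safe.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Affected builds as quoted from the SolarWinds advisory in the text above:
# 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.
# Hotfix 0 encodes "no hotfix installed".
AFFECTED = {(2019, 4, 5), (2020, 2, 0), (2020, 2, 1)}


class OrionVersion(NamedTuple):
    year: int
    release: int
    hotfix: int


# Assumed notation: "2019.4 HF 5", "2020.2", "2020.2 HF1"; case and spacing are tolerated.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[OrionVersion]:
    """Parse an inventory version string; return None if it does not fit the notation."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return OrionVersion(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(text: str) -> str:
    """'affected' if the build is on the quoted list, 'not-listed' if it parses but is
    absent (check the current advisory), 'unparseable' if the string cannot be read."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    return "affected" if tuple(v) in AFFECTED else "not-listed"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by classification so affected ones can be prioritised for investigation."""
    out: Dict[str, List[str]] = {"affected": [], "not-listed": [], "unparseable": []}
    for host, version in inventory.items():
        out[classify(version)].append(host)
    return out


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "orion-01": "2020.2 HF 1",
    "orion-02": "2019.4 HF 5",
    "orion-03": "2020.2",
    "orion-04": "2019.4 HF 4",
    "orion-05": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```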
