By Michelle A. Schaap, Chiesa Shahinian & Giantomasi PC

In December, we learned that the SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1*, released between March 2020 and June 2020, were compromised by an advanced persistent threat actor (APT). The perpetrators of this sophisticated attack implanted a Trojan into a legitimate update to the Orion Platform that was released in March. Once the Trojan was activated, it not only gave the threat actor high-level credentials to the Orion Platform, but also let it potentially move across other areas of the compromised target’s network and systems. Until recently, SolarWinds’ site listed representative clients, including such companies as Cisco, AT&T, Ford Motor Company and all five top US accounting firms, to name a few. Its federal (government) clients include all five branches of the US Military, the US Pentagon, the State Department, the Treasury Department, NASA, and the NSA. Many local governments also use SolarWinds’ products. If a firm was using the impacted SolarWinds Orion platform, that does not necessarily mean that the malware had been activated. DHS and CISA both recommend that businesses concerned that they may have been impacted should:
It is important to follow specific steps when investigating, eradicating and rebuilding/restoring impacted systems. Please see the CISA website for the most up-to-date guidance and information. As of January 7, 2021, this link provides the most up-to-date information from CISA: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA. While SolarWinds released two hot patches the week of December 14, 2020, as of the day of this writing DHS and CISA continue to recommend that firms exercise caution in applying the patches and in restoring or continuing to run the Orion Platform. To be clear, CISA and DHS mandated that all impacted federal agencies had to update their Orion instances by December 31, 2021. Note also that FireEye released a kill switch that was reported to stop the continued attack. However, impacted entities will have a long road to restore impacted systems and determine what was already compromised. As CISA has repeatedly advised in its updates, restoring impacted systems and removing all traces of malware is not a simple task. Prior to the New Year, a further vulnerability in SolarWinds’ Orion product was reported by Carnegie Mellon. The report indicated that the Orion API authentication bypass can allow a hacker to remotely execute commands. While a patch is available to address this, we still recommend caution, as further vulnerabilities in the product may come to light in the coming weeks. Rumors were circulating that Microsoft’s cloud environment had also been compromised as a result of the Orion Trojan. CISA and DHS explained in a briefing on Friday, December 18, 2020, that Microsoft Cloud was not compromised. However, the Trojan hidden in the Orion March 2020 upgrade allowed the bad actors to steal credentials to impacted entities’ other accounts, including Microsoft Cloud access credentials.
With the legitimate (stolen) credentials, the bad actors were able to access data in entities’ Microsoft cloud accounts. Potentially impacted firms are advised to examine the Active Directory in their Microsoft account for anomalous activity. In CISA/DHS’s latest update, they highlighted another problem with the Orion compromise. Because of the access within a company’s systems that the Orion product needed in order to function properly, it allowed bad actors to take over administrative-level credentials, potentially giving hackers “God access” or a “God door” to impacted systems. What this means is that the hackers could not only compromise systems that the Orion product interacted with, but could also migrate throughout an infected system and access other tools, programs, etc. In short, omni-access, if you will. As such, eradicating these hackers will require companies where the Trojan was deployed to carefully assess all systems and tools used in their networks. Business emails of high-level officials and roles within an organization have been observed as particular targets of the APT. As such, refresher training of personnel to heighten awareness of business email compromise is in order. Even if your entity was not running one of the impacted products, check with key vendors to ascertain whether they were impacted. If so, their access to your systems may have been compromised and/or their ability to provide their services to your organization may be impacted. Other Notables and Tips:
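The advice above to review directory sign-in activity for anomalies, and the observation that the actor used stolen but legitimate credentials, is the kind of check that is easiest to reason about with a concrete baseline-versus-review comparison. The following Python script is an added example written for this post; it is not from the original article, SolarWinds, CISA or Microsoft. The sign-in records are constructed sample data, the field names (user, ip, country, time, app) are assumed to mirror a typical cloud sign-in export, and the list of privileged accounts and the review cutoff date are assumptions. It flags sign-ins that depart from each account's earlier behaviour: a new country, a privileged account appearing from a new IP address, first use of an application, two countries within a short window, and accounts with no baseline history at all.

```python
"""
Added example (not from the original post): compare sign-in records
after a review cutoff against each account's earlier baseline and
report departures a reviewer would want to look at.
"""
from datetime import datetime, timedelta

# Constructed sample of cloud sign-in events (fictional users, IPs, dates).
# Records before REVIEW_CUTOFF form the baseline; later ones are reviewed.
SAMPLE_SIGNINS = [
    {"user": "cfo@example.com", "ip": "203.0.113.10", "country": "US",
     "time": "2020-11-02T09:15:00", "app": "Exchange Online"},
    {"user": "cfo@example.com", "ip": "203.0.113.10", "country": "US",
     "time": "2020-11-16T08:50:00", "app": "Exchange Online"},
    {"user": "svc-orion@example.com", "ip": "10.20.0.5", "country": "US",
     "time": "2020-11-10T03:00:00", "app": "Azure Portal"},
    {"user": "admin@example.com", "ip": "203.0.113.22", "country": "US",
     "time": "2020-11-20T10:05:00", "app": "Azure Portal"},
    # Review period.
    {"user": "cfo@example.com", "ip": "203.0.113.10", "country": "US",
     "time": "2020-12-15T09:02:00", "app": "Exchange Online"},
    {"user": "cfo@example.com", "ip": "198.51.100.7", "country": "NL",
     "time": "2020-12-15T09:10:00", "app": "Exchange Online"},
    {"user": "svc-orion@example.com", "ip": "198.51.100.40", "country": "US",
     "time": "2020-12-16T14:30:00", "app": "Exchange Online"},
    {"user": "admin@example.com", "ip": "203.0.113.22", "country": "US",
     "time": "2020-12-17T11:00:00", "app": "Azure Portal"},
]

# Assumed: accounts whose sign-ins deserve stricter scrutiny.
PRIVILEGED = {"admin@example.com", "svc-orion@example.com"}
# Assumed review cutoff: activity before it is treated as the baseline.
REVIEW_CUTOFF = "2020-12-01T00:00:00"


def _parse(rec):
    """Attach a datetime to a record without mutating the input."""
    return {**rec, "when": datetime.fromisoformat(rec["time"])}


def build_baseline(records, cutoff):
    """Per user: countries, IPs and applications seen before the cutoff."""
    base = {}
    for r in (_parse(x) for x in records):
        if r["when"] >= cutoff:
            continue
        entry = base.setdefault(r["user"], {"countries": set(), "ips": set(), "apps": set()})
        entry["countries"].add(r["country"])
        entry["ips"].add(r["ip"])
        entry["apps"].add(r["app"])
    return base


def find_anomalies(records, cutoff, privileged=PRIVILEGED, travel_window=timedelta(hours=2)):
    """Return a list of findings for sign-ins at or after the cutoff."""
    base = build_baseline(records, cutoff)
    review = sorted((r for r in (_parse(x) for x in records) if r["when"] >= cutoff),
                    key=lambda r: (r["user"], r["when"]))
    findings = []
    last_seen = {}  # user -> previous reviewed sign-in, for the travel check

    def flag(r, kind, detail):
        findings.append({"user": r["user"], "kind": kind, "detail": detail, "time": r["time"]})

    for r in review:
        seen = base.get(r["user"])
        if seen is None:
            flag(r, "no_baseline", "account has no sign-ins before the cutoff")
        else:
            if r["country"] not in seen["countries"]:
                flag(r, "new_country", f"first sign-in from {r['country']}")
            if r["user"] in privileged and r["ip"] not in seen["ips"]:
                flag(r, "privileged_new_ip", f"privileged account from new IP {r['ip']}")
            if r["app"] not in seen["apps"]:
                flag(r, "new_app", f"first use of application {r['app']}")
        prev = last_seen.get(r["user"])
        if prev and prev["country"] != r["country"] and r["when"] - prev["when"] <= travel_window:
            flag(r, "rapid_country_change",
                 f"{prev['country']} then {r['country']} within {r['when'] - prev['when']}")
        last_seen[r["user"]] = r
    return findings


def run_example():
    """Run the check over the constructed sample with the assumed cutoff."""
    return find_anomalies(SAMPLE_SIGNINS, datetime.fromisoformat(REVIEW_CUTOFF))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['time']}  {f['user']:<24} {f['kind']:<20} {f['detail']}")
```

On the sample data the script reports four findings: the CFO account signing in from a new country and, minutes later, from a second country; and the Orion service account appearing from a new IP and using an application it had never used. The admin account, whose activity matches its baseline, produces nothing. Each finding is a starting point for review rather than a verdict: a new country may be travel, and a service account's first use of an application may be a legitimate change, so the output is meant to be read alongside change records and the account owner's confirmation.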
If you have questions regarding the foregoing, or would like referrals to additional resources, please contact your attorney or the author of this blog post, Michelle A. Schaap of Chiesa Shahinian & Giantomasi PC’s Privacy & Data Security Group. *Impacted Products: