Incident Response to SolarWinds Orion Software Compromise for SMEs
2021-03-01
In early December 2020, it was revealed that a state-sponsored cyber attack had been launched through a supply chain compromise of the SolarWinds Orion monitoring software, initially affecting FireEye, a cybersecurity company. The attack worked by inserting a backdoor, known as Sunburst, into the software, enabling the attackers to remotely control the SolarWinds platform and use it to exfiltrate sensitive data from private-sector businesses, organizations, and government agencies. The attacks appear to have started in September 2019 and were discovered almost a year later.
More recently, it was learned that a separate, unconnected attack -- also believed to be state-sponsored -- was launched at the same time on certain government payroll systems. Now, others have been attacked. While SolarWinds announced it has patched the vulnerabilities, investigations into the incidents are ongoing, especially in light of additional attacks via Microsoft 365 and the Azure cloud environment.
"These hacks present ongoing risks to businesses and organizations, with the potential to compromise networks, employee and consumer data, and intellectual property," said Chris Clements, vice president, solutions architecture, Cerberus Security Officer, Cerberus Sentinel. "Small and mid-sized enterprises (SMEs) can be particularly vulnerable, often operating with smaller staffs and limited budgets."
Cerberus Sentinel Corporation (OTC: CISO), a cybersecurity consulting and managed services firm based in Scottsdale, Ariz., reinforces the need for all organizations to be vigilant in keeping their cybersecurity defenses up to date. Specifically, the company offers the following counsel to SMEs to ensure protection against exploitation of mission-critical operations, resources, and software by the SolarWinds attack.
Questions for IT Teams
- Do you know if your organization has a SolarWinds product installed in production or if IT has tested it in a free trial demo?
If not, do the following:
- Contact your IT department and ask if the SolarWinds Orion product suite is or has ever been in use in your environment. The known affected software of the Orion platform is as follows:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
- If IT can't say for certain, or needs help determining with assurance whether backdoored instances of the SolarWinds product are present, consider using a network inventory or scanning tool, or working with a third party to assist with detection.
If you know you are using or have used a SolarWinds product in the past, do the following:
- Review all instances of the product (e.g., production, DR, lab) to learn what version of the software is installed. Versions of the software known to contain the Sunburst malware are:
- v2019.4 HF5
- v2020.2 (no hotfix)
- v2020.2 HF1
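The two checks above (is an affected Orion module present anywhere, and is the installed version one of the three Sunburst builds) are easiest to run over an export from whatever inventory or scanning tool IT already uses, so that production, DR and lab instances are reviewed in one pass. The following is an added example, not Cerberus Sentinel's or SolarWinds' tooling; it assumes the inventory export is a CSV with `host`, `environment`, `module` and `version` columns (an assumed format), and the sample rows are constructed. It matches modules by the abbreviations in the list above, normalises version strings such as `v2020.2 HF1` or `2019.4 hf5`, and flags rows whose version could not be parsed so they are reviewed by hand rather than silently passed.

```python
"""Triage helper for the SolarWinds Orion checks described above.

Added example (not the page's own tooling): reads a software-inventory
export and reports every host running one of the listed Orion modules,
marking which of them are on a version known to contain Sunburst.
"""
import csv
import io
import re

# Affected Orion platform modules, by the abbreviations given in the list above.
AFFECTED_MODULES = {
    "ACM", "DPAIM", "EOC", "HA", "IPAM", "LA", "NAM", "NCM", "NOM",
    "NPM", "NTA", "SAM", "SCM", "SRM", "UDT", "VMAN", "VNQM", "WPM",
}

# Versions known to contain Sunburst, normalised to (release, hotfix number).
# "v2020.2 (no hotfix)" is represented as hotfix 0.
SUNBURST_VERSIONS = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}

# Accepts "v2020.2 HF1", "2020.2", "2019.4 hf5" and "v2020.2 (no hotfix)".
_VERSION_RE = re.compile(
    r"^v?(\d{4}(?:\.\d+)+)(?:\s*HF\s*(\d+)|\s*\(no hotfix\))?$",
    re.IGNORECASE,
)

# Constructed sample export; the assumed column layout is host,environment,module,version.
SAMPLE_INVENTORY = """host,environment,module,version
orion-prod-01,production,NPM,v2020.2 HF1
orion-prod-01,production,NCM,v2020.2 HF1
orion-dr-01,DR,NPM,2019.4 HF5
lab-vm-07,lab,SAM,2020.2
lab-vm-07,lab,IPAM,2020.9 HF9
orion-lab-02,lab,WPM,unknown
fileserver-02,production,Office,16.0
"""


def parse_version(text):
    """Normalise an Orion version string to (release, hotfix).

    Returns None when the string is not in a recognisable Orion form, so
    the caller can route it to manual review instead of treating it as clean.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    release, hotfix = match.group(1), match.group(2)
    return (release, int(hotfix) if hotfix else 0)


def is_sunburst_version(text):
    """True only for the three builds listed above as containing Sunburst."""
    parsed = parse_version(text)
    return parsed is not None and parsed in SUNBURST_VERSIONS


def triage_inventory(csv_text):
    """Return one finding per inventory row that names an affected Orion module.

    status is one of:
      sunburst-version  - module present on a version known to contain Sunburst
      module-present    - affected module present, version not in the Sunburst list
      unknown-version   - affected module present, version string unparseable
    Rows for software outside the affected-module list are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        module = row["module"].strip().upper()
        if module not in AFFECTED_MODULES:
            continue
        version = row["version"].strip()
        if parse_version(version) is None:
            status = "unknown-version"
        elif is_sunburst_version(version):
            status = "sunburst-version"
        else:
            status = "module-present"
        findings.append({
            "host": row["host"].strip(),
            "environment": row["environment"].strip(),
            "module": module,
            "version": version,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print("{host:<14} {environment:<11} {module:<5} {version:<14} {status}".format(**finding))
```

The `unknown-version` status is deliberate: an inventory tool that cannot read a version (a stale agent, a trial install on a lab VM) should produce a finding to chase, not disappear from the report, since the question the page asks is whether the product is or has ever been present, not only whether a confirmed bad build is.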
