SolarWinds Attack - At a Glance
The global intrusion campaign, that started with the news of a FireEye exploit, is a supply chain attack trojanizing SolarWinds Orion’s business software updates, an IT performance monitoring platform, to distribute malware.
This is an expansive, highly evasive and aggressive set of attacks by sophisticated, nation-state sponsored hackers against government and commercial entities across the globe. It has been widely reported that Cozy Bear, a Russian hacking group, is behind the compromises that could have begun as early as Spring 2020.
As many as 18,000 SolarWinds clients may have been compromised. As of December 16th, three US government agencies have publicly confirmed they were compromised: The Department of Commerce, the Department of Homeland Security and the Agriculture Department.
Emtec’s Response
While Emtec’s organization and client support systems have not been affected, we continue to be diligent in our efforts to assess and conduct necessary threat detection and behavior anomaly scans to keep a 360-degree awareness of our security posture across Emtec’s network and user devices. Emtec also conducts penetration tests on a regular basis. We are taking the necessary steps to keep our Emtec environment and client data secure.
What you should do Immediately
This vulnerability poses an extremely high risk to government and business entities alike. Small, medium and large firms are equally exposed. Companies that utilize SolarWinds for business platform availability monitoring should be concerned. To better understand your exposure and reduce your risk, here are 5 activities our team advises organizations to perform immediately.
- Determine internal exposure to SolarWinds breach ASAP
Evaluate internally if you are running the SolarWinds Orion Platform, what version and any hotfixes which have been applied. Follow SolarWinds remediation and upgrade recommendations immediately. - Verify any vendor/partner exposure
Do you partner with external vendors to support your network and critical systems? If so, reach out to all parties to confirm if they have any exposure and if your information or systems may have been compromised. - Assess your network for vulnerabilities
Utilize a vulnerability management solution to perform a scan of your network including endpoints, server operating systems and applications to reveal any potential gaps that need to be remediated. Periodic penetration tests are another good best practice to employ as well. Digital Defense offers a full suite of vulnerability management and penetration testing solutions. For a full list of cyber security tools we recommend for small and medium businesses, read our recent blog on the subject. - Evaluate your current cyber security strategies
Cyber security should be looked at as a business investment not just an IT investment. It is critical that you evaluate your current cyber security strategies and measures for potential gaps and evaluate additional investments and expanded procedures to better position you against attacks in the future. Part of this evaluation should be an incident response plan. Do you have incident response plan in place and is it up to date for your current systems? It’s not the best time to figure out how you will respond and continue to provide services once a breach occurs. - Leverage real-time behavior-based detection
These types of attacks are why real-time threat detection is so important for organizations. Behavior-based detection platforms focus on behavior-based analytics which do not rely on signatures, blacklists or awareness of the specific technique to identify unauthorized and/or malicious behaviors. An advanced, behavior-based analytics suite can identify new variants of malware, new attack techniques as well as attacks from fresh IP addresses and URLs. Cybraics is an excellent platform which we recommend for real time- threat detection to reduce risk of this type of attack.
Today it is SolarWinds and FireEye, tomorrow it could be other critical partners or tools you utilize. Do you understand the impact on your organization and how would you respond to it? It is important to be prepared.
If you need more hands on-deck or have questions/concerns about your potential exposure, please contact our team immediately. We are ready to help you “Keep Them Out and Seek Them Out”!
References
Center for Internet Security- https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-solarwinds-orion-could-allow-for-arbitrary-code-execution_2020-166/
SolarWinds Security Advisory- https://www.solarwinds.com/securityadvisory
FireEye blog - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Ars Technica - https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/
CNN - https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
