SolarWinds Orion was breached today in a manner consistent with some of the most advanced persistent threats (APTs) we’ve seen. An advanced persistent threat is a broad term for an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.
In this case we are talking about a massive amount of government, federal, defense and big business data, over months on end.
SolarWinds President John Pagliuca made the following announcement earlier today:
We have just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 through 2020.2.1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed incident, as opposed to a broad, system-wide attack.
At this time, we are not aware of an impact to our SolarWinds MSP products including RMM and N-central.
If you own a SolarWinds Orion product, we recommend you visit www.solarwinds.com/securityadvisory for more detailed information. If you have any immediate questions, please contact Customer Support at 1-866-530-8040 or firstname.lastname@example.org.
Security and trust in our software are the foundation of our commitment to our customers. Thank you for your continued patience and partnership as we continue to work through this issue.
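The announcement names the affected Orion builds as versions 2019.4 through 2020.2.1. The first thing a defender wants is a quick way to triage an inventory against that range, since SolarWinds version strings vary in length ("2019.4", "2020.2.1") and may carry hotfix suffixes. The following is an added example, not code from SolarWinds, Microsoft or the original post; the hostnames and versions in the inventory are constructed sample data, and the version-string handling (three numeric components, non-numeric suffix ignored) is an assumption for illustration.

```python
"""Flag SolarWinds Orion installations whose version falls inside the range
named in the SolarWinds advisory (2019.4 through 2020.2.1).
Added example; SAMPLE_INVENTORY is constructed, not real data."""
from typing import Dict, List, Tuple

# Range exactly as stated in the advisory text.
AFFECTED_MIN = "2019.4"
AFFECTED_MAX = "2020.2.1"


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2020.2.1' into (2020, 2, 1), padding to three components so
    that '2019.4' compares as (2019, 4, 0).  Any non-numeric suffix such
    as 'HF5' is dropped (assumption: hotfixes do not change the numeric
    build ordering for the purpose of this range check)."""
    parts: List[int] = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break  # stop at first non-digit ('1 HF5' -> '1')
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version is inside the advisory range, inclusive."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


# Constructed sample inventory: hostname -> installed Orion platform version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "npm-01.corp.example": "2020.2.1",
    "npm-02.corp.example": "2019.4 HF5",
    "lab-orion.corp.example": "2018.4",
    "dr-orion.corp.example": "2020.2.4",
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose Orion version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Orion {SAMPLE_INVENTORY[host]} is in the advisory range; "
              f"isolate the host and review it for indicators of compromise")
```

A hit from this check is a triage signal, not a verdict: it tells you which hosts run a build the advisory covers and therefore need isolation and review, while a miss says only that the installed version string is outside the stated range. Run it against your real asset inventory rather than the constructed dictionary above.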
Microsoft’s Security Response Center published a very helpful read about the technical details used by the actor.
Security isn’t easy, nor is it cheap. Even while following the strictest security frameworks, attacks like this can persist and evade security products. Defense in layers is the ideal, backed ultimately by a true immutable backup in the event of total compromise.
Update: CISA has released a bulletin:
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.