On December 13, 2020 FireEye released their research into the compromise of the SolarWinds Orion supply chain, resulting in the compromise of a significant number of organizations around the world. Recommendations for incident response have been published by multiple entities with intimate knowledge of the situation, including FireEye, Microsoft, and the United States Department of Homeland Security. In this post, our incident response team will summarize what is known at this point and recommendations that affected organizations should consider.
What We Know
The following summarizes the information that has been made public at this point:
- A sophisticated threat actor dubbed “UNC2452” by FireEye conducted a supply chain attack on SolarWinds Orion network monitoring platform.
- SolarWinds reported that “fewer than 18,000” customers may have had an installation of the trojanized software.
- The campaign resulted in successful intrusion into a wide range of organizations spanning government agencies and private sector companies.
- The threat actors applied excellent operational security in their operations to disguise their activities and avoid detection.
- Investigations into these intrusions are ongoing and there is still a lot that we do not know.
Recommendations
If your organization is using SolarWinds products, we recommend the following actions:
Containment
- If your organization is running products in the SolarWinds advisory, block all outbound connections to the internet for assets running the SolarWinds products immediately
- For a majority of environments and use cases this should have a minor to negligible impact. If this is not feasible, limit outbound traffic to only the protocols and hosts that are necessary for operation
- Note that this likely does not contain the threat actors if they are already active in your environment. Rather, it prevents initial access if they have not already infiltrated the environment.
- Proceed with the assumption that you may be compromised. Conduct threat hunts in your environment looking for anomalous activity starting shortly after the Orion update
- Do not rely solely on the indicators of compromise provided by FireEye or Microsoft. Threat actors of this calibre and operational security commonly have dedicated infrastructure and toolsets per target.
- For threat hunting, focus on assets running Orion communicating with abnormal domains, IP blocks and ASNs. Also look at other assets communicating with abnormal domains, IP blocks and ASNs, as well as anomalous logins and east/west traffic. The SolarWinds supply chain may have been compromised sometime between October 2019 and March 2020.
- Change passwords that are used by or have been used to access SolarWinds systems.
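The hunting steps above (Orion hosts talking to abnormal destinations after the update, then pivoting to other assets that contacted the same destinations) can be scripted against connection logs. The following is an added example written for this post, not tooling from SolarWinds, FireEye or Microsoft; the log format, host names, baseline and update date are all constructed, and in a real hunt the baseline would come from traffic captured before the Orion update was installed.

```python
"""Added example: hunt connection logs for Orion hosts reaching non-baseline
destinations after the update, then pivot to other hosts that contacted the
same destinations. Log lines, host names, baseline and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed: hosts that inventory says run SolarWinds Orion components.
ORION_HOSTS = {"orion-poller-01", "orion-web-01"}

# Constructed baseline of destinations Orion legitimately needs (vendor
# domains plus internal networks it polls). Derive this from pre-update
# traffic in a real environment rather than guessing.
BASELINE_DOMAINS = {"solarwinds.com"}
BASELINE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: when the trojanized Orion build was installed in this
# environment. Connections before this are outside the hunting window.
UPDATE_INSTALLED = datetime(2020, 3, 26)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src_host: str
    dst: str        # domain name or IP literal
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<ISO-ts> <src_host> -> <dst>:<port>'."""
    ts, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, host, int(port))


def in_baseline(dst: str) -> bool:
    """True if dst is an expected destination (baseline domain or internal net)."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # Not an IP literal: treat as a domain; match the domain or any subdomain.
        return any(dst == d or dst.endswith("." + d) for d in BASELINE_DOMAINS)
    return any(addr in net for net in BASELINE_NETWORKS)


def hunt_orion_hosts(lines):
    """Orion hosts contacting non-baseline destinations after the update."""
    hits = []
    for line in lines:
        c = parse_line(line)
        if (c.src_host in ORION_HOSTS
                and c.ts >= UPDATE_INSTALLED
                and not in_baseline(c.dst)):
            hits.append(c)
    return hits


def pivot_on_destinations(lines, hits):
    """Other (non-Orion) hosts that also contacted a destination flagged above."""
    suspect = {h.dst for h in hits}
    return [c for c in map(parse_line, lines)
            if c.src_host not in ORION_HOSTS and c.dst in suspect]


# Constructed sample log: one pre-update line, one internal poll, two
# abnormal destinations from Orion hosts, and one other asset reaching one
# of those destinations.
SAMPLE_LOG = [
    "2020-03-20T10:00:00 orion-poller-01 -> downloads.solarwinds.com:443",
    "2020-04-02T03:14:07 orion-poller-01 -> 10.20.30.40:161",
    "2020-04-02T03:15:31 orion-poller-01 -> unknown-cdn.example:443",
    "2020-04-03T22:41:05 orion-web-01 -> 203.0.113.17:443",
    "2020-04-04T01:02:03 fileserver-02 -> unknown-cdn.example:443",
    "2020-04-04T09:00:00 workstation-17 -> solarwinds.com:443",
]

if __name__ == "__main__":
    orion_hits = hunt_orion_hosts(SAMPLE_LOG)
    for c in orion_hits:
        print(f"ORION  {c.ts} {c.src_host} -> {c.dst}:{c.dst_port}")
    for c in pivot_on_destinations(SAMPLE_LOG, orion_hits):
        print(f"PIVOT  {c.ts} {c.src_host} -> {c.dst}:{c.dst_port}")
```

Every hit from this script is a lead, not a verdict: the baseline is deliberately strict so that unexpected destinations surface, and each flagged destination still needs to be reviewed (passive DNS, WHOIS, ASN ownership) before anything is declared malicious. Run the same pivot against authentication logs for the flagged hosts to cover the anomalous-login and east/west recommendations above.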
Remediation/Mitigation
- Upgrade to the latest version of the Orion platform available from SolarWinds. A patch has been made available today, and another hotfix is set to be released on December 15.
- Apply least privilege to the user account used by SolarWinds.
- Examples of this can be found in SolarWinds documentation, including:
- Read only access to VMWare environment (https://documentation.solarwinds.com/en/Success_Center/VMAN/Content/VMAN-Required-permissions-for-VMware-and-Hyper-V-credentials.htm)
- Removing SYSADMIN privilege after registration for SQL DPA monitoring (https://support.solarwinds.com/SuccessCenter/s/article/SQL-Server-permissions-for-DPA-monitoring?language=en_US)
- Non-Admin Account for SAM polling (https://support.solarwinds.com/SuccessCenter/s/article/How-to-create-a-non-administrator-user-for-SAM-polling?language=en_US)
- Other least privilege steps can be found online or by contacting SolarWinds support
- Implement proper security controls and IT hygiene to limit the impact or scope of a threat actor
References
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://github.com/fireeye/sunburst_countermeasures
- https://cyber.dhs.gov/ed/21-01/
- https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://www.solarwinds.com/securityadvisory
- https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/57108215-4458-4dd8-a5bf-55bd5e34d451.pdf