The SolarWinds Orion Threat and Your Cybersecurity Posture.

By Freed Maxick RAS Team on December 23, 2020

The recent SolarWinds breach underscores the importance of several key cybersecurity concepts. Though the sophistication and pervasiveness of the attack are far above average, it is a reminder of the value of getting the basics right.

Though no single approach to cybersecurity can prevent an attack of this complexity on its own, your organization's security posture can certainly reduce the impact and demonstrate your IT team's ability to protect and respond.

The posture required to work through this type of nation-state threat is defined by several items your organization should consider, including:

  • A robust Incident Response Plan
  • True Segmented and Layered Network Architecture
  • Sound Monitoring and Detection Practices
  • Vigorous Third-Party Management Processes
  • Strong Access Controls, especially around Privileged Access, Authentication and Key/Token Management
  • Vigilant System Configuration and Management, including Secure System Build Processes and Patching / Update Processes

Freed Maxick’s Risk Advisory Services Team recommends the following steps taken directly from The Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT), part of the Department of Homeland Security (DHS):

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

https://cyber.dhs.gov/ed/21-01/

DETECTION & ANALYSIS: Verify that SolarWinds Orion is not in use, specifically these products:
  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
  • SolarWinds has provided a complete list of all impacted products at: https://www.solarwinds.com/securityadvisory
Verify whether any of the following exist:
  • [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448]
  • [C:\WINDOWS\SysWOW64\netsetupsvc.dll]
CONTAINMENT, ERADICATION & RECOVERY: Any systems that are (1) running the above versions of SolarWinds Orion and/or (2) contain the above-mentioned dynamic link libraries should be disconnected for remediation.
  • Treat any hosts monitored by the SolarWinds Orion monitoring software as compromised and assume that further persistence mechanisms have been deployed;
  • Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources;
  • Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.

These additional steps are also recommended as of today, because this APT is believed to be affecting more than just organizations that have deployed SolarWinds Orion.

  • Verify that all system security updates, patches and operating system versions are current
  • Verify that DNS logs contain no past entries for the name avsvmcloud[.]com resolving to 140.0[.]1 (such an entry will most likely appear as a single, isolated instance, well spaced from any other occurrence.)
  • Verify appropriate use of highly privileged accounts and where possible change passwords
  • Verify that any authentication tokens and credentials for highly privileged Active Directory domain accounts are appropriate, especially Security Assertion Markup Language (SAML) signing certificates, which an attacker with escalated Active Directory privileges could misuse
  • Monitor for "Impossible Logins" based on "Impossible Travel" (users logging in from distant geographic locations that the user is unlikely to be logging in from)
  • Monitor for extended SAML tokens beyond your organization's usual time limit (such as longer than one hour)
  • Monitor for SAML tokens with different timestamps, including the time it was issued and the last time it was used
  • Monitor for SAML tokens that do not have an associated login with its user account within an hour of the token being generated
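The three SAML monitoring rules above can be expressed as a small detection check. The following is an added example written for this post, not code from Freed Maxick or CISA; it assumes a one-hour usual token lifetime and a constructed, simplified log format (token id, user, issued, expires, last-used timestamps plus a list of interactive logons).

```python
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)  # assumed organizational limit for SAML token lifetime

# Constructed sample SAML token records, in a simplified identity-provider log format.
TOKENS = [
    {"id": "t1", "user": "alice", "issued": "2020-12-20T09:00:00", "expires": "2020-12-20T10:00:00", "last_used": "2020-12-20T09:30:00"},
    {"id": "t2", "user": "bob",   "issued": "2020-12-20T11:00:00", "expires": "2020-12-21T11:00:00", "last_used": "2020-12-20T23:10:00"},
    {"id": "t3", "user": "carol", "issued": "2020-12-20T13:00:00", "expires": "2020-12-20T14:00:00", "last_used": "2020-12-20T13:20:00"},
    {"id": "t4", "user": "dave",  "issued": "2020-12-20T15:00:00", "expires": "2020-12-20T16:00:00", "last_used": "2020-12-20T14:45:00"},
]
# Constructed interactive logon events for the same accounts.
LOGINS = [
    {"user": "alice", "time": "2020-12-20T08:58:00"},
    {"user": "bob",   "time": "2020-12-20T10:59:00"},
    {"user": "dave",  "time": "2020-12-20T14:59:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def suspicious_saml_tokens(tokens, logins, max_lifetime=ONE_HOUR):
    """Return {token_id: [reasons]} for tokens that match any of the three rules."""
    findings = {}
    for tok in tokens:
        issued, expires, used = _ts(tok["issued"]), _ts(tok["expires"]), _ts(tok["last_used"])
        reasons = []
        # Rule 1: token lifetime longer than the organization's usual limit.
        if expires - issued > max_lifetime:
            reasons.append("lifetime exceeds limit")
        # Rule 2: issued / last-used timestamps that contradict each other
        # (the token was used before it was issued or after it expired).
        if used < issued or used > expires:
            reasons.append("inconsistent timestamps")
        # Rule 3: no logon for the account within an hour of the token being generated.
        if not any(lg["user"] == tok["user"] and abs(_ts(lg["time"]) - issued) <= max_lifetime
                   for lg in logins):
            reasons.append("no associated login")
        if reasons:
            findings[tok["id"]] = reasons
    return findings


if __name__ == "__main__":
    for token_id, reasons in suspicious_saml_tokens(TOKENS, LOGINS).items():
        print(token_id, ", ".join(reasons))
```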

It goes without saying that any third-party relationship that you have should also be verified against these criteria. Your organization should be aware of any third-party you use that may require these remediation steps and the status of that activity.

Though these items alone will not completely protect you from this recent threat, these additional steps will help to identify an attack if one is occurring.

Further, we expect this APT to continue to evolve as more information comes to light over the next few months. Please stay vigilant.
