The recent hack against FireEye and the U.S. Treasury and Commerce Departments involved SolarWinds software used by more than 18,000 customers, most of them private companies, in addition to the widely reported government entities. SolarWinds has confirmed that a cyberattack on its systems inserted a vulnerability into the SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1 (see the SolarWinds Security Advisory if you are unsure which version you use). If your organization uses these products, prompt action may be needed to identify and mitigate potential security implications. The malware allows the (likely Russian) hackers to install a back door into companies using the Orion Platform. Some targets have been attacked and mined for data right away, while others carry the vulnerability but have not yet been exploited. Thousands of SolarWinds customers have already received notice directly from SolarWinds that their products were not affected by the incident and that no action is required. Otherwise, the following mitigation steps are recommended:
- Disconnect from the internet all Orion products running versions 2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1, and update them as directed in the SolarWinds Security Advisory
- Identify and block all traffic to and from external sources on the systems where Orion software is installed
- Remove exemptions for Orion software file directories in your organization’s antivirus software and scan those systems
- Identify accounts controlled by the threat actor and remove them
- Continue monitoring systems for other suspicious activity, and read updated advisories as more information about the attacks is discovered and released
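One way to carry out the host-side portions of the steps above on a Windows server running the Orion Platform, as an added example that is not part of this alert or of any SolarWinds or FireEye guidance. The affected-version list is taken from the text above; the install directory, the use of Microsoft Defender as the antivirus, and the `SolarWinds*` service-name pattern are assumptions to be adjusted for your environment.

```powershell
# Added example, not from the alert or from SolarWinds/FireEye.
# Assumptions: Orion installed under $OrionPath, Microsoft Defender as the
# antivirus, and the installed version supplied by the operator as shown in
# the Orion web console (e.g. '2020.2 HF 1').
#Requires -RunAsAdministrator
param([Parameter(Mandatory)][string]$InstalledVersion)

# Builds named in the advisory; Hotfix 0 means "no hotfix applied".
$AffectedBuilds = @(
    @{ Version = '2019.4'; Hotfix = 5 },
    @{ Version = '2020.2'; Hotfix = 0 },
    @{ Version = '2020.2'; Hotfix = 1 }
)

# Assumed install directory; change to match your deployment.
$OrionPath = 'C:\Program Files (x86)\SolarWinds\Orion'

function Test-AffectedOrionVersion {
    # Parses '2019.4', '2020.2 HF 1', etc. and compares against $AffectedBuilds.
    param([Parameter(Mandatory)][string]$VersionString)
    if ($VersionString -notmatch '^(?<ver>\d{4}\.\d+)(\s+HF\s*(?<hf>\d+))?$') {
        throw "Unrecognized version string: $VersionString"
    }
    $hotfix = if ($Matches['hf']) { [int]$Matches['hf'] } else { 0 }
    foreach ($b in $AffectedBuilds) {
        if ($b.Version -eq $Matches['ver'] -and $b.Hotfix -eq $hotfix) { return $true }
    }
    return $false
}

if (-not (Test-AffectedOrionVersion $InstalledVersion)) {
    Write-Host "$InstalledVersion is not one of the builds named in the advisory; nothing changed."
    return
}
Write-Warning "$InstalledVersion is an affected build. Applying containment steps."

# Step 1: stop SolarWinds services until the build has been updated.
Get-Service |
    Where-Object { $_.DisplayName -like 'SolarWinds*' -and $_.Status -eq 'Running' } |
    Stop-Service -Force

# Step 2: block inbound and outbound traffic for every executable under the Orion directory.
Get-ChildItem -Path $OrionPath -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($dir in 'Inbound', 'Outbound') {
            New-NetFirewallRule -DisplayName "Orion containment ($dir): $($_.Name)" `
                -Direction $dir -Program $_.FullName -Action Block -Profile Any | Out-Null
        }
    }

# Step 3: remove Defender path exclusions that cover the Orion directory, then scan it.
foreach ($ex in (Get-MpPreference).ExclusionPath) {
    if ($ex -like "$OrionPath*") { Remove-MpPreference -ExclusionPath $ex }
}
Start-MpScan -ScanType CustomScan -ScanPath $OrionPath

# Step 4: list enabled local accounts, newest password change first, for manual review.
# Deciding which accounts are threat-actor controlled still requires a human.
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, PasswordLastSet, LastLogon, Description |
    Sort-Object PasswordLastSet -Descending | Format-Table -AutoSize
```

Run it as `.\Contain-Orion.ps1 -InstalledVersion '2020.2 HF 1'` from an elevated prompt. To preview the changes first, append `-WhatIf` to the `Stop-Service`, `New-NetFirewallRule` and `Remove-MpPreference` calls; step 4 only reports and never deletes an account, since that decision belongs to the incident responder.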
SolarWinds and FireEye have also published the following advisories, which can help your organization determine what damage or data exposure, if any, the hackers inflicted and what else to do to protect your systems and data:
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures