An Executive’s Guide to the Attack on FireEye and SolarWinds

NetCraftsmen®

Originally published December 14, 2020. Last updated January 11, 2021.

The widespread extent of the SolarWinds security compromise and the theft of FireEye’s penetration-testing tools is probably the most significant network security event since the WannaCry ransomware attack in 2017.

Summary

This attack has the potential to compromise your entire infrastructure. To gauge the extent of the threat, consider that the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Homeland Security (DHS) issued an Emergency Directive on Dec 13, 2020 requiring all US Federal Departments to turn off or disconnect their SolarWinds Orion systems by noon Eastern on Dec 14, 2020.

January 6, 2021: The CISA directive has been updated with specific steps that should be followed. We’ve updated this article accordingly; see below.

This is unprecedented and the investigation is ongoing. The actual depth and breadth of the attack continues to grow as investigators uncover more data. The latest reporting by the New York Times suggests that more than 250 organizations have been affected, including federal agencies and major businesses like Microsoft and Amazon.

What should you do if your organization is one of the 300,000 customers of SolarWinds and FireEye? Our security team has some recommendations on steps to take and how to handle the situation.

Assess the Situation

First, if your team runs SolarWinds Orion, was that version at risk?

  • The vulnerable versions were released between March 2020 and June 2020, as documented in the SolarWinds advisory. Many organizations don’t update their applications very frequently, so have the network management tools team determine whether a vulnerable version was ever installed, not just whether one is running today.
  • CISA Update: January 6, 2021: CISA updated Emergency Directive 21-01 with explicit steps that must be followed. Note that you must scroll down to find the section titled Supplemental Guidance v3, dated January 6, 2021. Agencies that ran the affected versions of SolarWinds Orion must conduct forensic analysis to detect additional actions by the threat actors. Any further use of SolarWinds must comply with the hardening requirements. Finally, report to CISA.
  • CISA Update: December 30, 2020: All affected versions must be powered down or otherwise removed from Federal networks. The directive also clearly states that any system that previously ran an affected image must be treated as compromised; no system that ever ran an affected version should remain online. In addition, both unaffected and other versions must be upgraded to Orion Release 2020.2.1HF2.
  • CISA Update: December 18, 2020: The SolarWinds Orion version vulnerability list has been updated. For clarity, the versions of SolarWinds Orion were broken into three groups: 1) the ‘affected’ versions (containing the malicious backdoor), 2) the versions identified as not having the backdoor (‘unaffected’), and 3) other versions. This clarifies the actions needed, but all other aspects of ED 21-01 remain in place.

Then, if a vulnerable version of SolarWinds was used, understand that many implementations give Orion read and write access to your infrastructure, meaning a compromise would have permitted the attacker to modify your infrastructure and systems.

  • How is Orion used at your company?
  • Were any unauthorized firewall rules deployed from it?
  • Were any unauthorized changes made to router, switch or other infrastructure devices?
  • Have you lost any data?

A security information and event manager (SIEM) may help the security team identify potential data loss. At this point, it isn’t clear what data was of interest, so have them look for anything out of the ordinary.

The attack on FireEye didn’t impact their products (to our knowledge). Instead, their penetration-testing tools were stolen and may be used by this or other bad actors in the future. FireEye has published a link to its list of countermeasures (a technical list of the penetration tools and a mitigation for each).

What Next?

How should you and your organization proceed from here? Our security team has created a list of next steps to help you navigate this threat:

  1. Monitor CISA’s announcements for guidance at https://cisa.gov. CISA has already published an announcement of the compromise and a corresponding Emergency Directive 21-01; have your IT security team review and act on its recommendations. January 6, 2021: The revised Directive contains a table summarizing the conditions under which SolarWinds Orion may continue to be used:

For footnotes and further information see: https://cyber.dhs.gov/ed/21-01/

  2. The first action is to disconnect SolarWinds from the network or turn it off. If your organization can do forensic analysis, follow the directive and do this first. If that capability doesn’t exist or cannot be done quickly, turn SolarWinds Orion off until CISA releases a new recommendation. When the industry determines that SolarWinds is safe, plan to build a new SolarWinds implementation. January 6, 2021: This is what CISA is now requiring.
  3. Then your IT security team should assess whether any of the systems monitored and managed by SolarWinds have been compromised or had unauthorized changes, especially firewall rule changes or unauthorized software updates or installations. A variety of tools can help with this process; please contact us if you need guidance. The security team should also evaluate system access logs to determine whether any lateral movement by a potential attacker can be detected.
  4. FireEye’s penetration tools were stolen, and you should consider your organization vulnerable until your IT security team proves otherwise. FireEye’s security recommendations should be followed, as published in a detailed threat research document (useful for your IT security team): Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor.
  5. January 6, 2021: Also review CISA Alert (AA20-352A), which describes other threat vectors. Any systems which SolarWinds Orion was able to manage (i.e., for which it held read/write credentials, or read access to sensitive data such as login information) should be rebuilt.
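As an added example, not code from NetCraftsmen or the original article, the check described under Assess the Situation and in the assessment step of the list above, carried out over constructed Cisco IOS-style syslog lines: configuration-change events whose source address is the assumed Orion poller are flagged when they fall outside every approved change window, giving the security team a short list to review against change tickets. The Orion address, device names, timestamps and change tickets are all assumed.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (ISO timestamp, hostname, Cisco IOS-style message).
# Illustrative only; not captured from any real network.
SAMPLE_LOGS = [
    "2020-06-02T02:15:00 core-sw1 %SYS-5-CONFIG_I: Configured from console by orion on vty0 (10.10.10.50)",
    "2020-06-14T03:41:00 edge-fw1 %SYS-5-CONFIG_I: Configured from console by orion on vty1 (10.10.10.50)",
    "2020-06-14T09:12:00 core-sw2 %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.20.0.7)",
    "2020-06-14T09:13:00 core-sw2 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
]

# Assumed address of the SolarWinds Orion poller that holds write credentials.
ORION_HOST = "10.10.10.50"

# Assumed approved change windows (start, end, ticket) from the change-management system.
APPROVED_WINDOWS = [
    (datetime(2020, 6, 2, 1, 0), datetime(2020, 6, 2, 3, 0), "CHG-1001"),
]

# Matches only configuration-change messages; all other syslog lines are ignored.
CONFIG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) %SYS-5-CONFIG_I: Configured from \S+ "
    r"by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[\d.]+)\)$"
)


def parse_config_events(lines):
    """Extract configuration-change events as dicts with a parsed timestamp."""
    events = []
    for line in lines:
        m = CONFIG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def flag_unapproved_orion_changes(events, orion_host=ORION_HOST, windows=APPROVED_WINDOWS):
    """Return (device, timestamp, user) for changes pushed from the Orion host
    that fall outside every approved change window."""
    flagged = []
    for ev in events:
        if ev["src"] != orion_host:
            continue  # this check only covers changes originating from Orion
        if any(start <= ev["ts"] <= end for start, end, _ in windows):
            continue  # covered by an approved ticket
        flagged.append((ev["device"], ev["ts"].isoformat(), ev["user"]))
    return flagged


if __name__ == "__main__":
    for device, ts, user in flag_unapproved_orion_changes(parse_config_events(SAMPLE_LOGS)):
        print(f"REVIEW: {device} reconfigured at {ts} by {user} from the Orion host outside any change window")
```

Changes made from other addresses are not flagged by this check, so pair it with the access-log review for lateral movement that the step describes.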

This security compromise is very disruptive to businesses that are busy trying to stay ahead of other threats. NetCraftsmen is tracking the events and is prepared to assist with an analysis or the structuring of an alternative network management system.

Updates will be posted on this site as we evaluate CISA and appropriate vendor advisories.

For more information or if NetCraftsmen can help, please contact our Chief Technology Officer, John Cavanaugh directly at jcavanaugh@netcraftsmen.com.


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his PlayStation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in the IT industry, spanning academia, technical and customer support, pre-sales, post-sales, project management, training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as a Field Solutions Architect with a focus on Cisco Security and holds several Cisco certifications, including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously, he held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase, where he led a team managing network architecture and services. Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs and align technology strategies with business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure network infrastructure and data centers, and has worked on projects worldwide. He has worked in both business and regulatory environments on the design and deployment of complex IT infrastructures.