Hackers broke into the networks of the Treasury and Commerce departments as part of a global cyberespionage campaign revealed Sunday. In response to what may be a large-scale penetration of U.S. government agencies, the Department of Homeland Security’s cybersecurity arm issued an emergency directive calling on all federal civilian agencies to scour their networks for compromise.
SolarWinds acknowledged its systems ‘experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.’ Find out more directly from SolarWinds, including the full list of affected products, by reading their security advisory on this incident, here.
Microsoft says the attackers were able to add malicious code to software updates provided by SolarWinds for Orion users. Attackers can then gain a foothold within the network, from which they can obtain elevated credentials. From there, attackers are able to forge single sign-on tokens for any existing users, including highly privileged accounts. Find out more directly from Microsoft, here.
How to Protect Yourself
- Run up-to-date antivirus or EDR products that detect compromised SolarWinds libraries and potentially anomalous process behavior by these binaries.
- Consider disabling SolarWinds in your environment entirely until you are confident that you have a trustworthy build free of injected code.
- Identify all accounts that have been used on the affected SolarWinds Platform, either to log into SolarWinds or to allow SolarWinds to perform tasks within the environment, and consider these accounts compromised. Reset or decommission the accounts.
- Follow best practices for identity and access management, including strong authentication practices. If any recycled passwords were in use, consider those compromised across all accounts.
- Review all AD accounts for their correct creation, assignment and use.
- Review all logs for lateral movement between systems using the identified accounts from the date a compromised version of SolarWinds was deployed.
- Reset any keys between corporate systems and an MFA authentication service if there is a concern that they have been compromised (for example, OWA or VPN integration with a third-party MFA provider).
- Review all available DNS, IDS, and firewall logs for indicators of compromise (such as the domain names and IP addresses published in the FireEye blog and Volexity blog).
- Review the network access of all systems and implement a zero-trust model, for example, on egress from SolarWinds to the Internet.
- Examine all changes recorded to the configuration of network equipment for the duration of the compromised SolarWinds deployment.
- Reduce surface area by removing/disabling unused or unnecessary applications or service principals.
- Secure your Azure AD identity infrastructure by following the guidance here.
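The two log-review steps above (lateral movement by the identified accounts since the compromised build was deployed, and DNS/IDS/firewall matches against published indicators) can be turned into a repeatable triage pass. The script below is an added example and is not code from the original article, SolarWinds, Microsoft or the referenced blogs. The log format, the deployment date, the account names and every indicator in it are constructed placeholders; a real run would load the domains and IP addresses from the FireEye and Volexity posts and the account list produced by the earlier step.

```python
"""Triage helper for the SolarWinds response checklist (added example).

Walks a simple `timestamp kind key=value ...` log export and reports
(1) hosts that resolved or connected to an indicator of compromise and
(2) successful remote logons by suspect accounts after the date the
compromised Orion build was deployed. All indicators and log lines
below are constructed placeholders, not real IoCs.
"""
from datetime import datetime, timezone

# Placeholder indicators. The real list comes from the FireEye and
# Volexity write-ups, not from this example.
IOC_DOMAINS = {"c2-placeholder.example", "staging-placeholder.example"}
IOC_IPS = {"198.51.100.7", "192.0.2.10"}  # TEST-NET addresses, constructed

# Placeholder date of the compromised Orion deployment and the accounts
# identified as having been used by or for SolarWinds (constructed).
COMPROMISED_DEPLOYED = datetime(2020, 3, 26, tzinfo=timezone.utc)
SUSPECT_ACCOUNTS = {"svc_solarwinds", "orion_admin"}

# Constructed sample export: DNS queries, firewall egress and logons.
SAMPLE_LOGS = [
    "2020-03-20T09:00:00Z auth user=svc_solarwinds src=10.0.5.12 dst=10.0.5.12 result=success",
    "2020-04-02T10:15:01Z dns client=10.0.5.12 query=update.corp.example",
    "2020-04-02T10:16:44Z dns client=10.0.5.12 query=api.c2-placeholder.example",
    "2020-04-02T10:17:03Z dns client=10.0.7.3 query=mail.corp.example",
    "2020-04-03T02:00:00Z fw src=10.0.5.12 dst=198.51.100.7 dport=443 action=allow",
    "2020-04-03T02:00:05Z fw src=10.0.7.3 dst=203.0.113.9 dport=443 action=allow",
    "2020-04-05T03:12:40Z auth user=svc_solarwinds src=10.0.5.12 dst=10.0.9.20 result=success",
    "2020-04-05T03:13:10Z auth user=jdoe src=10.0.8.4 dst=10.0.9.21 result=success",
    "2020-04-05T03:14:00Z auth user=orion_admin src=10.0.5.12 dst=10.0.1.2 result=failure",
    "2020-04-06T11:00:00Z auth user=orion_admin src=10.0.5.12 dst=10.0.1.2 result=success",
]


def parse_line(line: str) -> dict:
    """Split `ts kind k=v k=v ...` into a flat record."""
    ts, kind, *fields = line.split()
    rec = {"ts": ts, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_ts(ts: str) -> datetime:
    """ISO-8601 with a trailing Z, normalised to an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def domain_hits(qname: str, iocs=IOC_DOMAINS) -> bool:
    """True if qname is an IoC domain or a subdomain of one (case-insensitive).

    Matching on the label boundary avoids false positives such as
    'notc2-placeholder.example' matching 'c2-placeholder.example'.
    """
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in iocs)


def find_ioc_hits(lines) -> list:
    """Hosts that queried an IoC domain or sent traffic to an IoC address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["kind"] == "dns" and domain_hits(rec["query"]):
            hits.append({"ts": rec["ts"], "host": rec["client"], "ioc": rec["query"]})
        elif rec["kind"] == "fw" and rec["dst"] in IOC_IPS:
            hits.append({"ts": rec["ts"], "host": rec["src"], "ioc": rec["dst"]})
    return hits


def find_lateral_movement(lines, accounts=SUSPECT_ACCOUNTS, since=COMPROMISED_DEPLOYED) -> list:
    """Successful logons by suspect accounts to a host other than the source,
    on or after the deployment date. Local logons and failures are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["kind"] != "auth" or rec["user"] not in accounts:
            continue
        if parse_ts(rec["ts"]) < since or rec["result"] != "success":
            continue
        if rec["src"] == rec["dst"]:
            continue  # local logon, not movement between systems
        hits.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"], "dst": rec["dst"]})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print("IoC contact :", hit)
    for hit in find_lateral_movement(SAMPLE_LOGS):
        print("Lateral move:", hit)
```

Hosts returned by `find_ioc_hits` are a natural pivot: any account that logged on from those hosts during the window belongs in the list fed to `find_lateral_movement`, and the domain check is deliberately done on label boundaries so a lookalike name that merely ends in the indicator's characters is not counted as a match.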
See more steps to protect from recent nation-state cyberattacks, here.
Find out more from the original article from Krebs on Security, here.