In an announcement on Monday by SolarWinds, our community learned that its Orion software has served as the unwitting conduit for an international cyberespionage operation. SolarWinds reported that hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers, in a campaign that may have begun as early as Spring 2020. Although the full extent of the damage is still unknown, breaches have been reported.
Urgent action is necessary
SolarWinds has over 300,000 customers worldwide, and we believe this to be an extremely pervasive threat. Alerts for commercial and governmental organizations related to this event have been issued by SolarWinds, FireEye, SANS, US-CERT, and the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS).
CISA at DHS has identified an intrusion related to SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1) in the latest Emergency Directive. These versions are currently being exploited, allowing attackers to gain access to network traffic management systems. The Emergency Directive provides detailed actions required of government agencies using the Orion software.
IT and Security teams using BigFix can quickly determine which systems have Orion software installed, detect whether compromised versions of Orion are present, and help isolate infected systems. More information about how to detect indicators of compromise using BigFix is provided here: https://forum.bigfix.com/t/dhs-emergency-directive-21-01-solarwinds-thread/36420.
If infected systems are found, DHS is recommending that those systems be turned off until forensics are completed, including determining whether a breach has occurred. Once completed, DHS is recommending that systems be rebuilt from ISO images. Organizations can prepare for this effort or begin provisioning new systems using established tools such as BigFix Lifecycle. Again, refer to the DHS Emergency Directive to understand the actions required of government agencies and departments. Commercial customers may also refer to Microsoft’s Customer Guidance on Recent Nation-State Cyber Attacks.
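As an added illustration of the first triage step above (it is not code from the original post, from BigFix, or from the Emergency Directive), the following Python helper parses Orion version strings, including "HF" hotfix suffixes, and flags inventory records whose version falls inside the affected range quoted above. The inventory rows are constructed, the range is treated as inclusive, and matching products by the substring "orion" is an assumption; the authoritative version list is the directive itself.

```python
import re

# Affected range as quoted from the DHS/CISA Emergency Directive in the text above.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF1", "2019.4HF5" (case-insensitive HF).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text):
    """Convert an Orion version string into a comparable tuple.

    Result is (major, minor, patch, hotfix); missing numeric parts are padded
    with 0 and a missing HF suffix counts as hotfix 0, so "2020.2" < "2020.2 HF1".
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad "2019.4" to 2019.4.0
    hotfix = int(match.group(2)) if match.group(2) else 0
    return tuple(parts[:3]) + (hotfix,)


def is_affected_version(text):
    """True when the version lies inside the affected range (inclusive, an assumption)."""
    low, high = parse_orion_version(AFFECTED_LOW), parse_orion_version(AFFECTED_HIGH)
    return low <= parse_orion_version(text) <= high


def triage_inventory(records):
    """records: iterable of (hostname, product_name, version) rows from an inventory export.

    Returns the sorted hostnames that run an Orion product in the affected range,
    i.e. the systems to isolate pending forensics.
    """
    flagged = []
    for host, product, version in records:
        if "orion" not in product.lower():   # assumption: product names mention Orion
            continue
        if is_affected_version(version):
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("mon-01", "SolarWinds Orion Platform", "2019.4 HF5"),
    ("mon-02", "SolarWinds Orion Platform", "2020.2"),
    ("mon-03", "SolarWinds Orion Platform", "2020.2.1 HF2"),
    ("mon-04", "SolarWinds Orion Platform", "2018.4 HF3"),
    ("app-07", "Some Other Product", "2020.2"),
]

if __name__ == "__main__":
    print("Isolate pending forensics:", triage_inventory(SAMPLE_INVENTORY))
```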
How BigFix helps to address this threat now
The global BigFix community is working together to continuously refine the approach to this threat. Follow the latest at https://forum.bigfix.com/t/dhs-emergency-directive-21-01-solarwinds-thread/36420. Working with security professionals across industries, the community has rapidly identified and proven methods for using BigFix to report on SolarWinds installations and vulnerable versions and to detect Indicators of Compromise (IoCs) related to this vulnerability. New insights and approaches are being included as the situation unfolds.
Our clients can rest assured that HCLSoftware does not have the compromised versions of SolarWinds Orion in its environment, nor do we know of any HCL contractors or vendors who use SolarWinds Orion. None of the tools used by HCL BigFix have been impacted by the reported breach at SolarWinds or FireEye. As a result, our ability to deliver products and services to our valued customers has not been impacted. We remain vigilant in maintaining data security and securing our systems.
Every day, BigFix provides deep insights into potential exposure or compromise
BigFix is regularly used to provide deeper insights into vulnerabilities and threats as well as to implement remediations in near real time. BigFix provides methods to immediately identify and detect systems that may be vulnerable, continually analyzes your systems to identify any newly affected systems, provides historical reporting on software installations and removals to help determine the window of exposure, can validate security policies that identify whether and when specific security controls were modified or disabled by an attacker, and can deploy operating systems or image systems to rapidly recover your systems.
For more information about BigFix capabilities, visit www.BigFix.com or contact your HCLSoftware Specialist or your BigFix Technical Advisor.