On Sunday, December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors, allowing them to gain access to network traffic management systems. Research from FireEye indicates that this highly sophisticated intrusion campaign, which may have begun as early as Spring 2020, is impacting numerous public and private organizations around the globe. According to its directive, CISA is treating this incident extremely seriously, noting that the exploitation poses “an unacceptable risk” and “requires emergency action.” CISA goes on to say that there is a “high potential for compromise” and that, if successful, the exploitation could pose a “grave impact.”
How to Protect Yourself Now:
If your organization currently uses SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1), we recommend disconnecting all affected devices immediately, as this is the only known mitigation measure currently available.
According to a SolarWinds Security Advisory, “No other versions of Orion Platform products are known to be impacted by this security vulnerability. Other non-Orion products are also not known to be impacted by this security vulnerability.”
What Comes Next:
We value you as customers, and we understand that incidents like this can be very confusing and unsettling. We are here to help. As this situation continues to develop, Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions regarding this SolarWinds Orion Code compromise or require assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.
We’ve been in contact with CISA today, and they made it clear that it was a very fluid situation, but that they are telling their customers to “assume a breach.” At this time, CISA does not have IOCs or IP addresses to share, but pointed its partners and stakeholders to the resources that I have linked to below. At this time, CISA is saying that there are no easy fixes, and that this response will be evolving and ongoing moving forward.
CISA Current Activity Alert “Active Exploitation of SolarWinds Software
CISA Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise
SolarWinds Security Advisory
FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
FireEye GitHub page: Sunburst Countermeasures
The notification provided to Mimecast from Microsoft indicated that several certificates issued by Mimecast had been compromised by a sophisticated threat actor.