Fortalice Advisory on SolarWinds Orion Code Compromise

December 17, 2020

Blue Team

On Sunday, December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors, allowing them to gain access to network traffic management systems. Research from FireEye indicates that this highly sophisticated intrusion campaign, which may have begun as early as Spring 2020, is impacting numerous public and private organizations around the globe. According to its directive, CISA is treating this incident extremely seriously, noting that the exploitation poses “an unacceptable risk” and “requires emergency action.” CISA goes on to say that there is a “high potential for compromise” and that, if successful, the exploitation could pose a “grave impact.”

How to Protect Yourself Now:

If your organization currently uses SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1), we recommend disconnecting all affected devices immediately, as this is the only known mitigation measure currently available.

According to a SolarWinds Security Advisory, “No other versions of Orion Platform products are known to be impacted by this security vulnerability. Other non-Orion products are also not known to be impacted by this security vulnerability.”

What Comes Next:

We value you as customers, and we understand that incidents like this can be very confusing and unsettling. We are here to help. As this situation continues to develop, Fortalice is committed to providing you with the tools and confidence to fortify your interests, protect your organization, and maintain a strategic advantage over adversaries. If you have any questions regarding this SolarWinds Orion Code compromise or require assistance in implementing necessary threat mitigation steps for your organization, please do not hesitate to reach out to us.

We’ve been in contact with CISA today, and they made it clear that it was a very fluid situation, but that they are telling their customers to “assume a breach.” At this time, CISA does not have IOCs or IP addresses to share, but pointed its partners and stakeholders to the resources that I have linked to below. At this time, CISA is saying that there are no easy fixes, and that this response will be evolving and ongoing moving forward.

Resources:

CISA Current Activity Alert “Active Exploitation of SolarWinds Software
CISA Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise
SolarWinds Security Advisory
FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
FireEye GitHub page: Sunburst Countermeasures

Alert (AA20-352A)

‍

Incident Response

Summer of Ransomware, Part 2?

Fortalice Solutions

Summer of 2020 was coined the "Summer of Ransomware", but are we about to have a second summer of ransomware in 2023?

Cybersecurity Fraudsters Lurk in Wake of Silicon Valley Bank Collapse

Jackie Monroy

Silicon Valley Bank (SVB) was shuttered early this month and had its deposits seized in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem like SVB’s collapse will only impact its direct customers and depositors, it is far more complicated. Like vultures to roadkill, cyber scammers often wait to exploit and target victims after tragedy strikes, or bad news arises. A perfect storm of stress, uncertainty, and urgency for customers and vendors alike during this time can impair someone’s judgement when they click links and open emails they otherwise would ignore or delete. Fortalice has outlined a few different ways cybercriminals social engineer their victims during times of extreme distress and insecurity.

Experts Blog