On December 14th, FireEye disclosed a widespread global intrusion campaign. During their investigation, they discovered that an attacker exploited vulnerabilities within the SolarWinds® Orion® Platform. The malware subsequently masqueraded its traffic as Orion Improvement Protocol and blended in with legitimate SolarWinds activity to obfuscate the threat actors’ activities.
SolarWinds has released an initial hotfix for the Orion Platform. Customers running SolarWinds should disable the vulnerable instance as noted below and prepare to upgrade (pending appropriate testing and maintenance windows). A second hotfix with additional mitigations is expected to be released tomorrow (Tuesday, December 15th, 2020).
eSentire has added new detection and protection content for this specific threat based on information and countermeasures disclosed by SolarWinds, CISA and FireEye. We will continue to monitor the situation and deploy new detection and protection content as necessary.
What we're doing about it:
- Additional esNETWORK rules have been deployed to identify malware executing against customer environments to supplement existing detection coverage
- esENDPOINT file hashes are being periodically queried and checked against Indicators of Compromise
- esLOG and esENDPOINT rules are being evaluated for new and refined detection opportunities
- eSentire discusses this specific attack in a recorded webinar.
What you should do about it:
- If deemed appropriate to your business risk appetite, disable your SolarWinds instance.
- SolarWinds® recommends that all customers upgrade their SolarWinds® Orion® Platform to version 2020.2.1 HF 1, available for download from the SolarWinds Customer Portal.
- SolarWinds® also recommends that users download and install a further fix, 2020.2.1 HF 2, which they expect to release on Tuesday, December 15th, 2020.
- Ensure anti-virus signatures are up to date.
- MVS customers should review their vulnerability scan reports for the presence of vulnerable systems; the latest reports are available on the eSentire Insight Portal. MVS Cloud customers can also access them through their Tenable.io instance or the eSentire Insight Portal. Non-MVS customers should review their own vulnerability scan reports for the presence of vulnerable systems.
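The hash-versus-IoC check described under "esENDPOINT file hashes" above, as an added example that is not eSentire's code: it hashes the binaries under a (constructed) Orion install tree and reports any whose SHA-256 appears in an indicator list. The indicator set here is a placeholder built from constructed bytes, not a real SUNBURST hash; in practice it would be populated from the SolarWinds, CISA and FireEye advisories.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, ioc_sha256, suffixes=(".dll", ".exe")):
    """Walk root, hash every binary, and return (path, sha256) for each IoC match.

    ioc_sha256 is a set of lowercase hex digests taken from vendor advisories.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            if digest in ioc_sha256:
                hits.append((path, digest))
    return hits


def demo():
    """Build a constructed install tree with one flagged file and sweep it.

    Returns the base names of matching files (expected: ['placeholder.dll']).
    """
    flagged_bytes = b"constructed sample bytes, not a real artefact"
    placeholder_iocs = {hashlib.sha256(flagged_bytes).hexdigest()}  # placeholder, not real IoC
    with tempfile.TemporaryDirectory() as root:
        orion = os.path.join(root, "Orion")
        os.makedirs(orion)
        with open(os.path.join(orion, "placeholder.dll"), "wb") as f:
            f.write(flagged_bytes)
        with open(os.path.join(orion, "clean.dll"), "wb") as f:
            f.write(b"benign constructed bytes")
        with open(os.path.join(orion, "notes.txt"), "wb") as f:
            f.write(flagged_bytes)  # same bytes, but not a binary, so skipped
        return sorted(os.path.basename(p) for p, _ in sweep(root, placeholder_iocs))


if __name__ == "__main__":
    print(demo())
```

Point the sweep at the real install directory and replace the placeholder set with the published indicators; a non-empty result is a trigger for incident response, not a cleanup step.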