Over the last two weeks, a widespread hacking campaign affecting federal, state and local governments, school districts, and even cybersecurity firms and commercial enterprises has made the news. The campaign originates with vulnerabilities in SolarWinds Corporation's Orion product, which provides centralized monitoring of network traffic across an organization's IT environment.
If your county uses SolarWinds Orion or another Network Management System (NMS) to monitor and manage network traffic, please continue reading. If you are unsure, please contact your IT department.
Austin, Texas-based SolarWinds Corporation is a networking software company that helps organizations manage their entire IT portfolios. SolarWinds' Orion product provides centralized monitoring across an organization's IT environment.
SolarWinds Orion products are currently being exploited by hackers. Specifically, product versions 2019.4 through 2020.2.1 HF1 (versions released between March 2020 and June 2020) are confirmed as compromised. Older versions may also be compromised. On December 19, 2020, the United States Cybersecurity & Infrastructure Security Agency (CISA) indicated that it has evidence of, and is currently investigating, access vectors in addition to SolarWinds. Therefore, even if you use an alternative NMS, you should not assume that only SolarWinds Orion products were affected.
The exploitation of Orion is known as a supply-chain attack: someone infiltrates your system through an outside partner that has access to your systems and data. As an advanced persistent threat (APT), this threat, once launched, remains undetected for a significant period of time. Though only recently identified, evidence suggests that SolarWinds customers who installed updates to their Orion software were unknowingly introducing hidden malicious code into their systems as early as March 2020.
What Should You Do?
- Immediately disconnect SolarWinds Orion products from your network or power them down. Until more is known, don't assume that only the published versions are compromised.
- Block all inbound/outbound traffic to the SolarWinds servers at the firewall.
- Reset passwords on all accounts with local/domain admin on the SolarWinds servers.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
Refer to https://cyber.dhs.gov/ed/21-01/ for additional guidance and recommendations.
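Added example (not part of this notice, and not a SolarWinds tool): a small Python triage helper that checks Orion version strings against the affected range stated above (2019.4 through 2020.2.1 HF1) and, in line with the notice, flags older versions for review rather than clearing them. It assumes versions are reported in the form "2020.2.1 HF1"; the host names in the sample inventory are constructed.

```python
"""Triage Orion version strings against the range named in the notice.

Added example, not advisory or vendor code. Affected range as stated in the
notice: 2019.4 through 2020.2.1 HF1. Older versions may also be compromised,
so anything below the range is flagged for review, never cleared. The
"2020.2.1 HF1" string format is an assumption about how the product reports.
"""
import re
from typing import Dict, List, Tuple

# Numeric release (1-3 dotted fields) plus an optional "HFn" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[int, ...]:
    """Turn '2020.2.1 HF1' into a comparable tuple (2020, 2, 1, 1).

    Release fields are padded to three so '2019.4' equals '2019.4.0';
    the hotfix number is the fourth field (0 when no hotfix is present).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many release fields in {text!r}")
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (*parts, hotfix)


# Range boundaries exactly as given in the notice.
RANGE_LOW = parse_orion_version("2019.4")
RANGE_HIGH = parse_orion_version("2020.2.1 HF1")


def classify_orion_version(text: str) -> str:
    """Return 'affected', 'older-review' (below range, still suspect) or 'above-range'."""
    v = parse_orion_version(text)
    if RANGE_LOW <= v <= RANGE_HIGH:
        return "affected"
    return "older-review" if v < RANGE_LOW else "above-range"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group {host: version} entries by classification, preserving input order."""
    groups: Dict[str, List[str]] = {"affected": [], "older-review": [], "above-range": []}
    for host, version in inventory.items():
        groups[classify_orion_version(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"nms-01": "2020.2.1 HF1", "nms-02": "2019.4 HF5",
              "lab-nms": "2018.4", "nms-03": "2020.2.1 HF2"}
    for status, hosts in triage_inventory(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

An "above-range" result only means the version is outside the published range; per the notice, it should not be read as a clean bill of health until more is known.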
If you believe you have been compromised, please contact Sheila Mishich, Litigation Case Manager, at firstname.lastname@example.org or at 800.236.6885.