URGENT Cybersecurity Alert & Resources for You
Summary: The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
Message & Resources from the Wisconsin Department of Administration, Bill Nash, Chief Information Security Officer:
Because the CISA reporting on SolarWinds Orion has been widely publicized and is causing considerable concern, we want to provide a summary of that guidance and a reminder of the services available to you. If you have already confirmed that you do not run SolarWinds Orion, treat the remainder of this message as a reminder of those services.
To recap: if you are not running one of the following affected versions of SolarWinds Orion, no action is required under this guidance:
Affected Versions:
· Orion Platform 2019.4 HF5, version 2019.4.5200.9083
· Orion Platform 2020.2 RC1, version 2020.2.100.12219
· Orion Platform 2020.2 RC2, version 2020.2.5200.12394
· Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
If you are running one of the affected versions, the categories below, taken from CISA's guidance, will help you determine which category you fall into and, from that, the level of risk and the effort needed to return your SolarWinds deployment to operation:
· Category 1 includes those who are running an affected version but do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.
· Category 2 includes those who have identified the presence of the malicious binary, with or without beaconing to avsvmcloud[.]com. Owners with the malicious binary whose vulnerable appliance's only unexplained external communications are with avsvmcloud[.]com (a fact that must be verified by comprehensive network monitoring of the device, not assumed) can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
· Category 3 includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020, and the cessation was not due to an action taken by your own network defenders, you also fall into this category. Assume the environment has been compromised and initiate incident response procedures immediately.
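The affected-build list and the three category decision points above can be turned into a small triage script. The Python below is an added example written for this page, not CISA or Wisconsin DOA code. It assumes (these are assumptions, not anything from the guidance) a DNS resolver log in the form "timestamp client query" and an operator-supplied allowlist of destinations that have already been explained; the embedded log lines, hostnames and subdomain labels are constructed sample data.

```python
"""Orion triage helper: affected-build check plus Category 1/2/3 classification
from resolver logs. Added example, not CISA or Wisconsin DOA code."""
from datetime import datetime, timezone

# Affected builds exactly as listed in the advisory above.
AFFECTED_VERSIONS = {
    "2019.4.5200.9083",   # Orion Platform 2019.4 HF5
    "2020.2.100.12219",   # Orion Platform 2020.2 RC1
    "2020.2.5200.12394",  # Orion Platform 2020.2 RC2
    "2020.2.5300.12432",  # Orion Platform 2020.2 and 2020.2 HF1
}
BEACON_DOMAIN = "avsvmcloud.com"
# Beaconing that stops on its own before this date is the Category 3 signal.
CUTOFF = datetime(2020, 12, 14, tzinfo=timezone.utc)

# Constructed sample resolver log (ASSUMED format: 'timestamp client query');
# hostnames, subdomain labels and timestamps are made up for illustration.
SAMPLE_LOG = """\
# timestamp client query
2020-10-05T02:11:09Z orion01 api.solarwinds.com
2020-10-05T02:14:31Z orion01 madeuplabel1.avsvmcloud.com
2020-11-20T04:09:12Z orion01 madeuplabel1.avsvmcloud.com
2020-12-16T08:00:00Z orion01 api.solarwinds.com
2020-10-05T02:14:40Z orion02 madeuplabel2.avsvmcloud.com
2020-10-06T11:30:02Z orion02 cdn.example.net
2020-12-16T08:00:00Z orion02 api.solarwinds.com
"""


def is_affected_version(version: str) -> bool:
    """True when the installed Orion build is one of the four affected builds."""
    return version.strip() in AFFECTED_VERSIONS


def parse_dns_log(lines):
    """Yield (timestamp, client, query) tuples; comments and blank lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, query = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               client, query.lower().rstrip("."))


def lines_for(client: str, log: str = SAMPLE_LOG):
    """Select the log lines belonging to one Orion host."""
    return [l for l in log.splitlines() if l.split()[1:2] == [client]]


def _under(query: str, domain: str) -> bool:
    """True when query is domain itself or a subdomain of it."""
    return query == domain or query.endswith("." + domain)


def categorize(version, has_malicious_binary, dns_lines, expected_domains,
               defenders_blocked_beacon=False):
    """Map the advisory's decision points onto (category, reason).

    expected_domains lists destinations the operator has already explained
    (vendor update and licensing hosts, for instance); anything else that is
    not avsvmcloud.com is treated as a candidate secondary C2 destination.
    defenders_blocked_beacon records whether beaconing stopped because of
    your own blocking action rather than on its own.
    """
    if not is_affected_version(version):
        return 0, "not an affected Orion build; no action required under this guidance"
    if not has_malicious_binary:
        return 1, "Category 1: affected build, malicious binary absent; patch and resume"

    beacons, unexplained, last_seen = [], set(), None
    for ts, _client, query in parse_dns_log(dns_lines):
        last_seen = ts if last_seen is None else max(last_seen, ts)
        if _under(query, BEACON_DOMAIN):
            beacons.append(ts)
        elif not any(_under(query, d) for d in expected_domains):
            unexplained.add(query)

    if unexplained:
        return 3, f"Category 3: secondary C2 candidates {sorted(unexplained)}; assume compromise"
    # Cessation can only be judged when log coverage extends past the cutoff date.
    ceased_early = (beacons and last_seen is not None and last_seen >= CUTOFF
                    and max(beacons) < CUTOFF)
    if ceased_early and not defenders_blocked_beacon:
        return 3, "Category 3: beaconing to avsvmcloud.com ceased before 2020-12-14 on its own; assume compromise"
    return 2, "Category 2: binary present; only unexplained traffic is to avsvmcloud.com; harden and reinstall"


if __name__ == "__main__":
    for host in ("orion01", "orion02"):
        print(host, categorize("2020.2.5300.12432", True, lines_for(host), ["solarwinds.com"]))
```

Two caveats when using this pattern. Resolver logs only show name resolution, so secondary C2 that goes straight to an IP address (which the guidance explicitly includes) will not appear here; the "comprehensive network monitoring" the guidance calls for means correlating proxy, firewall or flow records as well. And the allowlist of expected destinations must be justified from vendor documentation or prior baselines, because every domain added to it is one the script will stop flagging.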
If you need assistance, the MS-ISAC and CISA are excellent resources:
· If you are an MS-ISAC member, also copy the MS-ISAC SOC (soc@msisac.org) on any outreach to CISA.
If you need state resources:
Wisconsin Statewide Intelligence Center (WSIC)
Wisconsin Cyber Response Team (CRT)
· For cyber incident assistance, call the WEM (Wisconsin Emergency Management) Duty Officer at 800-943-0003
Bill Nash | Chief Information Security Officer
Department of Administration
Division of Enterprise Technology