The Great SolarWinds Hack of 2020
What you need to know.
Let\’s first start by saying that Covenant Computing does not use SolarWinds products to support their customers. That is not to say that we will never have a compromised product – no one can say that. But, specifically, in this incident, none of the tools we use to support and secure our customers are involved in this hack and you have not been compromised. So, if you are a customer of ours, you can relax. The first thing we want to you to know is that we do not use the software indicated in this breach, and the second thing is that no action is needed on your part.
That being said, everyone needs to take a few steps to secure themselves and their businesses so that, in a situation like this, the hack can be stopped dead in its tracks or the damage can be mitigated. So, we will cover that info at the end of this article.
This article will be primarily referring to information found in the official CISA government breach release website found at: https://www.cisa.gov/supply-chain-compromise
Specifically, the article found on the alert page found at: https://us-cert.cisa.gov/ncas/alerts/aa20-352a
and to DHS CyberSecurity division Emergency Directive 21-01: https://cyber.dhs.gov/ed/21-01/
Other sources are:
ArsTechnica – https://arstechnica.com/information-technology/2020/12/feds-warn-that-solarwinds-hackers-likely-used-other-ways-to-breach-networks/
DarkReading – https://www.darkreading.com/vulnerabilities—threats/we-have-a-national-cybersecurity-emergency—-heres-how-we-can-respond/a/d-id/1339766
and Microsoft – https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
To call this a \”hack\” is an understatement. In fact, as of the writing of this article (nearly 3 weeks post-discovery) the incident discovery and response is still ongoing. Meaning that they are still discovering the impact of the breach and its entire scope.
If there are more developments, we will release them.
What we know so far…
The breach was engineered by a group that gained access to the update tool for SolarWinds Orion software. This means that the people who did this were able to insert a rogue DLL file into a software update that allowed the actors to target specific systems and information.
The payload that was delivered was designed to sniff out prime targets for attack and to open other doors to make those attacks possible and easier
This \”back door\” has been codenamed \”SUNBURST\” as noted in the FireEye article and in this SolarWinds article: https://www.solarwinds.com/securityadvisory
SUPERNOVA is the codename used to identify the malware used to attack users of the SolarWinds Orion platform.
SolarWinds Orion was just the door…
The attacks that were proliferated were done so with future hacks in mind. These breaches targeted the supply chain (software updates). The vulnerability that was used to insert the malicious code in the update cycle has since been patched.
- Compromised software versions include:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Known Affected Products
Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:
Application Centric Monitor (ACM)
Database Performance Analyzer
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
User Device Tracker (UDT)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)
This is the beginning of the threat discovery…
…the attackers likely used means other than just the SolarWinds backdoor to penetrate networks of interest…
Other reports issued since the discovery of the attack have shown that there are more than just people and machines affected. Likely targets are multi-tenant entities such as Private sector service providers and services vendors that provide cloud services and software to multiple distributors.
Microsoft has identified how their platforms have been examined and configuration gaps could lead to vulnerabilities in their software and operating systems. Details of that information is here: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
…attempted activities beyond just the presence of malicious SolarWinds code in our environment…
What can we do to protect ourselves?
Ok, so this is the obvious part of the article where we plead with you to protect yourself by purchasing a security plan from us. We believe that security is an all-in prospect because it makes no sense to lock the front door and leave a side window open.
So many people believe that a good antivirus is enough and in the past, we would say that was true.
For SMBs (small and medium businesses), the biggest threat is the loss of data and the disruption of their workflow. Our no-compromise Covenant Security 2021 package is our best defense offering for this type of threat. We hold your hand through implementation and through processing the changes necessary to protect your data and your business.
Covenant Security 2021 covers these key categories in the information security landscape:
- Human Vulnerabilities
- Perimeter Vulnerabilities
- Application Control
- Data Control
- Network Management
- Data Continuity
- Endpoint Continuity
The information that runs your business, that you access, retrieve, store, and publish to customers and potential clients deserves to be protected.
Covenant Security 2021
Schedule your free security consultation call.
15 Minute Call