DHS, CISA and NCSC Issue Warnings After SolarWinds Attack

Government agencies have issued warnings about the fresh spate of attacks, apparently from nation-state actors against major security vendors.

Last week FireEye disclosed that it had spotted an attack from nation state actors looking for data on government clients, where attackers were able to access some internal systems and steal some of FireEye’s red team tools. It was later disclosed that the attack was enabled by using trojanized updates to SolarWinds’ Orion IT monitoring and management software, although Solarwinds said that fewer than 18,000 of its global customers had been affected.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01 in response to the SolarWinds compromise which calls “on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

In a statement, CISA acting director Brandon Wales said “the compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks.”

He said: “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”  

Also, Alexei Woltornist, assistant secretary for public affairs at the Department of Homeland Security, said DHS is aware of cyber breaches across the federal government and working closely with its partners in the public and private sector on the federal response.

A spokesperson for the UK’s National Cybersecurity Centre (NCSC) said in a statement: “The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact. The NCSC recommends that organizations read FireEye’s update on their investigation and follow the company’s suggested security mitigations.”

It recommended organizations ensure any instances of SolarWinds Orion are configured according to the company’s latest guidance, and have these instances installed behind firewalls, disabling internet access for the instances, and limiting the ports and connections to only what are critically necessary.

Commenting, Sam Curry, chief security officer at Cybereason, said: “If 2020 has taught us anything, it is that the COVID-19 pandemic has improved the resiliency of security professionals and reinforced how determined defenders are to rid networks of cyber-espionage adversaries. In fact, all UK companies should respond with a cold, logical, rational response.

“In general, now is not the time for security experts to panic. A practical and measured response is advised.”

If SolarWinds is being used in your organization, Curry recommended strengthening your security posture as follows:

  • Isolate machines running SolarWinds until further information is available as the investigation unfolds
  • Reimage impacted machine
  • Reset credentials for accounts that have access to SolarWinds machines
  • Upgrade to Orion Platform version 2020.2.1 HF1 as soon as possible. Solar Winds has also provided further mitigation steps

"In addition, set up a task force to look through all data logs, check the hygiene of systems and make sure everyone is generally on high alert for future attacks,” he said. “Ensure your company is always on the hunt for adversaries. The sooner you do these things the sooner you can assume no one is lurking in your network in silent mode.”

What’s Hot on Infosecurity Magazine?