On December 13th, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in response to the compromise of SolarWinds Orion products. Current analysis indicates that SolarWinds has around 300,000 customers for these products and that around 18,000 of them, including high-profile organizations in both the private and public sectors, installed the affected update. The threat actor inserted backdoor code into Orion's legitimate code base and delivered it through a legitimately signed software update from the vendor. According to FireEye's analysts, the backdoored updates have been affecting systems since March 2020.
Immediate actions
- If you use SolarWinds Orion, follow the vendor's remediation recommendations
- Look for abnormal outbound traffic from Orion hosts rather than relying on country-based filtering alone: the actor's command-and-control traffic is masqueraded through VPN addresses located in the victim's own country, so it does not stand out geographically
- Isolate affected machines and remediate immediately
- Review and apply CISA's recommended actions
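The traffic check in the list above is easy to get wrong: a rule that only flags connections to foreign countries will miss command-and-control that is routed through addresses in your own country. The following is an added example, not code from the original advisory or from ETEK, of a detector that ignores geography and instead flags Orion hosts talking to external destinations that never appeared in a known-good baseline. The host names, addresses, baseline and log lines are all constructed for the example, and the log format (timestamp, source host, destination IP, port, destination country) is an assumption; a real deployment would build the baseline from its own historical proxy or firewall logs.

```python
"""
Added example: baseline-based detection of new external destinations for
SolarWinds Orion hosts. Everything below (hosts, IPs, log lines) is constructed.
"""
import ipaddress

# Constructed: hosts running SolarWinds Orion in a hypothetical estate.
ORION_HOSTS = {"orion-poller-01", "orion-web-01"}

# Constructed: the estate's internal address plan. Traffic to these ranges is
# normal polling activity and is not of interest here.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed baseline: external destinations each Orion host contacted during a
# known-good window. A real baseline would be derived from historical logs.
BASELINE = {
    "orion-poller-01": {"203.0.113.10", "203.0.113.11"},
    "orion-web-01": {"203.0.113.10"},
}

# Constructed log lines in an assumed format:
# "<ISO timestamp> <src_host> <dst_ip> <dst_port> <dst_country>"
# The fourth line is a non-Orion host; the third is an Orion host reaching a
# destination that is in the home country but absent from its baseline.
SAMPLE_LOGS = """\
2020-12-14T09:01:12Z orion-poller-01 203.0.113.10 443 US
2020-12-14T09:02:40Z orion-poller-01 10.20.30.40 161 --
2020-12-14T09:03:05Z orion-web-01 198.51.100.23 443 US
2020-12-14T09:04:11Z fileserver-02 198.51.100.23 443 US
2020-12-14T09:05:59Z orion-poller-01 203.0.113.11 443 US
"""


def parse_line(line):
    """Split one log line of the assumed format into a record dict."""
    ts, src, dst, port, country = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "country": country}


def is_external(ip):
    """True when the destination lies outside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_foreign_destinations(log_text, home_country):
    """The naive country-only check: flags Orion traffic to other countries.
    Shown for contrast; it misses C2 routed through home-country addresses."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] in ORION_HOSTS and is_external(rec["dst"]) and rec["country"] != home_country:
            hits.append(rec)
    return hits


def find_new_destinations(log_text, orion_hosts=ORION_HOSTS, baseline=BASELINE):
    """Flag Orion hosts contacting external destinations not in their baseline,
    regardless of which country the destination resolves to."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] not in orion_hosts:
            continue                      # only management hosts are in scope
        if not is_external(rec["dst"]):
            continue                      # internal polling traffic is expected
        if rec["dst"] in baseline.get(rec["src"], set()):
            continue                      # previously seen, known-good destination
        findings.append(rec)
    return findings


if __name__ == "__main__":
    print("country-only check:", find_foreign_destinations(SAMPLE_LOGS, "US"))
    for f in find_new_destinations(SAMPLE_LOGS):
        print(f"NEW DESTINATION {f['src']} -> {f['dst']}:{f['port']} ({f['country']}) at {f['ts']}")
```

Run against the constructed logs, the country-only check returns nothing, while the baseline check flags orion-web-01 reaching 198.51.100.23, a home-country address it had never contacted before. That is the kind of finding worth pivoting on, together with the vendor's and CISA's published indicators, before isolating the machine.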
5 ACTIONS TO AVOID ATTACKS SUCH AS SOLARWINDS
- Assess Supply Chain Risk: Assess the security risk and controls across the supply chain, both upstream and downstream
- Robust Networks Are Key: Deploy a Zero Trust-based network architecture
- Enhance Endpoint Controls: Implement a proactive monitoring model supported by protection capabilities such as EDR and UEBA
- Secure Digital Applications: Define and implement a strong DevSecOps strategy for digital applications
- Tighter Risk Review and Governance: Deploy a governance model with metrics and indicators that support decision making once a breach is detected, such as ETEK Insights
If you already have Managed Security Services with ETEK, you are already protected; if not, contact us at Securityadvisory@etek.com.