Cyber Market Advisory: Solarwinds Orion code compromise – how to respond to this wide-scale event

This article follows our previous article on the Solarwinds cyber incident.

What happened?

Solarwinds and the wider infosec community have recently become aware of a critical vulnerability in a Solarwinds software program. Details about the incident are rapidly evolving, however preliminary investigations reveal a sophisticated state sponsored threat actor group likely inserted the vulnerability (malicious code) into legitimate software to gain access to target organisations' systems.

Who is Solarwinds?

Solarwinds is a managed services provider which provides software products to private and Government organisations globally.

Among other programs, Solarwinds provides a software product referred to as Orion. Orion allows IT teams to centralise the monitoring of devices on an internal network, to ensure that devices are connecting to the network correctly and do not exhibit signs of suspicious activity. Orion also allows organisations to roll out updates to devices uniformly.

What do we know so far?

A threat actor group installed malicious code in a legitimate update to Solarwinds’ Orion software.

The malicious code gave the threat actor group remote access to networks of organisations which installed an update to the Orion program between March and June 2020 (effectively, a “back door” into a network). The malware is designed to hide its activity as legitimate network traffic.

After lying dormant for a period of approximately 2 weeks, the malicious code executes commands which are capable of transferring files, starting programs, profiling an organisation’s system, disabling system services and rebooting machines.

Immediate steps to take in response to the breach

While the scope of the compromise is not yet known, organisations which use Solarwinds' software products, specifically the Orion software product, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 should:

• contact their IT provider to ensure systems are secure;
• check whether they use a known affected Solarwinds product (a full list is available here: https://www.solarwinds.com/securityadvisory);
• check whether they are using Solarwinds' Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 and if so, upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible;
• check whether they are using Solarwinds' Orion Platform v2019.4 HF 5 and if so, upgrade to Orion Platform 2019.4 HF 6. Directions for identifying which version of the Orion platform you are using can be found here; and
• check for indicators of compromise, which can be found here: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html and here: https://github.com/fireeye/sunburst_countermeasures.

IT teams should also check their Document Link Libraries (DLLs) for the Solarwinds Orion product to check if it matches any of the file hashes listed here: https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv.

Organisations which suspect they have been compromised as part of the incident also need to consider the residual privacy implications of the Orion compromise – i.e. you will need to conduct an assessment into whether the incident amounts to an 'eligible data breach' under the Privacy Act in Australia, and other data protection laws around the world if applicable.

Affected organisations and Government agencies should continue to monitor the advisories for further details on how to respond.

Where do you go for more information?

We commend the ACSC, DPC VIC and wider infosec community for leading the national/whole of Government response to this incident and for providing real time updates on the impact to Government agencies and the private sector.

The following sources provide additional information which may help you identify indicators of compromise in your environment:

• the ACSC will provide relevant updates on its Orion compromise threat page, here: https://www.cyber.gov.au/acsc/view-all-content/alerts/potential-solarwinds-orion-compromise;
• Solarwinds has released its recommendations on steps organisations should take to patch the vulnerability in the Orion software program. Organisations should check if they were or have been using one of the listed affected products, as recommended above. This article also lists Solarwinds products which are known not to be affected at this stage;
• the United States' Cybersecurity and Infrastructure Security Agency (CISA) has released a directive with mitigation steps for impacted organisations, here: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance (Emergency Directive 21-01);
• CISA has released an alert for the Solarwinds incident, which lists affected Solarwinds products, technical details (as known) of the incident, including tactics being used by the threat actor group to gain access to systems and avoid detection by incident response teams, and advice for detecting signs of compromise, here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a;
• FireEye is releasing signatures to detect threat actor activity on its Github page, here: https://github.com/fireeye/sunburst_countermeasures; and
• the Victorian Department of Prime Minister and Cabinet may also provide information on the compromise.

How can we help?

Clyde & Co has the largest cyber incident response practice in Australia and New Zealand and works with our global offices to provide a full incident response service.

Our specialist team have dealt with a number of the largest and most complex incidents in Asia Pacific region to date. This includes advising on 1,000+ data breach, ransomware and cyber related incidents impacting a wide range of industries.

Our team provides expert advice on how to identify compliance risks, navigate the crisis response and respond to data protection issues across the full cyber incident lifecycle. This includes advising on:

• incident response management and vendor coordination;
• ransomware response and recovery;
• extortion negotiations and threat intelligence;
• payment misdirection fraud, funds tracing and funds recovery;
• email and social media account takeover response;
• communications strategy and stakeholder management;
• data breach assessment and notification, including coordination of global and multi-party data breaches across 100+ jurisdictions;
• e-safety, image based abuse and cyber bullying;
• regulatory response, including dealing with the OAIC, NZOPC, ASIC, APRA, the ACCC and other regulators across 50+ jurisdictions;
• third party disputes;
• recovery litigation against wrongdoers; and
• class action risk relating to privacy breaches (an evolving space).

Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:

• Australia: + 61 2 9210 4464
• New Zealand: 0800 527 508
• cyberbreach@clydeco.com