Practical Next Steps for Your Organization from MediSked Security Expert Shayne Champion
You probably heard about the recent “big security hack” on the news. Fortunately, none of MediSked’s systems or software were impacted, but this highlights the importance of keeping all system software updated, using threat intelligence sources, actively monitoring your network with a Security Information and Event Management (SIEM) system, and ensuring that users regularly update their passwords.
And although MediSked was not impacted, we know many people have questions about who was affected, how, and what to do next about this significant national incident.
On Tuesday, December 8, 2020, industry-leading information security firm FireEye confirmed that it had been hacked by a nation-state, and subsequently that the same threat actor had stolen its ‘Red Team’ network penetration testing tools. (FireEye has published a list of all 16 vulnerabilities the Red Team tools exploit.) This led many to blast one of the industry’s leading security consulting firms for being unable to protect its own environment. FireEye has since released counter-measures to combat those Red Team tools, which are available on its GitHub.
Five days later, SolarWinds, an industry-leading producer of IT monitoring, management, and security software, announced that foreign threat actors (identified as the Russian APT29/Cozy Bear group) had inserted a vulnerability (SUNBURST) into its Orion Platform, in an incident that has been dubbed “Solargate”. This vulnerability was spread through updates to the Orion application (versions 2019.4 – 2020.21 HF) released between March and June of 2020. SolarWinds has released a subsequent hotfix. For additional information about the status with SolarWinds, review their current security advisory page.
Unfortunately, by the time the vulnerability was discovered, around 18,000 SolarWinds Orion customers had already installed the compromised update. These included at least six federal agencies, among them the National Nuclear Security Administration and the Energy Department. Fortunately, current evidence suggests that while these attackers infiltrated the ‘corporate’ networks, they were unable to access the Industrial Control Systems (ICS) networks which manage critical infrastructure and systems. The impacted SolarWinds clients also include a number of Fortune 500 firms, including Microsoft. The RedDrip team posted a Tweet with a link to a GitHub project containing a script for identifying the impacted domains.
The SUNBURST vulnerability was perpetrated through a trojanized version of a legitimate file digitally signed by SolarWinds named “SolarWinds.Orion.Core.BusinessLayer.dll”. According to Fortinet, “The trojanized file is a backdoor. Once on a target machine, it remains dormant for a two-week period and will then retrieve commands that allow it to transfer, execute, perform reconnaissance, reboot and halt system services. Communication occurs over http to predetermined URI’s.”
FireEye has published a detailed report on the attack. Additional research by investigators discovered the domain (avsmcloud[.]com) that the hackers were using as a Command and Control (C&C) server to communicate with compromised targets. That domain has since been shut down (sinkholed) by Microsoft and may be the ‘kill switch’ that shuts this current round of attacks down.
What to Do
Since Microsoft has ostensibly shut down the controlling server, there should be no active traffic. However, all organizations should be on the lookout for the attack’s published threat indicators, including hash signatures of compromised files and domains that you should be blocking at your firewall (incoming and outgoing).
Additionally, your organization should follow the guidance provided by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in Emergency Directive 21-01. While some of their steps are only appropriate for U.S. federal agencies, they have a detailed set of instructions that are specific and applicable for all potentially impacted users of the SolarWinds Orion platform.
In addition to these measures against any current activity, organizations should review their logs back to the original release date of the first compromised patch (March 2020) and look for signs of compromise in all logs from that date up to the present.
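The two steps above (watch for the published indicators; sweep logs back to March 2020) can be scripted. The following is an added example written for this post, not MediSked, FireEye or SolarWinds code. The only indicators it uses are the ones named above: the Command and Control domain (defanged as avsmcloud[.]com) and the trojanized DLL name. The log line format, the sample log lines, the hash placeholder and the helper names are assumptions; the real file hashes come from FireEye's published indicator list and must be filled in before use.

```python
"""IoC sweep for the SUNBURST indicators named in the post (added example).

Illustrative only: the log format, the sample lines, the placeholder hash
list and the helper names are assumptions, not MediSked's, FireEye's or
SolarWinds' tooling.
"""
import hashlib
import re
from datetime import date

# Indicator from the post: the Command and Control domain, kept defanged on disk.
IOC_DOMAINS_DEFANGED = {"avsmcloud[.]com"}
# Trojanized DLL named in the post (the legitimate file has the same name).
IOC_DLL_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"
# PLACEHOLDER: replace with the SHA-256 values from FireEye's published indicator list.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_SHA256_FROM_FIREEYE_IOC_LIST"}
# The post says to review logs from the first compromised release (March 2020).
REVIEW_START = date(2020, 3, 1)

# Assumed log format: "<ISO timestamp> <source IP> <event type> <destination host>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+(?P<src>\S+)\s+(?P<event>\S+)\s+(?P<host>\S+)$"
)


def refang(domain):
    """Turn the defanged 'avsmcloud[.]com' notation back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def host_matches_ioc(host, ioc_domains):
    """True if host is an IoC domain or any subdomain of one (exact label match,
    so 'notavsmcloud.com' does not match 'avsmcloud.com')."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ioc_domains)


def scan_log_lines(lines, ioc_domains_defanged=IOC_DOMAINS_DEFANGED, since=REVIEW_START):
    """Return the parsed log lines dated on or after `since` that contact an IoC domain."""
    iocs = {refang(d) for d in ioc_domains_defanged}
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production sweep should count and report these
        when = date.fromisoformat(m.group("ts"))
        if when < since:
            continue  # outside the review window the post recommends
        if host_matches_ioc(m.group("host"), iocs):
            hits.append({"date": when.isoformat(), "src": m.group("src"),
                         "host": m.group("host"), "line": line})
    return hits


def sha256_hex(data):
    """SHA-256 of a file's bytes, hex encoded, for comparison against the indicator list."""
    return hashlib.sha256(data).hexdigest()


def file_is_known_bad(filename, data, bad_hashes=KNOWN_BAD_SHA256):
    """Flag a file whose hash is on the bad list. The name alone is not enough,
    because the legitimate DLL shares its name with the trojanized one."""
    return sha256_hex(data) in bad_hashes


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2020-02-20T10:00:00Z 10.0.0.5 DNS_QUERY beacon.avsmcloud.com",    # before review window
    "2020-04-12T03:15:22Z 10.0.0.5 DNS_QUERY beacon.avsmcloud.com",    # hit: subdomain of C2 domain
    "2020-05-01T08:00:00Z 10.0.0.7 HTTP_CONNECT updates.example.org",  # benign
    "2020-06-30T23:59:59Z 10.0.0.9 DNS_QUERY AVSMCLOUD.COM",           # hit: case-insensitive
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOGS):
        print(f"{hit['date']} {hit['src']} -> {hit['host']}")
```

Subdomain matching matters here because the backdoor used generated subdomains under the C2 domain, so an exact-hostname comparison would miss most of the traffic. The hash check is deliberately separate from the filename: a file named SolarWinds.Orion.Core.BusinessLayer.dll is only suspect when its hash is on the published list.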