What We Currently Know
We’ve all been following the news about the SolarWinds supply chain attack where threat actors exploited the company’s Orion software update to plant malware on corporate and government networks. The situation continues to unfold with new headlines announcing the scale of the attack, including an additional threat actor believed unrelated to the first attack.
From a security standpoint, there were two important things to note around Microsoft and its swift response to the breach. Although Microsoft seized the domains which halted malicious activity, for customers whose command and control session was set up, the threat actor was able to gain access, resulting in out-of-band persistence and compromised environments. Here is Microsoft’s customer guidance response to the threat actors forging the SAML Tokens.
On Saturday Dec 19, CISA updated their initial alert to state there was evidence not tied to the SolarWinds Orion platform. “Specifically, we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs.” As stated, CISA will update their alert as new information becomes available.
The SAML abuse continues to be a very worrisome situation. By generating their own security tokens, threat actors now have organizations’ own security “keys to the kingdom” and there’s not an easy way for companies to know, making it challenging to protect themselves.
How GreenPages Is Protecting Clients
GreenPages believes that all companies should take a fresh look at their own security posture, as well as the posture of any networks they interact with and trust. There is no organization that runs a completely airtight ship, with human error being the wild card factor that technology can’t always solve.
In that vein, even though GreenPages does not run, operate, or manage the known vulnerable code, we have been in contact with customers who have purchased SolarWinds through us, and are taking a fresh look at our own posture and proactively implementing additional security measures as a result.
From an overall comprehensive security strategy standpoint, GreenPages offers a wide range of Cybersecurity and Risk Advisory Services that provide clients with the latest security approaches to implement, configure, secure, and manage their environments. From security policy creation, platform and tool selection, technology implementation, and infrastructure hardening, our security engagements can help.
From a Managed Security and Managed SOC standpoint, GreenPages offers comprehensive MDR and Managed SOC offerings for monitoring, alerting, awareness, and incident response—from collecting log in and other types of data (with a variety of tools, including our own RECON platform) and running it through detection analytics for humans to analyze for nefarious behavior and provide incident response. Two of our top security partners include Arctic Wolf and NetEnrich—both leaders in the field.
Guidance for Organizations
Here’s a link to additional articles for the latest background information as well as prescriptive technical guidance:
- Steps from SolarWinds to update or upgrade specific Orion Platform versions https://www.solarwinds.com/securityadvisory
- FAQ from SolarWinds https://www.solarwinds.com/securityadvisory/faq
- Steps from Microsoft for customers to protect themselves from recent nation-state cyberattacks https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
- The Cybersecurity and Infrastructure Security Agency’s (CISA) Emergency Directive— a comprehensive response to the Solar Winds Orion Code Compromise https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
- GreenPages’ Blog with additional steps you can take right away to strengthen your overall security posture, (password hardening, revoking domain administrator credentials, pen testing, etc.) https://www.greenpages.com/blog/december-security-breaches
How to Engage with GreenPages for Help
As we all know, this is a wide-ranging, dangerous, and continuously unfolding cyberattack. GreenPages is vigilantly monitoring the situation and our engineers are standing by to provide you with any guidance you need. Reach out to us.