By Joe Marshall of Cisco Talos and Paul Smith of Cisco IoT
What is this?
On December 11th, 2020, the U.S. government and the company SolarWinds disclosed a breach into their SolarWinds Orion Platform network management software. This attack was conducted by a sophisticated and likely nation-state based attacker. SolarWinds Orion is a commonly used network management software stack used to manage complex switched and routed IT/OT architectures.
High profile customers of the Orion platform are numerous U.S. government agencies, and many private entities. The adversary was able to penetrate SolarWinds software development infrastructure, and bolt malware into a legitimate software update from SolarWinds for their Orion platform. In March of 2020, this malicious ‘patch’ was distributed, which then could provide backdoor access into the victim’s networks where the adversary could then exfiltrate data.
Due to the enormity of this attack, forensic and threat intelligence information is still rapidly changing. For Cisco Secure and IoT customers, our security coverage and updates can be found at the Cisco Talos blog post here. At the time of this posting, SolarWinds customer exposure is stated to be less than 18,000 of the 30,000 Orion platform customers.
What do you do about it?
Per an advisory published by the Cybersecurity & Infrastructure Security Agency, or CISA, potential victims should identify which victim category they fall into based on the whether or not they installed the following binaries and contacted the command and control (C2) server: avsvmcloud[.]com
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
To determine a level of concern, CISA has also given these categories to help you understand risks and perform incident response as necessary.
- Category 1: includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.
- Category 2: includes those who have identified the presence of the malicious binary—with or without beaconing to avsvmcloud[.]com. Owners with infected appliances communicating with avsvmcloud[.]com but not with a secondary C2—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
- Category 3: includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020— not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.
What does this mean?
The SolarWinds Orion compromise is an incredibly impactful attack across numerous industrial verticals, especially electric subsectors concerned with critical infrastructure. This will perhaps be regarded in the same category as NotPetya, or ccleaner as another successful nation-state supply chain attack with vast ramifications. As this is a recently discovered attack both in breadth and scope, we will be unpacking the damage done and discovering new forensic details for a considerable amount of time. Now is as a good a time as any to consider your operating risks and cyber threats to your business continuity.
As potentially damaging as the SolarWinds compromise could be, it could also be a catalyst for positive change for your enterprise. We would encourage you to think about your converged IT/OT architectures – what exposures and risks do you have not just from something like the SolarWinds compromise, but with any enterprise products that straddle both information and operational technology enterprises. Could you identify all the risks and exposures you have? From fundamental asset identification and network mappings and data flows, to unpatched vulnerabilities and process identification, there is a lot to consider.
It is also important to note that the attack on the SolarWinds Orion platform can absolutely cause an unwanted disruption in an operational network. Due to the pervasive nature of this platform, its tendrils can extend very far into the spine of an operational technology environment. From assigning IP’s and port security, to active directory integrations, to patch management and networking monitoring, SolarWinds Orion can run very deep into networks. This is largely undesirable for security reasons, but many enterprises may view it as necessary evil to maintain a large and complex infrastructure.
Furthermore, due to the nature of how products like SolarWinds Orion manage the infrastructure, it requires stored credentials/keys to be put in place to leverage the ease of use. This has long been the dilemma faced in IT/OT infrastructure, fewer people managing larger scale networks utilizing the convivence of ‘single pane of glass’ tools. These create security holes, and it is really up to the enterprise to weigh the risk vs. reward.
Long gone are the halcyon days of only external cyber risks to your enterprise. As organizations outsource all or parts of their IT and make heavier use of cloud services, their cybersecurity relies even more on those of their suppliers. We now live in an era of nation-state compromised supply chains that could impact your enterprise in profound ways. Given the considerable burden of managing your enterprises security, and now contending with nation-state supply chain attacks, it can likely feel overwhelming as a defender. Our suggestion: start at the basics and work forward. Ask yourselves what’s the worst day you could have and plan your risks accordingly.
Consider strategies like operating your industrial infrastructure in a zero trust model that can help mitigate damage done, not just against the SolarWinds compromise, but against ransomware or other malware attacks. Consider how well you know your networks, and if you know what there is to protect. Think about security monitoring and protections in your OT environments. Consider emergency response playbooks for cyber incident response. Consider safety concerns if an attack impacts your operations, or your regulatory compliance.
Ultimately, these are all difficult questions with complex answers, but the resilience and safety of your organization are worth the journey. Here is how Cisco can help:
Cisco Cyber Vision has been specifically developed for OT and IT teams to work together to ensure continuity, security, resilience and safety of your industrial operations. Cyber Vision has behavioral analysis and Snort® intrusion detection capabilities to detect malicious traffic. The latest Cyber Vision knowledge base includes Cisco Talos IDS signatures to detect SolarWinds attacks. If you have not done so already, we recommend you install it today by downloading it here.
Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare, respond and recover from a breach. CTIR enables 24-hour emergency response capabilities and direct access to Cisco Talos, the world’s largest threat intelligence and research group.
Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools.