Close

Search Results

Sorry we couldn't find any results for you.

To find more of our people, please search using the ‘People’ option at the top.

    Loading search results

    Skip to Content

    Active exploitation of SolarWinds Orion IT management platform

    The Cybersecurity and Infrastructure Security Agency (CISA) is warning about active exploitation of SolarWinds Orion, a widely used platform for IT monitoring and management. You should contact your IT team or provider now to determine whether you use the SolarWinds Orion platform and whether your specific version of the software is affected. If it is, you should immediately take steps to mitigate the risk.

    What's affected

    On December 13, SolarWinds warned of highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. Threat actors were able to modify certain SolarWinds software updates to distribute malware, as discussed in more detail in FireEye’s related blog post. The malware creates a significant vulnerability in the systems of organizations that installed the updates. By exploiting the vulnerability, threat actors can install ransomware or additional malware, steal data from your network, obtain access to network resources, and install backdoors for remote access.

    What to do

    SolarWinds recommends the following mitigation steps and provides more details in their security advisory:

    • Determine which version of Orion Platform you are using and which hotfixes have been applied
    • Upgrade to the most recent version of the software
      Watch for an additional hotfix release anticipated for tomorrow
    • If you cannot upgrade immediately, implement mitigation steps including having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.

    CISA has also issued an emergency directive for government agencies on mitigation. The emergency directive goes into greater detail and is well worth reviewing.


    FireEye’s blog post discusses in depth how the attack works, how the malware operates, how post-compromise activity can be detected, and how you can mitigate the risks. FireEye has also released signatures to detect the threat actor and attack on their GitHub page.


    Microsoft has provided guidance on how attackers frequently escalate privileges and secure long-term access to the system as part of these attacks. See their post for recommended defenses and updated detections for Azure Sentinel and Microsoft Defender.

    Resources
    Sign up for Beazley updates