SolarWinds Orion and Office 365 Attack

By Chris Nyhuis, Vigilant CEO

A Vigilant Threat Alerts Series

Over this past weekend, a new attack was disclosed that directly affects customers of SolarWinds Orion and Office365. Details are still coming out; however, we want to make sure you know how this may affect you and how we can protect you.

The details of this attack may directly pertain to you if you own or use SolarWinds Orion and/or Office365. If you don’t have these technologies, this email will still be informational.

How it happened:

Stage 1: SolarWinds Orion

  1. The attacker embedded a file into a software update on the SolarWinds Orion update website.
  2. If you updated your SolarWinds Orion software this year to any of versions 2019.4 through 2020.2.1 that were digitally signed between March and May 2020 and posted to the SolarWinds website, you downloaded the compromised file and had it installed.
  3. This was a trojan attack, meaning the malicious code sits dormant until activated. Once activated, it opens a backdoor into the target network and the attacker walks right in.
  4. Chances are you were not the target of the attack. The target(s) were most likely high-profile organizations that employ complex security solutions; the attacker made this easy for themselves by infecting everyone that uses SolarWinds Orion. Even if you had this file, it does not mean that you were hacked or that you had an incident. The attacker would only have come in if the file was activated.
  5. Another thing to remember is that the attack is hidden inside a digitally signed file from SolarWinds, so unless it is activated, or you know the file contains manipulated code, the file will not show up as malicious.

Stage 2: Office365

  1. Through various means (usually phishing), an attacker obtained credentials to log into Office365 accounts at the attacked organizations.
  2. Once in, the attacker read email to obtain sensitive information, gained a vantage point on what the target organizations were doing, and impersonated users.

As a Vigilant customer, you are covered. Vigilant is continuously hunting within our customers' environments to see whether any of our customers are exposed to any threats. Because of the nature of these attacks, how they are carried out, and their multiple attack points, coverage varies based on the services you subscribe to.

  • If you have MEP Level II – Because MEP Level II includes full on-system hunting and file-level inventory, we have scanned your environment for the filename and can definitively tell you whether the file is installed on any systems. At this point, we will have already alerted you if the file existed.

  • If you only have MEP Level I – We have detection for this attack, so if the file were to be activated, we can block the activity. However, MEP Level I does not include file system inventory, so while MEP Level I can detect and block the activity if the file is activated, without MEP Level II we cannot proactively tell you whether the file is installed. If you would like us to scan and hunt on these systems, please reach out to your Vigilant CRS agent and request an upgrade to MEP Level II. We can upgrade your MEP Level I systems within minutes.

  • If you have CyberDNA – The attacker enters a target company by activating the malicious code, which creates a backdoor command and control (C2) tunnel, much like a VPN into the network. CyberDNA® detects C2 traffic from a network standpoint and can tell whether this traffic exists. CyberDNA® and our teams are constantly on the lookout for C2 traffic and will notify you and help mitigate it if we find it.

  • Office365 Monitoring – Vigilant365™ monitors Office 365 for just $2.00 per user, per month. It takes less than 20 minutes to deploy and protects your O365 environment against account takeovers while reducing the time to detect attacks. Vigilant365™:

      • Tracks active and non-active user account statuses

      • Tracks inbox rule changes and password changes

      • Monitors and flags any emails forwarded outside of your organization

      • Identifies geographically distributed logins and calculates the distance between login locations to identify impossible-travel logins
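The two Office 365 checks described above (impossible-travel logins and forwarding rules that send mail outside the organization) can be expressed as a small detection pass over sign-in and inbox-rule audit events. The block below is an added example and is not Vigilant365™ code; the event records are constructed for the example, the field names, the tenant domain `example.com`, the 900 km/h plausible-travel ceiling and the 100 km minimum distance are all assumptions, and in practice the latitude/longitude would come from IP geolocation of the real audit log entries.

```python
"""Impossible-travel and external-forwarding checks over constructed Office 365 events.

Added example, not Vigilant365 code. Event shapes, thresholds and the tenant
domain are assumptions; real records come from the Office 365 audit log.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly commercial-flight speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore geolocation jitter within a metro area
ORG_DOMAIN = "example.com"  # placeholder tenant domain

# Constructed sign-in events (lat/lon would come from IP geolocation in practice).
SIGNINS = [
    {"user": "alice@example.com", "ts": "2020-12-14T09:00:00Z", "city": "Columbus", "lat": 39.96, "lon": -82.99},
    {"user": "alice@example.com", "ts": "2020-12-14T09:45:00Z", "city": "Kyiv", "lat": 50.45, "lon": 30.52},
    {"user": "bob@example.com", "ts": "2020-12-14T09:00:00Z", "city": "Columbus", "lat": 39.96, "lon": -82.99},
    {"user": "bob@example.com", "ts": "2020-12-14T11:00:00Z", "city": "Cleveland", "lat": 41.50, "lon": -81.69},
]

# Constructed inbox-rule audit events.
INBOX_RULES = [
    {"user": "alice@example.com", "op": "New-InboxRule", "forward_to": "alice.backup@example.com"},
    {"user": "alice@example.com", "op": "New-InboxRule", "forward_to": "collector@attacker-mail.example"},
    {"user": "bob@example.com", "op": "Set-InboxRule", "forward_to": None},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, from_city, to_city, km, kmh) for consecutive sign-ins whose implied speed is impossible."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            # Two distant logins in the same instant: treat as infinite speed.
            kmh = float("inf") if hours == 0 else km / hours
            if km >= min_km and kmh > max_kmh:
                findings.append((user, prev["city"], cur["city"], round(km), round(kmh)))
    return findings


def find_external_forwarding(rule_events, org_domain=ORG_DOMAIN):
    """Return (user, forward_to) for inbox rules that forward mail outside the organization."""
    hits = []
    for r in rule_events:
        target = r.get("forward_to")
        if target and target.rsplit("@", 1)[-1].lower() != org_domain.lower():
            hits.append((r["user"], target))
    return hits


if __name__ == "__main__":
    for f in find_impossible_travel(SIGNINS):
        print("impossible travel:", f)
    for h in find_external_forwarding(INBOX_RULES):
        print("external forwarding rule:", h)
```

Run as a script, it flags only alice: roughly 8,000 km between Columbus and Kyiv in 45 minutes is far above any plausible speed, while bob's 200 km in two hours is ordinary, and alice's second rule forwards to a domain that is not the tenant's. The minimum-distance floor matters in practice because geolocation of nearby IP ranges can jump a few kilometres between logins seconds apart, which would otherwise produce an absurd speed and a false alert.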

SolarWinds Orion Related Recommended Actions:

Along with the details of the SolarWinds Orion supply chain attack, recommended courses of action have also been published. If you have the impacted SolarWinds Orion product in your environment, the recommendations are as follows:

  1. Subscribe to CyberDNA, MEP I and MEP II for holistic coverage of all the threat vectors where this attack can be detected.

  2. In addition to security monitoring, Vigilant provides server and system performance monitoring.

  3. Ensure that any SolarWinds servers are isolated/contained until further review and investigation is conducted. (This should include blocking all Internet egress from SolarWinds servers and/or powering them off if necessary.)

  4. If SolarWinds infrastructure is not isolated, consider taking the following steps:
     a. Restrict the scope of connectivity from SolarWinds servers to endpoints, especially those that would be considered Tier 0 / crown jewel assets.
     b. Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
     c. Block Internet egress from servers or other endpoints with SolarWinds software.
     d. Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers/infrastructure.
     e. If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications.

  5. Immediately install any available updates and/or patches to applicable systems. Currently, 2020.2.1 HF 1 is the latest patch available for download; however, HF 1 does not address the security concerns related to this attack. 2020.2.1 HF 2 is anticipated to be released on December 15th, 2020.
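The first practical question for both the affected-version statement in Stage 1 and the patching action above is which hosts are running a build in the 2019.4 through 2020.2.1 range and which already carry a fixed hotfix. The block below is an added example, not Vigilant's or SolarWinds' code: it parses Orion version strings (including the "HF n" hotfix suffix) from a constructed host inventory and sorts hosts into isolate / verify / clear buckets. It treats 2020.2.1 HF 2 as the fixed build only because this alert says that hotfix is the one expected to address the issue; that assumption, the inventory, and the hostnames are all constructed, and the verdict should be confirmed against the current SolarWinds advisory. Note that the alert's other affected-build criterion (signed between March and May 2020) is not checked here, so a version-range match marks a host for isolation and review rather than proving it is compromised.

```python
"""Triage a host inventory for SolarWinds Orion builds in the affected range.

Added example, not Vigilant's or SolarWinds' code. The inventory is constructed;
real version strings would come from an asset inventory or the Orion console.
"""
import re

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF 1", "2020.2.1HF2" (case-insensitive).
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)

AFFECTED_LOW = (2019, 4, 0)   # first affected release named in the alert
AFFECTED_HIGH = (2020, 2, 1)  # last affected release named in the alert
FIXED_HOTFIX = 2              # assumption: 2020.2.1 HF 2 is the fixing hotfix per the alert

# Constructed inventory: hostname -> Orion version as reported by the host.
INVENTORY = {
    "orion-01": "2020.2.1 HF 1",
    "orion-02": "2019.4.1",
    "orion-03": "2018.4",
    "orion-04": "2020.2.1 HF 2",
    "orion-05": "2020.2",
    "orion-06": "unknown",
}


def parse_orion_version(text):
    """Return ((year, major, minor), hotfix) or None if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    year, major, minor, hf = m.groups()
    return (int(year), int(major), int(minor or 0)), int(hf or 0)


def is_affected(text):
    """True if the build is in 2019.4 .. 2020.2.1 and below the fixing hotfix;
    False if outside that range or already fixed; None if the string cannot be parsed."""
    parsed = parse_orion_version(text)
    if parsed is None:
        return None
    base, hotfix = parsed
    if not (AFFECTED_LOW <= base <= AFFECTED_HIGH):
        return False
    if base == AFFECTED_HIGH and hotfix >= FIXED_HOTFIX:
        return False
    return True


def triage(inventory):
    """Sort hosts into isolate (affected build), verify (unparseable version) and clear buckets."""
    buckets = {"isolate": [], "verify": [], "clear": []}
    for host, version in sorted(inventory.items()):
        verdict = is_affected(version)
        key = "verify" if verdict is None else ("isolate" if verdict else "clear")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "isolate" bucket are the ones the containment steps above apply to (block egress, restrict connectivity and local administrators, rotate passwords) pending review; "verify" hosts have a version string the script could not interpret and need a manual check rather than a silent pass.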

Lastly, if you are only taking advantage of one of our services (e.g., CyberDNA®, MEDR or Vigilant365™) and would like to learn how to both strengthen your security and reduce your security risk, please contact your Vigilant Customer Relationship Specialist.
