Earlier this week, SolarWinds announced they had discovered an allegedly state-sponsored compromise of their SolarWinds Orion platform, which was responsible for last week’s FireEye breach, where attackers stole sensitive “red team” hacking tools and potentially information related to certain government customers.
What You Need to Know
The US Cybersecurity and Infrastructure Security Agency (CISA) published a directive requiring all federal civilian agencies to review their networks for indicators of compromise (IoCs) and disconnect any running SolarWinds Orion servers. Additionally, SolarWinds is urging their customers to update their Orion installations to 2020.2.1 HF 1 as quickly as possible to mitigate the compromised components. They released version 2020.2.1 HF 2 earlier this week, which will replace the compromised components and “provide several additional security enhancements.”
What You Need to Do (If You Use SolarWinds Orion)
If you’re a SolarWinds Orion customer, install the updates from the SolarWinds Customer Portal as quickly as possible to mitigate this threat. You can use this link to check what version of the Orion Platform you are running, and can use this link to check which hotfixes you have applied.
While applying the update is your best fix, you can also configure some WatchGuard products to help mitigate this issue, and even limit potential future SolarWinds Orion risks. This attack leverages the SolarWinds Orion server ports, TCP 17776-17778. If you don’t need to expose these ports externally (to the Internet), you should block them with your Firebox. If you do need to provide remote access to these ports, you should at least limit that access. You can either configure a policy that only allows a limited group of IPs, domains, or users, or better yet, require VPN (preferably with multi-factor authentication) for remote clients to even reach the Orion server IP and ports.
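As an added example (not WatchGuard's code and not the Firebox policy format), the following Python audits a simplified, hand-constructed firewall policy list for the exposure described above: Orion's TCP 17776-17778 reachable from Any-External, evaluated first-match, the way an ordered rule base would decide it. The rule fields, rule names and sample policies are assumptions.

```python
# Added example: audit a simplified firewall policy for external exposure of
# the SolarWinds Orion server ports (TCP 17776-17778). Not WatchGuard's code;
# the Rule fields and sample policies below are assumptions.
from dataclasses import dataclass
from ipaddress import ip_network

ORION_PORTS = (17776, 17778)  # inclusive TCP range named in the advisory

@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    sources: list      # "Any-External", CIDR strings, or aliases like "VPN"
    proto: str         # "tcp" or "udp"
    ports: tuple       # (low, high), inclusive

def is_any_external(source):
    """True for the unrestricted external alias or a zero-length CIDR."""
    if source == "Any-External":
        return True
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False   # named alias (VPN, user group): a restricted source

def touches_orion(rule):
    low, high = rule.ports
    return rule.proto.lower() == "tcp" and low <= ORION_PORTS[1] and high >= ORION_PORTS[0]

def orion_exposure(policy):
    """First-match check of an unrestricted Internet client reaching any Orion
    port. Returns ("exposed" or "blocked", name of the deciding rule)."""
    for rule in policy:
        if touches_orion(rule) and any(is_any_external(s) for s in rule.sources):
            return ("exposed" if rule.action == "allow" else "blocked", rule.name)
    return ("blocked", None)   # no match: implicit default deny

def restricted_orion_allows(policy):
    """Allow rules that reach Orion only from a limited source set."""
    return [r.name for r in policy if r.action == "allow" and touches_orion(r)
            and not any(is_any_external(s) for s in r.sources)]

# Constructed sample policies (not from any real deployment).
WEAK = [Rule("Orion-Agents", "allow", ["Any-External"], "tcp", (17776, 17778))]
BROAD_FIRST = [Rule("Allow-All-In", "allow", ["0.0.0.0/0"], "tcp", (1, 65535)),
               Rule("Block-Orion", "deny", ["Any-External"], "tcp", (17776, 17778))]
FIXED = [Rule("Orion-VPN", "allow", ["VPN"], "tcp", (17776, 17778)),
         Rule("Orion-Partner", "allow", ["203.0.113.0/24"], "tcp", (17776, 17778))]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("broad-first", BROAD_FIRST), ("fixed", FIXED)):
        print(label, orion_exposure(policy), restricted_orion_allows(policy))
```

The BROAD_FIRST case shows why rule order matters: a broad allow placed before the Orion deny still leaves the ports exposed, so the deny has to sit above it.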
What WatchGuard Is Doing to Help
Beyond trying to inform our partners and users about this issue, WatchGuard is working to implement defenses into our products to detect and prevent some of the fallout associated with the wider breach. As mentioned, this incident is part of a wider attack that affected FireEye. In that attack, the threat actors stole proprietary and dangerous FireEye “red-team” tools that malicious actors could now use against other victims. FireEye has released a GitHub repository with many indicators of compromise (IoCs) for these tools. The WatchGuard product and engineering teams are actively working these IoCs into the products where it makes sense, in order to protect our customers from any new adversaries leveraging them maliciously.
To learn more about the incident, how it happened, and what you should be aware of as a security provider, read our post, published on the Secplicity blog.