Threat Intel

Hello All. The deadline of December 31, 2020 that DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have imposed requiring that all US federal agencies to update their SolarWinds Orion platform to the latest version of Orion has come and gone. We all know having been on the sharp end of the stick requiring the business to update vulnerable software can sometimes end with the business accepting the risk. This is essentially what CISA is requiring US Government depts. and agencies to do if they are unable to upgrade for some reason or another.

They also have to provide proof that a “forensic analysis” has been conducted to verify that a breach has not already occurred using the vulnerable install of Orion. However, there is even an exception for those who are unable to perform a forensic analysis – “Agencies running affected versions that have no capability to conduct forensic analysis (system memory, host storage, network, and cloud) shall, at minimum, hunt for IOCs or other evidence of threat actor activity published in ED 21-01, Activity Alert AA20-352A, and future associated guidance. Agencies that, through hunting and/or forensic analysis, find these IOCs or evidence of threat actor activity, such as secondary AOO, shall assume breach and must report it as an incident to CISA through https://us-cert.cisa.gov/report”

Here is the supplemental guidance v3 from CISA:

“This supplemental guidance v3 requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2020.”

Would be interesting to know what the stats are on the remaining affected installations of Orion and what depts. and agencies are affected. With all the exceptions in place, do you think the US Government is leaving themselves open for breaches?

Read more on the CISA site: https://cyber.dhs.gov/ed/21-01/#supplemental-guidance

Read more

Hello all. So from all accounts it looks like the Russian state actors responsible for the SolarWinds breach may have managed to escalate access and pivot inside Microsoft’s internal network and gain access to a small number of internal accounts.

Microsoft have confirmed that their initial investigation has not identified any evidence of unauthorized access to production systems and/or customer data. They also confirmed that Microsoft systems were not used as a jump point to attack other networks.

The interesting twist to the story is that Microsoft is saying that these internal accounts were however used to access Microsoft source code repositories. From the Microsoft blog, “We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.” (http://bit.ly/3odoe9U)

The problem with this is it could lead to exactly the same MO that was used APT29 used on SolarWinds. Specifically, weaponizing source code at Microsoft. Imagine the fallout. Initial numbers affected by the SolarWinds breach was around 18,000. What if the goal was to perpetrate the exact same attack, but on source code used by the Windows operating system, the Windows Server operating system or Microsoft Office. According to U.S. analytics vendor Net Applications, Windows 10 accounted for 72.2% of Windows-only machines in October 2020 – At that rate of growth, it will run three out of four PCs by the end of January. Now, it is important to note that Microsoft has indicated that although source code was accessed, there is no indication that it was modified. However, can you imagine the fallout of a weaponized DLL for example being pushed out via Windows Update to over 1 billion PCs out there? (http://bit.ly/3bcTdzg)

Read more

Hello All. Quick follow-up to my post – SolarWinds Survival on December 29.  DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have ordered all US federal agencies to update their SolarWinds Orion platform to the latest version by the end of business hours on December 31, 2020, including those running non-affected versions of Orion.

“We issued V2 supplemental guidance to Emergency Directive 21-01,” CISA tweeted. “Agencies using non-affected versions must update to the new version.”

“The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code,” the agency said.

“Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020.”

CISA has indicated that agencies using non-affected versions must update to the new version since Orion Platform versions 2019.4 HF6 and 2020.2.1 HF2 given they are designed to protect from both the SUNBURST and SUPERNOVA malware.

Further information on the DHS CISA directive can be found at – https://cyber.dhs.gov/ed/21-01/#supplemental-guidance

Read more