Responding to the global SolarWinds compromise

Sophisticated supply chain attack targeting governments and global organisation

What has happened?

SolarWinds provides endpoint management software to many global organisations and central governments. The SolarWinds “Orion” IT monitoring product has been identified as backdoored with previously undocumented malware known as SUNBURST, infected versions distributed to customers via SolarWinds' legitimate update mechanism, and used to compromise high-profile government and public sector organisations.

As per SolarWinds’ advisory, all software builds for versions 2019.4 to 2020.2.1, released between March 2020 and June 2020, were compromised. This means any system which received a SolarWinds Orion update to a build between these versions is at risk of compromise or has already been compromised.

SolarWinds estimate that up to 18,000 organisations received an affected update. However, it is important to note that just because an organisation has received an affected update does not mean they were compromised - it means they were vulnerable. The number of organisations compromised through the backdoored update is much smaller and focused on specific sectors. Reporting from FireEye suggests this is approximately 50.

In brief:

  • SolarWinds Orion software compromised by SUNBURST malware;
  • Software version 2019.4 to 2020.2.1 released between March 2020 and June 2020, were compromised;
  • Up to 18,000 organisations received an affected update;
See how you can mitigate the risk. 

How far does the attack go back?

The first backdoored SolarWinds Orion version was released for download in March 2020. However, earlier activity linked to this attack has been identified:

  • Security researchers identified other unauthorised modifications to the SolarWinds Orion code going back as far as October 2019 - is it likely that these were "test runs" performed by the same attacker responsible for the backdoor, to validate their ability to release modified code.

  • The earliest domain registration date linked to this attack was in August 2019.

Is this the biggest/ worst cyber attack identified to date?

  • This attack is certainly sophisticated and has had far-reaching impacts, but characterising this as "the biggest" or "the worst" cyber attack is unlikely to stand up to scrutiny.

  • The "NotPetya" destructive malware attack in 2017 caused "more than $10 billion in total damages" according to a senior US Government cyber security adviser.

  • The "WannaCry" ransomware attack in 2017 (attributed by the US and UK government to North Korea) infected over 200,000 computers worldwide. In particular, this attack impacted the UK's National Health Service causing "thousands of appointments and operations" to be cancelled and multiple emergency care departments to redirect patients as they were unable to effectively operate.

  • "Operation Cloud Hopper" targeted managed IT service providers (MSPs), allowing China-based APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.

How you should respond?

How can you find out if you have the affected SolarWinds product?

Any organisation with SolarWinds Orion versions 2019.4 to 2020.2.1 should assume they may have been affected and investigate to understand whether there are any indicators of compromise (IOCs). 

Any organisation which identifies indicators of compromise relating to this activity has almost certainly been affected and should commence an incident response process, beginning with the immediate response actions detailed in Step 2. 

Even if you do not have an affected SolarWinds product, there are steps they may wish to take. See Steps 2 and 3 for more details.

How will you know if you have SolarWinds products?

If a reliable configuration management database (CMDB) is not available, organisations can identify SolarWinds products in their environment by:

  • Searching network logs for connections to the legitimate SolarWinds update site at downloads[.]solarwinds[.]com

  • Searching for running SolarWinds processes in their endpoint detection and response (EDR) tool.

Once a SolarWinds product is identified, organisations should then investigate hosts to determine the specific software in use.

How will you know if you have the affected SolarWinds Orion versions?

Organisations can determine SolarWinds Orion version number by:

  • Checking the SolarWinds Orion console.

  • Reviewing the “Programs and Features” area of the Control Panel on the host.

If you have affected SolarWinds Orion version, what immediate action should they take?

Any organisation which believes they are affected should immediately invoke relevant incident response plans and take rapid containment action to temporarily mitigate risk.

Specific containment actions required are based on the perceived risk to the affected organisation. Our current intelligence on this attack indicates that likely targets are primarily high-profile central government departments with a foreign affairs or defence remit. Any affected organisation in this category should consider themselves high-risk. Organisations outside of this category may wish to consider themselves lower-risk and therefore implement less disruptive containment actions.

  • Low-risk organisations should upgrade impacted SolarWinds Orion servers. 

    Low-risk organisations should upgrade to the most recent Orion Platform release 2020.2.1 HF 1 (available for download from the SolarWinds Customer Portal) and be prepared to upgrade to Orion Platform release 2020.2.1 HF 2 when it is released on 15 December 2020.

  • High-risk organisations should disable or isolate impacted SolarWinds Orion servers.

    High-risk organisations should immediately disable (i.e. shut down) or isolate any systems hosting impacted instances of SolarWinds Orion from their network, and not upgrade until a full risk assessment can be performed over the upgraded SolarWinds Orion version.

These immediate containment measures are highly unlikely to fully mitigate the risk of compromise, especially if the attacker already has access to the environment, and organisations should ensure they have sufficient capability to execute a successful response.

If you have a SolarWinds Orion product but not the affected version, what immediate action should they take?

At the moment, organisations with a SolarWinds Orion product version outside 2019.4 to 2020.2.1 are not believed to be impacted by this attack. However, as of 30 December 2020 CISA is mandating "all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1HF2" due to "the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion".

Any organisations operating versions of SolarWinds Orion not affected in this attack should upgrade to the latest version (2020.2.1HF2) as soon as possible.

Once this step has been completed, organisations should also review the next steps below.

 

This attack highlights the risk posed by supply chain attacks. Organisations should also consider the following:

  • What privileges are given to third-party software (such as SolarWinds) and has the principle of least privilege has been applied?

    Organisations often provide IT management and security software with blanket elevated privileges, which unnecessarily results in unnecessary security risks. Organisations should work with vendors to understand the specific privileges service accounts require, grant these and no more, and monitor for any potential abuse.

  • Can threat detection capabilities detect malicious activity?

    This attack went on for many months without being detected, which highlights the importance of logging, monitoring, and alert investigation. Organisations should ensure they have the mechanisms in place to identify malicious activity across their environment, and test this by replicating offensive techniques. In particular, organisations should ensure they have visibility of authentication systems and identity providers.

  • Is identity and access protected?

    Many organisations still operate outdated and insecure identity and access management systems built on legacy implementations of Microsoft's on-premise Active Directory. Organisations should seek to move to modern solutions (for example, Azure Active Directory) where possible, and otherwise ensure that key systems such as ADFS are protected.

How can PwC help you?

Our front-line cyber teams are working with governments and clients around the world to help identify those organisations targeted in this attack, and ensure a rapid response. Relevant services include:

Prevent

Our technical and strategic threat intelligence teams have an in-depth understanding of the technical capabilities displayed by this attacker, the operational techniques used, and the strategic context. 

We can help customers prioritise defensive controls and understand the risk of exposure, and provide threat intelligence subscription services, and directed research.

Our privileged access management team provides a range of assurance, advisory and implementation services which help organisations to identify high-risk or high-value identities, and design and implement technical controls to mitigate the risk of compromise. 

They have extensive experience working with a range of identity technologies including Microsoft's Active Directory, CyberArk, SailPoint, and more.

Detection

Our threat detection team has extensive experience detecting malicious activity on our clients' networks, and can help identify evidence of potential compromise using our alliances with Tanium, Palo Alto Networks, and other technology vendors.

Respond

Our cyber incident response teams can help organisations respond to, remediate, and recover from sophisticated and targeted cyber attacks. 

We are able to provide end-to-end support, including hands-on digital forensics and intrusion analysis, malware reverse engineering, incident management and coordination, and board-level crisis support.

{{filterContent.facetedTitle}}

{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}
{{contentList.loadingText}}

Contact us

Anthony Leung Shing

Anthony Leung Shing

Country Senior Partner, Tax Leader, PwC Mauritius, PwC Mauritius

Tel: +230 404 5071

Vikas Sharma

Vikas Sharma

Regional Consulting & Risk Services (C&RS) Leader, PwC Mauritius

Tel: +230 404 5015

Ariane Serret

Ariane Serret

Senior Manager, Clients and Markets Development, PwC Mauritius

Tel: +230 4045029

Follow PwC Mauritius