By now, most have heard of the recent high-profile cyberattack known as Solorigate or Sunburst. The attack occurred as a result of a compromise in the SolarWinds Orion IT monitoring and management software. This blog post is intended to provide our community a summary of the incident and some helpful resources to understand the potential impact on your organization and your network.
First, the Basics
The SolarWinds Orion product is a tool used widely by organizations to help monitor IT infrastructure. As a platform, Orion facilitates end-to-end management capabilities such as system health, performance, security, and operational efficiency across an entire organization's tech ecosystem, which is why it is so widely used by large institutions and corporations.
This tool became infected with malicious code in what is known as a "supply chain attack." This means that an upstream or third-party service was affected, and it in turn affected customers downstream in the supply chain. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released information regarding this incident via this bulletin on December 13, 2020. Initial investigations by cybersecurity experts report that this is a targeted, nation-state attack.
As mentioned in the advisory above, the affected versions of the Orion Platform are 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020.
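The version range above is the first thing a defender checks against an asset inventory. The following is an added example, not code from this post or from SolarWinds or CISA: it parses Orion build strings into a comparable key and flags every host whose build falls inside the page's range, which it treats as inclusive at both ends; the inventory it runs against is constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected range exactly as the advisory quoted above states it (inclusive).
AFFECTED_FIRST = "2019.4 HF 5"
AFFECTED_LAST = "2020.2.1 HF 1"

# Orion builds look like "2019.4", "2019.4 HF 5", "2020.2.1", "2020.2.1 HF 1".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Orion build string into (year, release, service_release, hotfix).

    Missing service-release and hotfix parts count as 0, so the tuples order
    as '2020.2' < '2020.2 HF 1' < '2020.2.1' < '2020.2.1 HF 1'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, release, service_release, hotfix = match.groups()
    return (int(year), int(release), int(service_release or 0), int(hotfix or 0))


def is_in_affected_range(version: str) -> bool:
    """True when the build lies inside the inclusive range named in the advisory."""
    low = parse_orion_version(AFFECTED_FIRST)
    high = parse_orion_version(AFFECTED_LAST)
    return low <= parse_orion_version(version) <= high


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose installed build is in the affected range."""
    return sorted(host for host, build in inventory.items() if is_in_affected_range(build))


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and builds are made up for the example.
    sample = {
        "mon-01": "2019.4 HF 4",
        "mon-02": "2019.4 HF 5",
        "mon-03": "2020.2",
        "mon-04": "2020.2.1 HF 1",
        "mon-05": "2020.2.1 HF 2",
    }
    for host in triage_inventory(sample):
        print(f"{host}: build {sample[host]} is in the affected range, investigate")
```

A build outside the range only means the host did not run a trojanized release; it says nothing about hosts that were already reached from an affected Orion server, which is what the post-compromise hunting resources further down are for.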
Who Was Affected?
Currently, it is estimated that as many as 18,000 SolarWinds customers were affected. Reports from Reuters, The Washington Post, and The Wall Street Journal say that the malicious code affected the U.S. departments of Homeland Security, State, Commerce, and Treasury and the National Institutes of Health, as well as many large corporations. These entities are still assessing the incident to determine if there has been a breach of customer data or information that they would in turn be required to report.
What Can I Do to Protect My Organization?
Microsoft has provided a useful blog post to help end users, customers, and IT departments understand the impact, and it offers suggestions for assessing your organization's own exposure. It is important to note that as of December 13, Microsoft states that they have "not identified any Microsoft product or cloud service vulnerabilities in these investigations." Organizations can stay informed of cyber-related activity by subscribing to receive alerts and emails from official government agencies.
To date, TechSoup's internal research has not found that we were affected. TechSoup will continue to monitor any impact this may have on our community as part of our normal security protocols.
1/4/2021 update: Microsoft has released an update on its internal research. Microsoft's continued investigation has reconfirmed that no production or Microsoft customer data has been impacted by this incident.
Now, the Technical Stuff
Cybersecurity experts have crafted tools to help organizations hunt internally to determine whether they were affected by the breach. In a worst-case scenario, this could result in an actor gaining elevated privileges within your organization's core systems. The following resources from Microsoft provide in-depth information on how to detect and (hopefully) remedy the situation.
- An Analysis of Solorigate, the Compromised DLL That Started the Cyberattack
- SolarWinds Post-Compromise Hunting with Azure Sentinel
At the time of this writing, there are still ongoing investigations regarding the scope and breadth of this incident and its impact on the civil-society sector. We will continue to keep you posted as new details emerge regarding this situation.