On Sunday, it was reported that the US Treasury and Commerce departments may have been breached. According to Reuters, the cyber spies were able to break into systems “by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.”
This supply chain attack is what is believed to be behind the FireEye Breach which was disclosed last week. Both FireEye and SolarWinds are cyber security firms with big government contracts. Indeed, SolarWinds lists over 300,000 customers worldwide, including “over 425 of the US Fortune 500, all top ten US telecom companies, hundreds of universities and colleges, all five branches of the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.”
Just like the FireEye Breach announced last week, this is BIG cyber security news. In fact, “FireEye has notified all entities we are aware of being affected,” the company said, confirming that the nation-state hackers that breached its systems (tracked as UNC2452) are the same as the ones abusing SolarWinds’ Orion business software. It is currently believed that the SolarWinds hack led to the FireEye breach.
For its part, SolarWinds has released the following statement: it had just discovered its systems experienced, “a highly sophisticated, manual supply chain attack on Orion software builds for versions 2019.4 through 2020.2.1, released between March and June. We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.” Solarwinds is advising its clients upgrade to Orion Platform version 2020.2.1 HF 1 (Hot Fix). They plan to release follow-up Hot Fix on Tuesday.
So, what are you to do if you are running SolarWinds? First, patch your systems with the new hotfix that was just released. SolarWinds also provides additional hardening and mitigation info for those who cannot immediately apply the hotfix on vulnerable servers. SolarWinds also stated in their advisory: “The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.”