Description (TLP-WHITE)

MCIT is aware of a critical vulnerability that has been discovered in the SolarWinds Orion network management platform and is being actively exploited by a sophisticated threat actor. MCIT understands this is the same vector used in high-profile compromises, such as that of the security firm FireEye.

SolarWinds has released a hotfix patch to mitigate this vulnerability, and will release an additional hotfix expected Wednesday 16 December (Samoan Time). Following discussions with our international partners, MCIT is advising that organisations using the versions detailed below consider isolating these servers immediately and ensuring no internet egress is permitted until the servers can be patched and secured. Organisations will need to carefully assess the applicability of this guidance based on their network configuration and dependencies.

What’s happening:

Systems affected

SolarWinds has stated the vulnerability affects users of Orion versions:

  • 2019.4 – 2020.2.1

What this means

This vulnerability introduces backdoor remote execution access to servers running the vulnerable versions. A sophisticated threat actor has been using this access to compromise networks and exfiltrate data, with high-profile compromises reported in the United States. The nature of this vulnerability is such that any organisation using these versions is likely vulnerable to exploitation and could already be affected.

What to look for

How to tell if you’re at risk

  • You are affected by this vulnerability if you are using SolarWinds Orion versions:
    • 2019.4 – 2020.2.1
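The version range above is the only indicator the advisory gives, so the practical first step is to compare every Orion server in an inventory against it. The following is an added example, not part of the advisory or SolarWinds' own tooling. It assumes version strings are written the way this advisory writes them (for example "2020.2.1 HF 1"), treats 2020.2.1 HF 1 and later as mitigated because that is the hotfix the advisory names, and uses a constructed inventory with made-up hostnames.

```python
"""Classify SolarWinds Orion version strings against the affected range
named in the advisory (2019.4 through 2020.2.1).

Assumptions (not from the advisory's text): version strings look like
"2019.4", "2020.2.1" or "2020.2.1 HF 1"; only 2020.2.1 HF 1 and later
count as mitigated, since that is the hotfix the advisory names.
"""
import re

AFFECTED_MIN = (2019, 4)
AFFECTED_MAX = (2020, 2, 1)
MITIGATED_BASE = (2020, 2, 1)  # hotfix 1 on this base is the advisory's fix

# Four-digit year, one or two dotted components, optional "HF n" suffix.
_VERSION_RE = re.compile(
    r"^\s*(\d{4}(?:\.\d+){1,2})(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (base_tuple, hotfix_number) or None if the string is unrecognised."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    base = tuple(int(part) for part in match.group(1).split("."))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return base, hotfix


def classify(text):
    """Return 'affected', 'mitigated', 'not_in_range' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # unparsable strings must be checked by hand, not ignored
    base, hotfix = parsed
    # Tuple comparison orders (2020, 2) before (2020, 2, 1) before (2020, 3),
    # so a two-component version such as 2020.2 falls inside the range.
    if not (AFFECTED_MIN <= base <= AFFECTED_MAX):
        return "not_in_range"
    if base == MITIGATED_BASE and hotfix >= 1:
        return "mitigated"
    return "affected"


def triage(inventory):
    """Group hosts by classification so affected ones can be isolated first."""
    buckets = {"affected": [], "mitigated": [], "not_in_range": [], "unknown": []}
    for host, version in inventory:
        buckets[classify(version)].append(host)
    return buckets


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-prod-02", "2020.2.1 HF 1"),
    ("orion-dr-01", "2019.4"),
    ("orion-lab-01", "2019.2"),
    ("orion-old-01", "2020.2"),
    ("orion-unknown", "unknown build"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket need a manual version check rather than being dropped from the list; an unrecognised version string is not evidence that a server is safe.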

What to do

Preventions

MCIT recommends that you immediately isolate any Orion server from the network and apply the hotfix released by SolarWinds (Orion Platform version 2020.2.1 HF 1).

Immediately apply the subsequent hotfix when available (2020.2.1 HF 2).

MCIT strongly recommends that users of the affected versions rebuild servers once the 2020.2.1 HF 2 patch is available.

In addition to patching, MCIT recommends you take additional measures, including:

  • changing the passwords of all accounts accessible to Orion servers
  • analysing all configurations of network devices managed by the Orion platform for alteration
  • checking your network for unusual activity on user computers or systems
  • ensuring that your computer systems are updated and well patched
  • ensuring that your systems are well logged and have event logging enabled in all required areas.

Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.

MCIT will be revising this advisory as more information becomes available.

 

More References

SolarWinds’ security advisory

The Department of Homeland Security’s Emergency Directive 21-01

FireEye’s write-up of the vulnerability and post-compromise activity

CISA: Emergency Directive to mitigate compromise of SolarWinds Orion network management products

FireEye’s sunburst_countermeasures repository
