December 17, 2020
US Government joins other nations and organizations targeted in a series of global cyber attacks
The recently identified, months-long hack of the SolarWinds® Orion® Platform software, which monitors the computer networks of tens of thousands of private users, including Fortune 500 companies and government agencies worldwide, is considered one of the largest and most sophisticated attacks against US government agencies and officials in recent years.
In an announcement from December 16th, SolarWinds reported that the hack targeted versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion software. By getting tens of thousands of private and government users to download an Orion software update contaminated with malicious code, the attackers gained remote access to the servers on which Orion operated and were able to steal sensitive information.
The breach came to light after FireEye, a leading cybersecurity company, announced that it had itself been breached through its SolarWinds software. However, to date, it remains unclear which government agencies were compromised by the attack.
While the specific attackers have not been identified, the attack is assessed to have been carried out by Russian agents. SolarWinds is now reportedly working with FireEye as well as the FBI to investigate the breach, which, according to FireEye, demonstrated remarkable cyber capabilities.
- Review the ID (indicator) files that should be monitored in your organizational systems;
- Examine whether your systems can operate without the Orion software, and unplug it or take down the servers;
- Search your logs, starting from March 2020, for traffic associated with the attackers based on the ID files;
- If your organizational systems support the file definitions published by FireEye, it is recommended to install them;
- Install the Orion Platform behind firewalls;
- Disable internet access for the Orion Platform;
- Limit ports and connections to only those that are necessary;
- Install the new updated version 2020.2.1 HF1, which includes replacements for the manipulated components.
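As an added example of the log-review step above (not code from the original post or from TSOC/TrustNet), the script below scans constructed log lines for hits on an indicator list, restricted to the period from March 2020 onward. The indicator values, the log format and the sample lines are all constructed placeholders (documentation-only IP ranges and example domains); in practice the indicator sets would be loaded from the file definitions published by the vendor or by FireEye.

```python
"""Scan connection logs for hits on an indicator list, restricted to the
attack window (from March 2020 onward).

Added example, not part of the original post. Indicators, log format
and sample log lines below are constructed for illustration only.
"""
from datetime import date, datetime
import ipaddress
import re

# Constructed placeholder indicators, standing in for a published
# indicator (ID) file. Replace with the vendor's or FireEye's list.
INDICATOR_DOMAINS = {"update-check.example", "c2.example.net"}
INDICATOR_IPS = {ipaddress.ip_address("203.0.113.10"),
                 ipaddress.ip_address("198.51.100.7")}
INDICATOR_HASHES = {"0" * 64}  # placeholder SHA-256 value

# Start of the period the advisory says to review.
WINDOW_START = date(2020, 3, 1)

# Constructed log format: "<ISO timestamp> <src_ip> -> <dst> [sha256=<hex>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)(?: sha256=(?P<sha>[0-9a-f]{64}))?$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "sha": m["sha"]}


def matches(rec):
    """Return the indicator types ('ip', 'domain', 'hash') that hit this record."""
    hits = []
    dst = rec["dst"]
    try:
        if ipaddress.ip_address(dst) in INDICATOR_IPS:
            hits.append("ip")
    except ValueError:
        # Not an IP literal: treat as a hostname, matching the domain or any subdomain.
        host = dst.lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS):
            hits.append("domain")
    if rec["sha"] and rec["sha"] in INDICATOR_HASHES:
        hits.append("hash")
    return hits


def scan(lines, window_start=WINDOW_START):
    """Return (timestamp, destination, hits) for every in-window line that matches."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"].date() < window_start:
            continue  # unparseable, or before the review window
        hits = matches(rec)
        if hits:
            findings.append((rec["ts"].isoformat(), rec["dst"], hits))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-02-20T09:00:00 10.0.0.5 -> c2.example.net",              # before window: skipped
    "2020-03-04T10:15:00 10.0.0.5 -> sub.update-check.example",    # subdomain of an indicator
    "2020-04-01T11:00:00 10.0.0.9 -> 203.0.113.10",                # indicator IP
    "2020-05-02T12:00:00 10.0.0.9 -> files.example.org sha256=" + "0" * 64,  # indicator hash
    "2020-06-10T13:00:00 10.0.0.2 -> intranet.example.org",        # benign
    "this line is not in the expected format",                    # ignored
]

if __name__ == "__main__":
    for ts, dst, hits in scan(SAMPLE_LOG):
        print(f"{ts}  {dst}  matched: {', '.join(hits)}")
```

The window filter is applied before indicator matching so that historical traffic to a domain that later became an indicator is not reported; widen the window if your retention allows it, and treat any hit as a starting point for investigation rather than a confirmed compromise.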
The attack on the US government joins other cyber-attacks identified towards the end of 2020 that targeted different nations, including Israel. Recent significant cyber-attacks against over 80 targets in the Israeli economy were carried out by Iranian hacker groups and other players. These attacks hit both local private organizations, such as insurance agencies, and government bodies, such as a local water reservoir.
TSOC’s IR team works around the clock to provide support and assistance to organizations. At this time, it is important to remember a few basic principles:
- Patch management – make sure all systems are updated and have no unpatched critical vulnerabilities;
- Configuration hardening – change default passwords and make sure all configurations are set correctly;
- Follow the principles of least privilege and separation of duties;
- Visibility – make sure you have logs and audit trails from critical locations in your infrastructure (FW, DC, etc.), and make sure you have an EDR to support investigations and response times;
- Manage your supply chain – your suppliers are the back entrance to your castle. Watch them, audit them, manage them.
Stay Safe with TrustNet!