Solarwinds Breach: What This Means for You

You will almost certainly come across info of a Solarwinds breach at some point today or this week. The breach at the US Treasury, USG, Fire Eye, and others came from Solarwinds. Fortunately for us, this was a Solarwinds Core product involved, Orion, and not the same Solarwinds product that we use to support your networks.   This is an extremely limited, targeted, and manually executed attack that was customized per entity hit.  It is presumed that this was a nation-state actor, currently believed to be Russia. Huntress Labs has examined the code for the software probe that monitors your network and has determined that it is not affected.

For our co-managed BlueCentral IT clients with limited access to the Solarwinds N-Central RMM (remote monitoring and management system) for your networks, we have reset 2FA/MFA logins to be cautious. If you require access to N-Central, please let our Help Desk team know.

What We Know:

• This breach has been persistent since March of this year.
• This only affects customers using the Solarwinds Orion toolset (again, not employed by MidnightBlue)
• The extremely sophisticated breach appears to have been executed by a nation-state, at this time believed to be APT29 (AKA Cozy Bear).
• This was a supply chain attack, meaning they injected their code before it was signed and published by Solarwinds Core.
• Because this was signed software, it was almost undoubtedly white-listed by system admins because a trusted vendor signed it.
• The software package would lay dormant for up to 2 weeks after it was deployed.
• After it was deployed, it would reach out to a Command and Control URL to get packages for deployment.

What We Don’t Know:

• The implications of the breach. I.e., what was compromised, what levels of control were granted/exercised, etc.
• If this was the only signed software in the Orion suite affected or if there is potentially other malicious code that was signed.

While Midnight Blue’s toolset is not implicated in the breach, we have taken defensive steps to help protect our clients.

What Midnight Blue Has Done and is Doing:

• We take access to this tool seriously and have enforced and/or reset 2FA/MFA on all users
• While there is no indication that our tools are vulnerable, we have, out of an abundance of caution, put blocks in place, and have ensured that all of our own systems are patched and updated.
• We are in constant communication with Solarwinds’ product management team for updates and security posture discussions.
• We are watching the SOC and CISO reports being released related to this event to determine if the scope of attack widens as well as to determine if any additional attack surfaces need to be hardened.

Resources:

• Fire Eye report – https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• Microsoft security report including hashes for affected versions – https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
• Huntress labs updates – https://twitter.com/kylehanslovan/status/1338506923642122243?s=21

Breaches such as this one are one of many reasons why we’re always on for our clients. It’s our bottom line to keep your networks secure before threats even happen.

Please do not hesitate to reach out with any questions or concerns.