
CISA Issues Emergency Directive To All Federal Civilian Agencies To Power Down SolarWinds Orion Products Immediately Due to Hack

ThePointblank

This is a pretty big emergency directive coming from the Cybersecurity and Infrastructure Security Agency (CISA), directing all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately due to a known exploit that is apparently being exploited by hackers. This after the US Treasury and the US NTIA were apparently breached by hackers. A foreign government is suspected and the National Security Council met Saturday to discuss the fallout.

The directive from CISA:

https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network

Quote

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.  

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”  

This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.  

The Reuters news piece talking about the original hack:

https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG

Quote

WASHINGTON (Reuters) - Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.

U.S. officials have not said much publicly beyond the Commerce Department confirming there was a breach at one of its agencies and that they asked the Cybersecurity and Infrastructure Security Agency and the FBI to investigate.

National Security Council spokesman John Ullyot added that they “are taking all necessary steps to identify and remedy any possible issues related to this situation.”

The U.S. government has not publicly identified who might be behind the hacking, but three of the people familiar with the investigation said Russia is currently believed to be responsible for the attack. Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.

The IT services company, SolarWinds confirmed that they were the subject of a highly sophisticated hack:

https://www.reuters.com/article/us-usa-solarwinds-cyber/it-company-solarwinds-says-it-may-have-been-hit-in-highly-sophisticated-hack-idUSKBN28N0Y7

Quote

WASHINGTON (Reuters) - IT company SolarWinds said on Sunday that monitoring products it released in March and June of this year may have been surreptitiously tampered with in a “highly-sophisticated, targeted and manual supply chain attack by a nation state.”

SolarWinds has a number of high profile contracts providing IT services, with their website indicating they provide IT services to 425 of the Fortune 500 companies, and various US government departments, such as NOAA, the Pentagon, State Department, the US Postal Service, Office of the President of the United States, and all five branches of the US Military.

For those not familiar with it, SolarWinds is a network management system (NMS), and is one of the more ubiquitous network management systems out there. These systems are usually used to monitor, control, and configure network devices and critical servers, and often have critical access to most (often all) systems on the network.

An NMS not only has the ability to monitor all systems on the network, but also to maintain the availability of the more critical systems on the network, and as such, they have the ability to monitor and control services becoming unresponsive and restart them, all before a network admin even becomes aware of an issue.

FireEye, an IT cybersecurity company (and also one of the companies affected by the hack) had this article up on their site on the SolarWinds hack:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Quote

FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

Basically, what FireEye is saying is that the malware slips in via a trojan that uses a modified version of the component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. The malware then hides on the network, dormant for roughly two weeks, then it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. It masquerades this activity as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

In all, this is a very big hack, affecting many companies and government agencies.


This is a major happening if I ever did see it

https://www.solarwinds.com/company/customers

That is a very concerning list. Is it war now?

Also kind of related... load this up on mobile and check out what powers the Dominion Voting company's site

https://dvsfileshare.dominionvoting.com/

1 hour ago, Jet_ski said:

Monitoring emails since June!!!!

Well it's a good thing everyone has moved to Cloud and SaaS with all communications done through Teams/Slack etc. I mean who uses email nowadays, that's old tech, yuck. Industry experts and commentators must be right about this, it's all they talk about and it's all you hear from management levels.


When something is connected to the internet, expect it to get hacked...

At least this seems to mostly only affect people who can afford to replace it.

Huh, I thought someone found an exploit in renewable energy grids.

Edit: I see the problem

4 hours ago, williamcll said:

Huh, I thought someone found an exploit in renewable energy grids.

Edit: I see the problem

Same.

Also sounds like they were able to spoof a legitimate update from SolarWinds themselves, which from what's being said is a result of a separate hack of SolarWinds themselves. If so SolarWinds really screwed up if the stuff on their end needed to do that was exposed over the network. That stuff should be air-gapped.

5 hours ago, williamcll said:

Huh, I thought someone found an exploit in renewable energy grids.

Edit: I see the problem

-snip-

Lol "sophisticated"

Always someone just leaving a door open somewhere. Every time.

Definitely sponsored by a nation-state. The hackers weren't simply there to exploit for profit. This has all the hallmarks of spying / espionage. They snuck in and stayed there like a camping ninja for a very long time.

11 hours ago, Dataanti said:

is it war now?

No one wins thermonuclear warfare.

If you're Russia, they can get away with anything. All you can do on the receiving side is defense. Offense is not an option lest it lead to kinetic action.

So the un-hackable, totally secure and trustworthy election system that has recently been used in the US... is in fact... not that.

Go figure :P

51 minutes ago, StDragon said:

If you're Russia, they can get away with anything. All you can do on the receiving side is defense. Offense is not an option lest it lead to kinetic action.

Offense is very much an option for the US. In fact, the US has done many offensive hacks before.

2 minutes ago, SolarNova said:

So the un-hackable, totally secure and trustworthy election system that has recently been used in the US... is in fact... not that.

Go figure :P

There is no evidence that this hack affected the security of the US election.

14 minutes ago, Belgarathian said:

Uh oh 

I received an e-mail from SolarWinds. According to them, this only affects the Orion Platform software builds versions 2019.4 through 2020.2.1.

"At this time, we are not aware of an impact to our SolarWinds MSP products including RMM and N-central."
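The version range in that e-mail is the first thing an admin has to check across every Orion poller they run. The script below is an added example, not SolarWinds' or CISA's own code: it parses Orion build strings, tests them against the range quoted above (2019.4 through 2020.2.1, inclusive), and groups a constructed sample inventory by status. The hostnames and version strings in the inventory are constructed, and treating a hotfix suffix (e.g. "HF2") on an in-range base build as "verify against the vendor advisory" rather than as affected or fixed is an assumption of this example, since the thread only quotes base builds.

```python
# Added example (not SolarWinds' or CISA's code): classify Orion Platform build
# versions against the affected range quoted in the thread, 2019.4 through
# 2020.2.1 inclusive, and triage a constructed sample inventory.
from typing import Dict, List, Tuple

AFFECTED_LOW: Tuple[int, ...] = (2019, 4)
AFFECTED_HIGH: Tuple[int, ...] = (2020, 2, 1)

# Constructed sample inventory: (hostname, version string as reported by the host).
INVENTORY: List[Tuple[str, str]] = [
    ("orion-poller-01", "2020.2.1"),
    ("orion-poller-02", "2019.4"),
    ("orion-poller-03", "2018.4"),
    ("orion-poller-04", "2020.2"),
    ("orion-poller-05", "2020.2.1 HF2"),  # hotfix suffix: check the vendor advisory
    ("orion-poller-06", "2019.2"),
]


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2020.2.1 HF2' into ((2020, 2, 1), 'HF2'); suffix is '' when absent."""
    tokens = version.strip().split()
    if not tokens:
        raise ValueError("empty version string")
    base = tuple(int(part) for part in tokens[0].split("."))
    suffix = " ".join(tokens[1:])
    return base, suffix


def _pad(parts: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (2020, 2) compares as (2020, 2, 0)."""
    return parts + (0,) * (width - len(parts))


def is_affected(version: str) -> bool:
    """True when the base build lies in [2019.4, 2020.2.1]; hotfix tags are ignored."""
    base, _ = parse_version(version)
    width = max(len(base), len(AFFECTED_LOW), len(AFFECTED_HIGH))
    return _pad(AFFECTED_LOW, width) <= _pad(base, width) <= _pad(AFFECTED_HIGH, width)


def classify(version: str) -> str:
    """Return 'affected', 'unaffected', or 'verify-hotfix'.

    The thread quotes base builds only, so an in-range build carrying a hotfix
    tag is flagged for a manual check against the vendor advisory instead of
    being assumed either way (an assumption of this example).
    """
    _, suffix = parse_version(version)
    if not is_affected(version):
        return "unaffected"
    return "verify-hotfix" if suffix else "affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification so affected hosts can be isolated first."""
    groups: Dict[str, List[str]] = {"affected": [], "verify-hotfix": [], "unaffected": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Run as-is it prints the three groups for the sample inventory; in practice you would feed `triage()` the (hostname, version) pairs pulled from your own asset inventory and act on the "affected" group first, per the directive quoted at the top of the thread.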


2 hours ago, StDragon said:

I received an e-mail from SolarWinds. According to them, this only affects the Orion Platform software builds versions 2019.4 through 2020.2.1.

"At this time, we are not aware of an impact to our SolarWinds MSP products including RMM and N-central."

I always laugh internally every time I read an email from companies like this, keeping it open to the fact that if they have completely messed things up they can just tack on later products and still say "we didn't know".

1 hour ago, wanderingfool2 said:

I always laugh internally every time I read an email from companies like this, keeping it open to the fact that if they have completely messed things up they can just tack on later products and still say "we didn't know".

I got a similar e-mail back when Tyler Technologies got hacked a few months ago. At first, they said it wasn't much of a concern but the hack was limited in scope. Basically, they develop software used by local municipalities; so they're pretty big. Anyways, the first thing I did was change the passwords to their vendor accounts. Days later, I received a follow-up e-mail stating we should be changing passwords.

Basically, if you have SolarWinds %anything%, keep the news close by and change your passwords anyway. And as always, use 2FA / MFA.

4 hours ago, Random_Person1234 said:

Offense is very much an option for the US. In fact, the US has done many offensive hacks before.

17 hours ago, Dataanti said:

This is a major happening if I ever did see it

https://www.solarwinds.com/company/customers

That is a very concerning list. Is it war now?

Also kind of related... load this up on mobile and check out what powers the Dominion Voting company's site

https://dvsfileshare.dominionvoting.com/

Customer list is now down but here is a small list. Note that not just the US government is on here but some of the big ISPs along with US defense contractors.

Acxiom
Ameritrade
AT&T
Bellsouth Telecommunications
Best Western Intl.
Blue Cross Blue Shield
Booz Allen Hamilton
Boston Consulting
Cable & Wireless
Cablecom Media AG
Cablevision
CBS
Charter Communications
Cisco
CitiFinancial
City of Nashville
City of Tampa
Clemson University
Comcast Cable
Credit Suisse
Dow Chemical
EMC Corporation
Ericsson
Ernst and Young
Faurecia
Federal Express
Federal Reserve Bank
Fibercloud
Fiserv
Ford Motor Company
Foundstone
Gartner
Gates Foundation
General Dynamics
Gillette Deutschland GmbH
GTE
H&R Block
Harvard University
Hertz Corporation
ING Direct
IntelSat
J.D. Byrider
Johns Hopkins University
Kennedy Space Center
Kodak
Korea Telecom
Leggett and Platt
Level 3 Communications
Liz Claiborne
Lockheed Martin
Lucent
MasterCard
McDonald’s Restaurants
Microsoft
National Park Service
NCR
NEC
Nestle
New York Power Authority
New York Times
Nielsen Media Research
Nortel
Perot Systems Japan
Phillips Petroleum
Pricewaterhouse Coopers
Procter & Gamble
Sabre
Saks
San Francisco Intl. Airport
Siemens
Smart City Networks
Smith Barney
Smithsonian Institute
Sparkasse Hagen
Sprint
St. John’s University
Staples
Subaru
Supervalu
Swisscom AG
Symantec
Telecom Italia
Telenor
Texaco
The CDC
The Economist
Time Warner Cable
U.S. Air Force
University of Alaska
University of Kansas
University of Oklahoma
US Dept. Of Defense
US Postal Service
US Secret Service
Visa USA
Volvo
Williams Communications
Yahoo

I'll be updating this list to a table when I get home for a more detailed breakdown

1 hour ago, rcmaehl said:

-le snip-

Why would they tout this? You'd think for security purposes it'd be more beneficial to not go "LOOK AT ALL THESE COMPANIES I HAVE DOMAIN ADMIN ACCESS IN"...Nothing like putting a big ol' target on your company for being the keys to the castle for almost every major multinational business and multiple government agencies😂

4 hours ago, imreloadin said:

Good thing SolarWinds' CEO managed to sell $15,000,000 worth of SolarWinds' stock before all this happened back on 11/18/20 & 11/19/20😬...

Source: https://finance.yahoo.com/news/solarwinds-corp-swi-president-ceo-181502379.html

Depending on what he knew and when, it could be a case of insider trading per the SEC. Or, it could be just one heck of a coincidence and good luck.

2 hours ago, StDragon said:

Depending on what he knew and when, it could be a case of insider trading per the SEC. Or, it could be just one heck of a coincidence and good luck.

My hunch is that it might just have been good luck on his part. He would know better (or I hope he would), that he would be in a lot of legal trouble if he knew about it and sold.

Actually, looking at the history he has sold an okay number of times during the Nov/Dec timeframe... so my thought would be that it might just be lockup periods expiring or something from his shares. Although admittedly he sold a lot more shares this time around than he has previously... then again, he started selling in August... overall I think it's just lucky timing (because I don't think any CEO would be foolish enough not to realize the SEC would likely investigate following a serious breach announcement that would obviously tank the stock).

6 hours ago, StDragon said:

Depending on what he knew and when, it could be a case of insider trading per the SEC. Or, it could be just one heck of a coincidence and good luck.

If you look at the source there were 4 other SolarWinds executives who sold around $5 million worth of SolarWinds stock around the same time, they all knew 😂
