CISA Releases New Guidance on SolarWinds PatchAlso: Microsoft Updates Solorigate Investigation
The Cybersecurity and Infrastructure Security Agency has released an emergency directive requiring all federal organizations still running vulnerable SolarWinds Orion software to immediately update to the latest version.
See Also: Automating Security Operations
In an update released Wednesday, CISA says the organizations with a vulnerable version of the SolarWinds platform installed must update to version 2020.2.1HF2 by Dec. 31.
"The National Security Agency has examined this version and verified that it eliminates the previously identified malicious code," CISA says.
The SolarWinds hacking was initially disclosed on Dec. 13 by FireEye, which discovered the supply chain attack. Multiple federal agencies were compromised, including the Commerce and Treasury departments. SolarWinds says that from March through June, it issued Orion software updates that unintentionally included attacker-added backdoors, which FireEye has dubbed "Sunburst." The malicious software updates were signed using valid digital signatures and could steal files, profile systems and disable system services. Some organizations are continuing to run the backdoored software, meaning some organizations have been exposed to this attack campaign for nine months or more.
U.S. Secretary of State Mike Pompeo accused Russia of being behind the attack, saying in a radio interview earlier this month, "We can say pretty clearly that it was the Russians."
Russia has denied any involvement.
The CISA alert says the four affected Orion platforms are:
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
CISA says organizations using systems that cannot be updated should keep them powered down and disconnected. Additionally, agencies should label and isolate all backups of the affected versions and, if they have the capability, conduct forensic analysis and search for indicators of compromise or other evidence of threat actor activity.
CISA further notes that unaffected versions should be patched to the NSA-approved SolarWinds Orion Platform version 2020.2.1HF2 to prevent any attacks. "Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as "affected versions" are required to use SolarWinds Orion Platform version 2020.2.1HF2," CISA says.
CISA notes in the update that additional directions concerning SolarWinds will follow.
Microsoft Updates 'Solorigate' Investigation
Microsoft reported in a Thursday update it has found no evidence of access to production services or customer data nor any indication that its systems were used to attack others. While FireEye refers to the backdoored code as Sunburst, Microsoft has instead dubbed the attack "Solorigate."
But Microsoft's ongoing investigation has found that hackers accessed its network and viewed source code.
"Our investigation has ... revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," Microsoft says. But it adds that "the account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made."
SolarWinds Impact To Date
SolarWinds believes that nearly 18,000 of its customers may have installed the Trojanized software, which it first began issuing in March.
CISA has said the attack's impact goes well beyond the federal government to include state and local agencies, critical infrastructure and private organizations (see: CISA Warns SolarWinds Incident Response May Be Substantial).
Some of the federal agencies affected by the SolarWinds attack include the National Institutes of Health and the Commerce, Homeland Security, State, Treasury and Energy departments.
U.S. Sen. Ron Wyden, D-Ore., the ranking Democrat on the Senate Finance Committee called the breach "significant" (see: US Treasury Suffered 'Significant' SolarWinds Breach).
In the private sector, victims include the technology firms Belkin, Cisco, Intel, NVidia and VMware, as well as Iowa State University and Hilton Grand Vacations.
News Editor Doug Olenick contributed to this story.