This is a developing story. Latest update 12/17/2020: Microsoft has changed Windows Defender's default action against this malware from "Alert" to "Quarantine." This action could cause systems to crash, but it will effectively kill the malware when Defender discovers it. On Sunday, December 13th, 2020, it was discovered that a large-scale cyber breach had infected U.S. government agencies, including the Department of Treasury and the Department of Commerce.
A Russian government-backed group, known as APT29 or Cozy Bear, is suspected to be behind this large-scale attack. This group was responsible for the breach of security solutions provider FireEye, as well as previous attacks on the U.S. State Department and COVID-19 vaccine research sites this summer.
The current, ongoing attack actively affects SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
While the attack targeted government agencies, private-sector businesses who use this software could also be affected.
This is known as a "supply-chain attack." The attackers inserted malicious code into periodic updates of SolarWinds' Orion IT monitoring and management software, which customers use to manage their networks. The scope and sophistication of this attack led researchers to suspect the Russian-backed group was responsible.
According to FireEye, the attacker has used multiple techniques since the breach to evade detection and obscure their activity.
This attack could have begun as early as Spring 2020 and is currently ongoing. The campaign is widespread, affecting public and private organizations around the world.
SolarWinds' reach and customer base for network monitoring and management is nationwide. The scope of this attack will not be fully realized for several months. It appears that the hackers went after the highest-value government targets first, but many more government and private business networks may already be compromised.
Attacks like this point out the vigilance required of all managed service providers when it comes to shoring up their network security. Reuters reported this week that SolarWinds was alerted as far back as 2017 that exploits against its network were being sold on dark web forums. One security researcher even stated that SolarWinds' update server could be easily accessed with minimal hacking ability.
There's some good news for Microsoft users. Starting today (December 16th) Microsoft Defender Antivirus will block and isolate malware-infected versions of the SolarWinds app.
If you are a SolarWinds customer, immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal.
SolarWinds has also released additional mitigation and hardening instructions at https://www.solarwinds.com/securityadvisory.
If you're not a SolarWinds customer, now is still a great time to contact your cybersecurity and IT support team to check your environment for signs of attacker activity.
If you don't already have one, work with experts to design a remediation strategy so you know exactly what to do if your environment is impacted by a breach.
(We'd like to thank one of our Cyber SOC partners, Arctic Wolf Networks for contributing to this report.)
Additional references to keep up with this ongoing attack: