Not every organization is going to have SolarWinds configured identically, but when they do have SolarWinds configured, it is definitely a great targeting point for attackers. The Orion NMS has broad capabilities for monitoring and managing systems, including servers, workstations, network devices, etc. An attacker who compromised an NMS can usually reshape network traffic for MitM opportunities and can often use credentials for system monitoring to laterally move to target systems. Even when NMS are “monitor only” the credentials used still offer some level of access to the attacker. Any changes the NMS can make, the attacker can too. This means that the Network Management System can make changes on behalf of its configuration.
Second, many NMS are configured to both monitor for events and respond to them. First, the Network Management Systems must be able to communicate with all devices being managed and monitored so outbound ACLs are ineffective., making it a prime location. NMS are prime targets for attackers for a variety of reasons. Not to be confused with NSM, which in security is a network security monitor. The most widely deployed SolarWinds product is Orion, which is a Network Management System (NMS).
#SOLARWINDS COMPROMISE SOFTWARE#
SolarWinds is a software company that primarily deals in systems management tools used by IT professionals. Shortly after, Ellen Nakashima of the Washington Post confirmed with background sources that the US Treasury breach was perpetrated by the same group that targeted FireEye, that SolarWinds was involved in both breaches, and that it was perpetrated by threat group APT29 (Cozy Bear/Russian SVR). That the US Treasury Department has been compromised by a sophisticated adversary. On December 13 Chris Bing of Reuters broke the story That it had been hacked by a nation-state and since that announcement they’ve been incredibly transparent, publishing information about the breach and what they’ve learned about it in their investigation. Of course, as it is an evolving situation, we will likely know more as the days progress, but this is what we know as of now. Supply chain attacks are not common and the SolarWinds Supply-Chain Attack is one of the most potentially damaging attacks we’ve seen in recent memory. You can find the presentation slides here. More details can be found in our X-Force Exchange post, which will be updated as this situation evolves.Īssistance is also available to assist 24×7 via IBM Security X-Force’s US hotline 1-88 | Global hotline (+001) 31.This was transcribed from Jake Williams' webcast on December 14th, 2020. IBM is closely monitoring the overall situation and is engaged with clients and the security community. Vendor guidance and resources from SolarWinds can be leveraged as needed here.įor IBM QRadar users looking for more details on applying the available threat intelligence to their response, IBM has published a more detailed blog in the IBM Security Community available here.
Indicators of Compromise are available from the X-Force Exchange. Identify, isolate and investigate any potentially impacted SolarWind Orion or associated computing environment via a comprehensive security analysis.The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01 in response to this incident.Īt this time, IBM recommends organizations running SolarWinds Orion take the following actions: federal agencies have disclosed they were potentially victims of the hacking campaign.
#SOLARWINDS COMPROMISE MANUAL#
SolarWinds reports that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by a nation state, but it has not, to date, independently verified the origin of the attack. SolarWinds has announced a cyberattack on its systems that compromised specific versions of the SolarWinds Orion Platform, a widely used network management tool.
0 kommentar(er)
