12/22/20 UPDATE: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published further guidance regarding the SolarWinds cyberattack. Aimed at federal agencies, this supplemental guidance is nevertheless helpful to other organizations that use SolarWinds’ Orion software.
Under “Conditions for Reconnecting Unaffected Versions,” CISA says it is “still assessing whether it is appropriate to relax ED 21-01’s requirement that agencies not install patches for their SolarWinds Orion software. Some older versions of SolarWinds Orion have been identified as not affected by the malicious backdoor. However, operating such older versions carries significant risk, because (1) like other types of older software, older versions of SolarWinds Orion contain known vulnerabilities; (2) the adversary that inserted the SolarWinds Orion backdoor is likely to be intimately familiar with SolarWinds Orion code, including known or unknown vulnerabilities that may exist separate and apart from the backdoor; and (3) this adversary has demonstrated the capability and willingness to exploit SolarWinds Orion to compromise U.S. government agencies, critical infrastructure entities, and private organizations.”
Further, CISA says it is investigating evidence that the attacker used access vectors other than the SolarWinds Orion platform. “Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior [are] present, yet where impacted SolarWinds instances have not been identified.”
12/19/20 UPDATE: Even if you are not directly affected by this security event, Microsoft recommends you take specific steps to protect your systems from attacks of this type. Look for Recommended Defenses halfway down the post.
ORIGINAL POST: In light of the unfolding SolarWinds cyberattack, we want to update you on steps we are taking – and you should take.
ImageQuest uses two SolarWinds products, Passportal and Pingdom; both are independent of the Orion product. Both are also explicitly listed as products not known to be affected by this vulnerability. While we are continuing to evaluate those two products’ security status, we are confident that there is currently no increased risk.
It is important to note our internal diligence and investigations of our services and systems indicate ImageQuest and our critical vendor platforms are not impacted by the SolarWinds attack. There has been no compromise to ImageQuest’s systems, services, or client information. No action is required to further secure any of your ImageQuest provided services.
Since so much remains unknown about the scope of this attack, we recommend you err on the side of caution. We are sharing the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommendations below for your convenience.
- Immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from your network. We recommend you hold off installing the SolarWinds Orion update until officials are confident the new update is safe. (Note: This is counter to guidance provided by SolarWinds.)
- Immediately block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Assume any credentials used to access Orion, or stored on the Orion server, are compromised. Replace them with complex passwords longer than 25 characters.
- Assume any hosts monitored by the Orion software are compromised.
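The four steps above become much easier to apply consistently when you have an inventory of Orion hosts and their exact build strings. The script below is an added example, not code from the original post, from CISA or from SolarWinds: it parses Orion version strings such as "2020.2.1 HF1" into comparable tuples, classifies each host against the affected range stated above (2019.4 through 2020.2.1 HF1, inclusive), attaches the matching action from the list, and generates replacement credentials that satisfy the "longer than 25 characters" requirement. The hotfix ordering rule (a hotfix sorts after its base build and before the next patch level), the status labels, the hostnames and the version strings in the sample inventory are all assumptions made for this example.

```python
import re
import secrets
import string

# Affected Orion version range exactly as stated in the CISA guidance quoted
# above (inclusive at both ends). Everything else in this file is an
# assumption of this added example, not a statement from CISA or SolarWinds.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF1", "2019.4 hf5" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text):
    """Turn 'YYYY.N[.P][ HFn]' into a comparable (year, release, patch, hotfix) tuple.

    Assumption: a hotfix sorts after its base build and before the next patch
    level, so 2020.2.1 < 2020.2.1 HF1 < 2020.2.2. Unparseable input raises
    rather than being silently treated as unaffected.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, release, patch, hotfix = m.groups()
    return (int(year), int(release), int(patch or 0), int(hotfix or 0))


def classify_version(text):
    """Return AFFECTED, OLDER_UNAFFECTED or NEWER_UNVERIFIED for one version string."""
    v = parse_orion_version(text)
    if parse_orion_version(AFFECTED_LOW) <= v <= parse_orion_version(AFFECTED_HIGH):
        return "AFFECTED"
    if v < parse_orion_version(AFFECTED_LOW):
        # Not backdoored per CISA, but CISA's caveat still applies: older builds
        # carry known vulnerabilities and the same adversary knows the code base.
        return "OLDER_UNAFFECTED"
    # Released after the stated range; this post advises holding off on the update
    # until officials confirm it is safe, so treat it as unverified, not clean.
    return "NEWER_UNVERIFIED"


# Actions drawn from the CISA steps listed above, keyed by classification.
ACTIONS = {
    "AFFECTED": "disconnect or power down now; block its external traffic; "
                "rotate every credential it held; treat monitored hosts as compromised",
    "OLDER_UNAFFECTED": "no backdoor in this build, but isolate and plan patching: "
                        "older builds have known vulnerabilities",
    "NEWER_UNVERIFIED": "post-range build; keep isolated until officials confirm it is safe",
}


def triage(inventory):
    """Map an iterable of (hostname, version) pairs to (host, version, status, action)."""
    rows = []
    for host, version in inventory:
        status = classify_version(version)
        rows.append((host, version, status, ACTIONS[status]))
    return rows


def new_credential(length=32):
    """Generate a replacement credential meeting the 'longer than 25 characters'
    requirement above, with one of each class so it passes typical complexity rules."""
    if length <= 25:
        raise ValueError("replacement credentials must be longer than 25 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("orion-prod-01", "2020.2.1 HF1"),
        ("orion-lab-02", "2019.4 HF5"),
        ("orion-old-03", "2019.2"),
        ("orion-new-04", "2020.2.1 HF2"),
    ]
    for host, version, status, action in triage(sample):
        print(f"{host:14} {version:14} {status:17} {action}")
    print("replacement Orion credential:", new_credential())
```

Feed `triage()` the output of whatever asset inventory you trust (not the Orion server's own view of itself, which you should treat as compromised), and note that an unrecognised version string deliberately raises instead of defaulting to "unaffected": an unknown build is a host to go and look at, not one to skip.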
More steps, specific to your IT team, are here. These steps include where to look for suspicious users, what malware signatures to look for, and how to capture forensic data.
The SolarWinds attack is a highly sophisticated software supply-chain attack: the backdoor was delivered inside a legitimate, vendor-signed Orion update, so it inherited the trust your organization places in vendor software. You should think carefully about your systems – and those of your vendors.
Your organization needs to immediately contact your critical vendors – those who connect to your network – and ask the following questions:
- Did/do they use the SolarWinds Orion product?
- If NO, do they use any other SolarWinds product(s)?
- If YES to Orion, did they install and run versions 2019.4 through 2020.2.1, released between March 2020 and June 2020?
- If YES, what have they done/are they doing about it?
- If YES, are we in any way at risk?
- Do they have a formal statement we can capture?
ImageQuest is committed to delivering secure, reliable service for all our customers. We remain focused on this issue.
We will continue to monitor this event for you and update you as critical new information emerges.