How to Determine if You’re Affected by the SolarWinds Hack
by Blake Cormier Content Manager, E-N Computers
The SolarWinds hack is a major escalation in cybersecurity hostilities. On December 13, 2020, cybersecurity firm FireEye reported that a Russian state-sponsored hacking group penetrated SolarWinds, a major provider of IT management and security software. Once inside, they were able to stealthily insert malware into update packages for the Orion software platform, which was then installed by more than 18,000 customers, including big-name players like Microsoft and U.S. government departments.
They were then able to leverage this backdoor to gain a foothold in some networks where Orion was installed, using further attacks to compromise login credentials, forge SAML authentication tokens, and spoof security certificates. This essentially allows the attackers unrestricted access into the compromised network via highly privileged credentials.
How to Know If You’re Affected by the SolarWinds Breach
While this is a major breach, it only affects a small number of companies directly. Here are some indicators that you will need to be on high alert and take immediate steps to protect your network.
You (or Your IT Vendor) Use SolarWinds Orion
The compromised update involved a change to a plugin for the SolarWinds Orion platform. SolarWinds has said that about 36,000 customers use Orion, and about 18,000 of them may have installed the affected updates. So if you have SolarWinds Orion installed on your network, immediately update to the recommended version from SolarWinds and begin looking for further evidence of a breach.
While your company may not use Orion, your IT vendor may use it as part of its toolset. So if you haven’t heard from your IT vendor or MSP, immediately contact them to confirm that they’re not affected by the breach – and if they are, find out what steps they’re taking to protect your information and your network.
You’ve Seen Traffic to This Domain
According to analysis by Microsoft and others, the attackers used the domain avsvmcloud[.]com to communicate with systems breached by the SolarWinds hack. Microsoft was able to take control of that domain to help stop further attacks. You should immediately check your firewall and system logs for evidence of any systems on your network communicating with that domain.
You Are Involved in Defense, Manufacturing, or Another Sensitive Industry
Not all of the companies that installed the backdoored Orion update were targeted for further exploitation. The threat actors appeared to target organizations associated with defense, government contracting, manufacturing, and technology. If you operate in one of these industries, you should take extra care to ensure that you aren’t being targeted. This could include surveying your vendors and contractors to make sure that they aren’t affected.
Further Technical Reading
If you’d like to learn more about the SolarWinds hack, how you can make sure your network isn’t compromised, and the methods used by the threat actors, check out these articles from trusted security researchers:
While this is a major headline-grabbing cybersecurity incident, it’s good to remember that most data breaches and security incidents – especially those directed toward small and midsize businesses – aren’t nearly as flashy. Most attacks we see use tried-and-true techniques like phishing, spear phishing, social engineering, and malicious links. A high-value cyber weapon like a supply chain compromise would generally only be used against a high-value target like a major corporation or government agency.
This doesn’t mean that you shouldn’t worry about cybersecurity. Rather, it means you should take steps to ensure that best practices are being followed across your organization. This includes making sure that proper tools and policies — including properly configured firewalls, web filtering, antivirus, password hygiene, two-factor authentication, the principle of least access, and log monitoring — are in place, functional, and fully adopted.
If you are in the defense or government contracting space, you should immediately take steps to implement the controls specified in the Cybersecurity Model Maturity Certification (CMMC). Even if you aren’t required to implement CMMC, NIST SP 800-171 is a good starting point for evaluating your cybersecurity practices and making a plan to harden them.
These steps aren’t easy to do alone. You’ll likely want help from a trusted third party. A security-focused managed IT service provider (MSP) like E-N Computers can help you to evaluate your network and plan for any needed improvements to your security posture.
Next Steps: Learn More About Hardening Your Network
Implementing a strong cybersecurity policy isn’t an easy task. It takes consistent effort and a team approach to identify weaknesses and fix them before they can be exploited. To learn more about how to build a high-quality IT team for your business, read our article Should I Build or Buy an IT Department?In it, you’ll learn about the roles that you need to fill on your IT team to get excellent results.