Source and method of hack on DOD and other Fed agencies. Also affected Dominion Voting?
Festina Lente
feersum dreadnaught
posted
12/18 report from DNI on foreign interference suddenly gets more interesting...



US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach

An emergency directive issued by the U.S. government calls on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they are being used to facilitate an active exploit

The U.S. government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit.

An emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) comes “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” according to the notice. “This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in the directive. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

The directive instructs all agencies operating SolarWinds products to report that they have completed the shutdown by noon ET Monday.

CISA issued the directive following a report that the SolarWinds Orion IT management tool had been used to hack several federal agencies.

The U.S. Treasury and the U.S. Commerce Departments were breached through SolarWinds as part of a Russian government campaign, The Washington Post reported. It is unclear whether a breach last week of security vendor FireEye was also linked to SolarWinds.

IT infrastructure management vendor SolarWinds disclosed Sunday that it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June of this year. The company said it’s been told the attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, though no specific country was named.

A FireEye blog post states that hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, but didn’t disclose the identity of any of the victims. FireEye said it’s been working closely with SolarWinds, the Federal Bureau of Investigation, and other key partners.

While hackers over the past two years have taken advantage of the tools MSPs rely on to manage customer IT systems, the tools utilized in this breach do not appear to be linked to SolarWinds’ MSP business.

The Orion platform supports SolarWinds’ traditional IT infrastructure management business and isn’t connected to the SolarWinds MSP business built through acquisitions in recent years. The company said it isn’t aware of any impact to its remote monitoring and management (RMM), N-Central and associated SolarWinds MSP products from the attack on Orion.

Austin, Texas-based SolarWinds last week named Pulse Secure’s Sudhakar Ramakrishna as its next CEO, and has been examining a spin-out of its MSP tools business for months. SolarWinds said its technology is used by the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” National Security Council Spokesman John Ullyot told The Washington Post.

FireEye made the shocking disclosure Tuesday that it suffered a security breach in what’s believed to be a state-sponsored attack designed to gain information on some of the firm’s government customers. The attacker could access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information, the threat intelligence vendor said.

The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye said it isn’t sure if the attacker plans to use the stolen tools themselves or publicly disclose them. FireEye’s stock has plunged $1.69 (10.9 percent) to $13.83 per share since the hack was disclosed after the market closed Tuesday.

The Washington Post reported Sunday that the hackers with the Russian intelligence service—known as APT29—who attacked FireEye also compromised the Treasury and Commerce departments as well as other U.S. government agencies. The breaches have been taking place for months and may amount to an operation as significant as the State Department and White House hacks during the Obama years.

There is concern within the U.S. intelligence community that the hackers who targeted Treasury and the Commerce Department’s National Telecommunications and Information Administration used a similar tool to break into other government agencies, Reuters reported Sunday. The hack is so serious it led to a National Security Council meeting at the White House on Saturday, according to Reuters.

APT29 also compromised the Democratic National Committee servers in 2015 but didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Post said.

The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and, more recently, have attempted to steal coronavirus vaccine research, according to The Post.

https://www.crn.com/news/secur...gh-solarwinds-report

CISA ISSUES EMERGENCY DIRECTIVE TO MITIGATE THE COMPROMISE OF SOLARWINDS ORION NETWORK MANAGEMENT PRODUCTS
Original release date: December 13, 2020 | Last revised: December 14, 2020

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.

https://www.cisa.gov/news/2020...rwinds-orion-network

SolarWinds’ Customers
SolarWinds’ comprehensive products and services are used by more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions. Our customer list includes:

More than 425 of the US Fortune 500
All ten of the top ten US telecommunications companies
All five branches of the US Military
The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
All five of the top five US accounting firms
Hundreds of universities and colleges worldwide
Partial customer listing:

Acxiom
Ameritrade
AT&T
Bellsouth Telecommunications
Best Western Intl.
Blue Cross Blue Shield
Booz Allen Hamilton
Boston Consulting
Cable & Wireless
Cablecom Media AG
Cablevision
CBS
Charter Communications
Cisco
CitiFinancial
City of Nashville
City of Tampa
Clemson University
Comcast Cable
Credit Suisse
Dow Chemical
EMC Corporation
Ericsson
Ernst and Young
Faurecia
Federal Express
Federal Reserve Bank
Fibercloud
Fiserv
Ford Motor Company
Foundstone
Gartner
Gates Foundation
General Dynamics
Gillette Deutschland GmbH
GTE
H&R Block
Harvard University
Hertz Corporation
ING Direct
IntelSat
J.D. Byrider
Johns Hopkins University
Kennedy Space Center
Kodak
Korea Telecom
Leggett and Platt
Level 3 Communications
Liz Claiborne
Lockheed Martin
Lucent
MasterCard
McDonald’s Restaurants
Microsoft
National Park Service
NCR
NEC
Nestle
New York Power Authority
New York Times
Nielsen Media Research
Nortel
Perot Systems Japan
Phillips Petroleum
Pricewaterhouse Coopers
Procter & Gamble
Sabre
Saks
San Francisco Intl. Airport
Siemens
Smart City Networks
Smith Barney
Smithsonian Institute
Sparkasse Hagen
Sprint
St. John’s University
Staples
Subaru
Supervalu
Swisscom AG
Symantec
Telecom Italia
Telenor
Texaco
The CDC
The Economist
Time Warner Cable
U.S. Air Force
University of Alaska
University of Kansas
University of Oklahoma
US Dept. Of Defense
US Postal Service
US Secret Service
Visa USA
Volvo
Williams Communications
Yahoo

https://www.solarwinds.com/company/customers




NRA Life Member - "Fear God and Dreadnaught"
 
Posts: 8295 | Location: in the red zone of the blue state, CT | Registered: October 15, 2008
wishing we were congress
posted
https://www.solarwinds.com/securityadvisory

SolarWinds Security Advisory

Updated: 12.14.2020 12:50pm CST

SolarWinds has just been made aware that our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.

SolarWinds asks customers with any of the below products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. This version is currently available at customerportal.solarwinds.com.

SolarWinds asks customers with any of the below products for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which will be available today, December 14, 2020, at customerportal.solarwinds.com.

No other versions of Orion Platform products are known to be impacted by this security vulnerability. Other non-Orion products are also not known to be impacted by this security vulnerability.

If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfixes you have applied, please go here.

If you cannot upgrade immediately, please follow the guidelines available here for securing your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.

Additionally, we recommend customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures and standards designed to protect our customers.

Known affected products: Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:

Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
Network Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SRM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)
 
Posts: 19606 | Registered: July 21, 2002
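A triage script an Orion administrator could run to act on the advisory above: it locates every copy of the named DLL under the install tree, records version, hash, last-write time and Authenticode signer so they can be compared against vendor-published values, and flags whether an operator-supplied platform version string is one of the builds the advisory lists as affected. This is an added example, not SolarWinds' or the poster's code; the install path and the placeholder known-good hash are assumptions.

```powershell
# Added triage helper for the SolarWinds advisory; not vendor code.
# Assumptions: default Orion install root below; KnownGoodSha256 is a
# placeholder the operator replaces with the hash SolarWinds publishes.
param(
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion',  # assumed path
    [string]$PlatformVersion = '',          # e.g. '2020.2 HF 1', read from the Orion console
    [string]$KnownGoodSha256 = 'REPLACE_WITH_VENDOR_PUBLISHED_SHA256'  # placeholder
)

# Affected builds exactly as listed in the advisory.
$affectedBuilds = @('2019.4 HF 5', '2020.2', '2020.2 HF 1')
$dllName = 'SolarWinds.Orion.Core.BusinessLayer.dll'

function Test-OrionVersionAffected {
    param([string]$Version)
    # Normalise whitespace and case so '2020.2  hf 1' matches '2020.2 HF 1'.
    $norm = (($Version -replace '\s+', ' ').Trim()).ToUpperInvariant()
    $list = $affectedBuilds | ForEach-Object { $_.ToUpperInvariant() }
    return [bool]($list -contains $norm)
}

if ($PlatformVersion) {
    $state = if (Test-OrionVersionAffected $PlatformVersion) { 'AFFECTED' } else { 'not listed' }
    Write-Output "Orion Platform $PlatformVersion : $state (per advisory list)"
}

# Inventory every copy of the affected DLL; the advisory says to upgrade if it is present.
$dlls = Get-ChildItem -Path $OrionRoot -Recurse -Filter $dllName -ErrorAction SilentlyContinue
if (-not $dlls) { Write-Output "No $dllName found under $OrionRoot" }

$report = foreach ($dll in $dlls) {
    $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll.FullName)
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    [pscustomobject]@{
        Path           = $dll.FullName
        FileVersion    = $ver.FileVersion
        ProductVersion = $ver.ProductVersion
        LastWriteUtc   = $dll.LastWriteTimeUtc
        SHA256         = $hash
        MatchesKnownGood = ($hash -eq $KnownGoodSha256.ToUpperInvariant())
        SignatureState = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
    }
}
# CSV is convenient to hand to the SOC for correlation with IDS/EDR alerts.
$report | Export-Csv -Path "$env:TEMP\orion-dll-inventory.csv" -NoTypeInformation
$report | Format-Table -AutoSize
```

A signed, version-correct DLL is not by itself proof of a clean host; the advisory's instruction is to upgrade whenever the file is present and to review the network for indicators of compromise.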
Seeker of Clarity
r0gue
posted
This is some SERIOUSLY frightening shit my friends. Very bad. This is a good example of the first step in cyber security. The secure development of the software that we use. Honestly, sometimes I feel like all hope is lost.




 
Posts: 11396 | Registered: August 02, 2004
Network Janitor
mkueffer
posted
Yes, this is the stuff that keeps me awake at night. Just crazy how they are putting code distribution within a commercial product. So much for live updates for a while...

Working with our security team to make sure the IDS and other sensors have the profiles for this in place.




A few Sigs and some others
 
Posts: 2219 | Location: Waukesha, WI | Registered: February 04, 2012

© SIGforum 2024