Festina Lente
12/18 report from DNI on foreign interference suddenly gets more interesting...

US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach

An emergency directive issued by the U.S. government calls on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they are being used to facilitate an active exploit.

The U.S. government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit. An emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) comes “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” according to the notice. “This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in the directive. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

The directive instructs all agencies operating SolarWinds products to report that they have completed the shutdown by noon ET Monday. CISA issued the directive following a report that the SolarWinds Orion IT management tool had been used to hack several federal agencies. The U.S. Treasury and the U.S. Commerce Departments were breached through SolarWinds as part of a Russian government campaign, The Washington Post reported. It is unclear whether a breach last week of security vendor FireEye was also linked to SolarWinds.

IT infrastructure management vendor SolarWinds disclosed Sunday that it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June of this year. The company said it’s been told the attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, though no specific country was named. A FireEye blog post states that hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, but didn’t disclose the identity of any of the victims. FireEye said it’s been working closely with SolarWinds, the Federal Bureau of Investigation, and other key partners.

While hackers over the past two years have taken advantage of the tools MSPs rely on to manage customer IT systems, the tools utilized in this breach do not appear to be linked to SolarWinds’ MSP business. The Orion platform supports SolarWinds’ traditional IT infrastructure management business and isn’t connected to the SolarWinds MSP business built through acquisitions in recent years. The company said it isn’t aware of any impact to its remote monitoring and management (RMM), N-Central and associated SolarWinds MSP products from the attack on Orion. Austin, Texas-based SolarWinds last week named Pulse Secure’s Sudhakar Ramakrishna as its next CEO, and has been examining a spin-out of its MSP tools business for months. SolarWinds said its technology is used by the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” National Security Council Spokesman John Ullyot told The Washington Post.

FireEye made the shocking disclosure Tuesday that it suffered a security breach in what’s believed to be a state-sponsored attack designed to gain information on some of the firm’s government customers. The attacker could access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information, the threat intelligence vendor said. The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye said it isn’t sure if the attacker plans to use the stolen tools themselves or publicly disclose them. FireEye’s stock has plunged $1.69 (10.9 percent) to $13.83 per share since the hack was disclosed after the market closed Tuesday.

The Washington Post reported Sunday that the hackers with the Russian intelligence service—known as APT29—who attacked FireEye also compromised the Treasury and Commerce departments as well as other U.S. government agencies. The breaches have been taking place for months and may amount to an operation as significant as the State Department and White House hacks during the Obama years. There is concern within the U.S. intelligence community that the hackers who targeted Treasury and the Commerce Department’s National Telecommunications and Information Administration used a similar tool to break into other government agencies, Reuters reported Sunday. The hack is so serious it led to a National Security Council meeting at the White House on Saturday, according to Reuters.

APT29 also compromised the Democratic National Committee servers in 2015 but didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Post said. The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and, more recently, have attempted to steal coronavirus vaccine research, according to The Post.

https://www.crn.com/news/secur...gh-solarwinds-report

CISA ISSUES EMERGENCY DIRECTIVE TO MITIGATE THE COMPROMISE OF SOLARWINDS ORION NETWORK MANAGEMENT PRODUCTS
Original release date: December 13, 2020 | Last revised: December 14, 2020

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.

https://www.cisa.gov/news/2020...rwinds-orion-network

SolarWinds’ Customers

SolarWinds’ comprehensive products and services are used by more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions. Our customer list includes:
More than 425 of the US Fortune 500
All ten of the top ten US telecommunications companies
All five branches of the US Military
The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
All five of the top five US accounting firms
Hundreds of universities and colleges worldwide

Partial customer listing: Acxiom, Ameritrade, AT&T, Bellsouth Telecommunications, Best Western Intl., Blue Cross Blue Shield, Booz Allen Hamilton, Boston Consulting, Cable & Wireless, Cablecom Media AG, Cablevision, CBS, Charter Communications, Cisco, CitiFinancial, City of Nashville, City of Tampa, Clemson University, Comcast Cable, Credit Suisse, Dow Chemical, EMC Corporation, Ericsson, Ernst and Young, Faurecia, Federal Express, Federal Reserve Bank, Fibercloud, Fiserv, Ford Motor Company, Foundstone, Gartner, Gates Foundation, General Dynamics, Gillette Deutschland GmbH, GTE, H&R Block, Harvard University, Hertz Corporation, ING Direct, IntelSat, J.D. Byrider, Johns Hopkins University, Kennedy Space Center, Kodak, Korea Telecom, Leggett and Platt, Level 3 Communications, Liz Claiborne, Lockheed Martin, Lucent, MasterCard, McDonald’s Restaurants, Microsoft, National Park Service, NCR, NEC, Nestle, New York Power Authority, New York Times, Nielsen Media Research, Nortel, Perot Systems Japan, Phillips Petroleum, Pricewaterhouse Coopers, Procter & Gamble, Sabre, Saks, San Francisco Intl. Airport, Siemens, Smart City Networks, Smith Barney, Smithsonian Institute, Sparkasse Hagen, Sprint, St. John’s University, Staples, Subaru, Supervalu, Swisscom AG, Symantec, Telecom Italia, Telenor, Texaco, The CDC, The Economist, Time Warner Cable, U.S. Air Force, University of Alaska, University of Kansas, University of Oklahoma, US Dept. Of Defense, US Postal Service, US Secret Service, Visa USA, Volvo, Williams Communications, Yahoo

https://www.solarwinds.com/company/customers

NRA Life Member - "Fear God and Dreadnaught"
wishing we were congress
https://www.solarwinds.com/securityadvisory

SolarWinds Security Advisory
Updated: 12.14.2020 12:50pm CST

SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.

We recommend taking the following steps related to your use of the SolarWinds Orion Platform. SolarWinds asks customers with any of the below products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. This version is currently available at customerportal.solarwinds.com. SolarWinds asks customers with any of the below products for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which will be available today, December 14, 2020, at customerportal.solarwinds.com.

No other versions of Orion Platform products are known to be impacted by this security vulnerability. Other non-Orion products are also not known to be impacted by this security vulnerability. If you aren't sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfixes you have applied, please go here.

If you cannot upgrade immediately, please follow the guidelines available here for securing your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary. Additionally, we recommend customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures and standards designed to protect our customers.

Known affected products: Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
Network Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SCM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)
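The advisory above gives two concrete checks a defender can script: whether the installed Orion Platform build is one of the three affected versions (2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1) and whether SolarWinds.Orion.Core.BusinessLayer.dll is present on disk. The following is an added example written for this thread, not SolarWinds' own tooling or anything from the advisory: it parses a version string as an admin would copy it from the Orion web console, maps affected builds to the upgrade the advisory names, and walks a directory tree recording the SHA-256 of every copy of the named DLL so it can be compared against indicators published by the vendor or CISA (this page lists no hashes, so the script reports digests rather than judging them). The function names, the version-string format it accepts, and the constructed sample tree used by demo_scan() are all assumptions of the example.

```python
"""Orion affected-version check and affected-file scan (added example, not SolarWinds code)."""
import hashlib
import os
import re
import sys
import tempfile
from pathlib import Path

# Affected builds named in the advisory, keyed as (platform version, hotfix number),
# mapped to the upgrade the advisory recommends for each.
AFFECTED = {
    ("2019.4", 5): "2019.4 HF 6",
    ("2020.2", 0): "2020.2.1 HF 1",
    ("2020.2", 1): "2020.2.1 HF 1",
}

# File the advisory tells customers to scan for.
AFFECTED_FILE = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Accepts strings such as "2020.2", "2020.2 HF 1", "2019.4 hf5" (assumed console format).
_VERSION_RE = re.compile(r"^\s*(\d{4}\.\d(?:\.\d)?)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """'2020.2 HF 1' -> ('2020.2', 1); plain '2020.2' -> ('2020.2', 0); None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (m.group(1), int(m.group(2) or 0))


def assess_version(text):
    """Return (affected, recommendation) for a reported Orion Platform version."""
    parsed = parse_version(text)
    if parsed is None:
        return (False, "unrecognised version string; check the Orion web console")
    target = AFFECTED.get(parsed)
    if target is None:
        return (False, "not in the advisory's affected list")
    return (True, f"upgrade to {target}")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_affected_files(root):
    """Walk root and return sorted [(path, sha256)] for every file named AFFECTED_FILE.

    Matching is case-insensitive because backups and copies are often renamed
    in lower case; hashes are returned for comparison with published indicators.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == AFFECTED_FILE.lower():
                p = os.path.join(dirpath, name)
                hits.append((p, sha256_of(p)))
    return sorted(hits)


def demo_scan():
    """Build a constructed tree (placeholder bytes, not real binaries) and scan it.

    Returns [(path relative to the tree root, sha256)].
    """
    root = tempfile.mkdtemp(prefix="orion-demo-")
    sample = b"constructed placeholder bytes, not a real Orion component"
    for rel in ("Orion/" + AFFECTED_FILE, "Orion/backup/" + AFFECTED_FILE.lower()):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(sample)
    # Decoy with a similar name that must not be reported.
    Path(root, "Orion/SolarWinds.Orion.Core.Other.dll").write_bytes(b"decoy")
    return [(os.path.relpath(p, root).replace(os.sep, "/"), h)
            for p, h in find_affected_files(root)]


if __name__ == "__main__":
    # Usage: python orion_check.py "<version as shown in the console>" [scan root]
    version = sys.argv[1] if len(sys.argv) > 1 else "2020.2 HF 1"
    affected, advice = assess_version(version)
    print(f"{version}: {'AFFECTED' if affected else 'not affected'}; {advice}")
    root = sys.argv[2] if len(sys.argv) > 2 else None
    hits = find_affected_files(root) if root else demo_scan()
    for path, digest in hits:
        print(f"{digest}  {path}")
```

On a real Orion host the scan root would be the installation drive; the digests it prints are meant to be checked against vendor-published indicators, and a hit on the file name alone only confirms that an affected-version component is present, which the advisory already treats as reason to upgrade.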
Seeker of Clarity
This is some SERIOUSLY frightening shit my friends. Very bad. This is a good example of the first step in cyber security. The secure development of the software that we use. Honestly, sometimes I feel like all hope is lost.
Network Janitor
Yes, this is the stuff that keeps me awake at night. Just crazy how they are putting code distribution within a commercial product. So much for live updates for a while... Working with our security team to make sure the IDS and other sensors have the profiles for this in place. A few Sigs and some others.