ould SolarWinds Hack Affect You and Your Business?
This week, you have likely heard the news that SolarWinds was hacked, with a trojanized update to its Orion platform potentially exposing up to 18,000 organizations. Most worryingly, a number of US Government agencies have seen evidence of malicious activity, including the Departments of Treasury, Commerce, State, Energy, and Homeland Security, and the National Institutes of Health, among others. It is not known for certain who is responsible for the attack, but multiple sources are attributing it to an elite hacking group within the Russian Government.
As you might expect, many of our clients have been asking how this might impact them and their organizations. So I thought I’d try to shed some light on how this affects small and medium sized businesses, and what SMBs should be doing in response. In short, there’s good news and not so good news.
First, the good news.
If you are a small or medium sized business, and you are not a federal government contractor, there’s a good chance that you were not targeted. The backdoor itself was delivered automatically to everyone who installed an affected update, but using it required the attackers to pick a victim and work it by hand, and not every organization is worth that effort.
The attack leverages software called SolarWinds Orion, specifically Orion Platform builds released between March and June 2020 (versions 2019.4 HF 5 through 2020.2.1 HF 1). If you don’t run this software, this particular vector does not affect you directly; do, however, ask any managed service provider or vendor that monitors your network whether they run Orion on your behalf.
If you do use SolarWinds Orion, then the software was the vehicle for a backdoor into the affected organizations’ networks. After lying dormant for up to about two weeks, the backdoor would periodically phone home to the attackers over DNS to let them know that it existed and which organization it was sitting in. But if the attackers didn’t answer – and with up to 18,000 backdoors out there, the attackers couldn’t engage every one – then nothing else happened. In that case all the organization has to do is close the backdoor (ie, shut down the Orion server, or update it to the patched release and lock it down) and they can move on.
We use SolarWinds Orion – How can I determine if we’ve been compromised?
If you are using SolarWinds Orion, then here is a quick list of actions to take:
- Look at DNS and network activity over the past few months (look at all of 2020 if possible, and at least from March 2020, when the first trojanized build shipped). The malicious backdoor always begins by having the Orion server look up a hostname under “avsvmcloud[.]com”; the subdomain it queries is generated from your own domain name, so any lookup of that domain from an Orion server means the backdoor was present and running.
- Next, check what came back and what followed. If the attackers selected your network, the answer to that lookup was a CNAME record pointing at a second-stage command-and-control domain, and you will then see additional unexpected traffic outbound from Orion to the internet. (In a clean environment, Orion rarely needs to communicate with the internet beyond SolarWinds’ own update and licensing servers, so if you see significant outbound activity from Orion to anything else, consider it a huge waving red flag and take immediate action.) Be aware that the second-stage traffic was built to blend in with normal Orion traffic, so the absence of an obvious spike does not prove you were skipped.
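The two checks above, as an added example that is not part of the original post: a small Python triage script run over constructed DNS and connection log lines. The Orion server address, the log column layouts, the SolarWinds allowlist and the .invalid second-stage name are all assumptions made for the example; the only real indicator it uses is the avsvmcloud[.]com beacon domain, and the rule that a CNAME answer means the host was selected follows the public SUNBURST reporting.

```python
"""Triage for the two Orion checks above. Added example, not from the post:
it scans DNS resolver lines and outbound connection records for the Orion
server, flags every lookup under avsvmcloud[.]com, treats a CNAME answer as
the attackers selecting the host for a second stage, and lists outbound
destinations that did not resolve from an allowlisted SolarWinds name.
The log formats, Orion address and allowlist are assumptions for this example."""
from collections import defaultdict

ORION_HOST = "10.10.5.20"                # assumed address of the Orion server
BEACON_DOMAIN = "avsvmcloud.com"         # SUNBURST first-stage beacon domain
ALLOWED_SUFFIXES = ("solarwinds.com",)   # assumed legitimate destinations

# Constructed sample DNS log: "<time> <client> <qname> <rtype> <answer>".
# The .invalid name and documentation-range IPs are placeholders, not real IOCs.
DNS_LOG = """\
2020-06-02T04:11:09Z 10.10.5.20 updates.solarwinds.com A 203.0.113.10
2020-06-16T02:07:41Z 10.10.5.20 k5j0q9fcgu7q1cplmsah.appsync-api.eu-west-1.avsvmcloud.com A 198.51.100.7
2020-06-17T02:09:12Z 10.10.5.20 k5j0q9fcgu7q1cplmsah.appsync-api.eu-west-1.avsvmcloud.com CNAME stage2-cdn.example.invalid
2020-06-17T02:09:12Z 10.10.5.20 stage2-cdn.example.invalid A 192.0.2.66
2020-06-17T09:30:01Z 10.10.7.40 www.example.com A 192.0.2.80
"""
# Constructed sample outbound flows: "<time> <src> <dst> <dport> <bytes>".
CONN_LOG = """\
2020-06-02T04:11:10Z 10.10.5.20 203.0.113.10 443 18220
2020-06-17T02:09:13Z 10.10.5.20 192.0.2.66 443 4096
2020-06-17T02:10:40Z 10.10.5.20 192.0.2.66 443 512000
2020-06-17T09:30:02Z 10.10.7.40 192.0.2.80 443 2200
"""


def parse_records(text, fields):
    """Turn whitespace-separated log lines into dicts keyed by field name."""
    rows = [line.split() for line in text.splitlines()]
    return [dict(zip(fields, p)) for p in rows if len(p) == len(fields)]


def in_domain(name, domain):
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def find_beacons(dns, host=ORION_HOST):
    """Check 1: avsvmcloud.com lookups from the Orion host. A CNAME answer means
    the attackers pointed the backdoor at a second-stage domain; an A answer
    means the beacon was seen but the host was not selected (yet)."""
    hits = []
    for r in dns:
        if r["client"] == host and in_domain(r["qname"], BEACON_DOMAIN):
            selected = r["rtype"].upper() == "CNAME"
            hits.append({"time": r["time"], "qname": r["qname"],
                         "selected": selected,
                         "stage2": r["answer"] if selected else None})
    return hits


def ip_to_names(dns):
    """Map resolved addresses back to the names that were looked up, so flow
    records (which carry only IPs) can be judged against the name allowlist."""
    names = defaultdict(set)
    for r in dns:
        if r["rtype"].upper() in ("A", "AAAA"):
            names[r["answer"]].add(r["qname"].lower().rstrip("."))
    return names


def unexpected_outbound(conns, names, host=ORION_HOST):
    """Check 2: flows from the Orion host to destinations that did not resolve
    from an allowlisted name. Returns {dst: (total_bytes, resolved_names)}."""
    flagged = {}
    for c in conns:
        if c["src"] != host:
            continue
        resolved = names.get(c["dst"], set())
        if any(in_domain(n, s) for n in resolved for s in ALLOWED_SUFFIXES):
            continue
        total = flagged.get(c["dst"], (0, None))[0] + int(c["bytes"])
        flagged[c["dst"]] = (total, resolved)
    return flagged


def triage(dns_text=DNS_LOG, conn_text=CONN_LOG):
    dns = parse_records(dns_text, ("time", "client", "qname", "rtype", "answer"))
    conns = parse_records(conn_text, ("time", "src", "dst", "dport", "bytes"))
    beacons = find_beacons(dns)
    outbound = unexpected_outbound(conns, ip_to_names(dns))
    if any(b["selected"] for b in beacons) or outbound:
        verdict = "INCIDENT: backdoor answered and/or unexpected outbound traffic from Orion"
    elif beacons:
        verdict = "BEACON ONLY: backdoor phoned home but no selection or follow-on traffic seen"
    else:
        verdict = "CLEAN: no avsvmcloud.com lookup from the Orion host in these logs"
    return {"beacons": beacons, "unexpected_outbound": outbound, "verdict": verdict}


if __name__ == "__main__":
    result = triage()
    for b in result["beacons"]:
        print("beacon", b["time"], b["qname"], "->", b["stage2"] or "(not selected)")
    print(result["unexpected_outbound"], result["verdict"], sep="\n")
```

Run it against your own exported resolver and firewall logs after adapting `parse_records` to their column layout. The point of the split is that the beacon alone only tells you the backdoor was installed and running; the CNAME answer and the follow-on flows from the Orion server are what separate "had the backdoor" from "was actually visited", which is the line between patch-and-move-on and the incident response described in the rest of this post.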
Now for the not so good news.
If you use SolarWinds Orion, and you suspect that the attackers did use the backdoor to access your network, it is going to be incredibly hard to get them out. The attackers know that the SolarWinds backdoor, like any other entry point, can be closed or patched at any time. So once they get in, one of the first things they do is establish additional footholds that do not depend on Orion at all, such as stolen or newly created credentials and forged authentication tokens, so that if any one door gets closed they can simply switch to another. Once they’re in your network, just shutting off SolarWinds will not solve the problem.
The attackers here are among the most sophisticated ever observed. They avoid the common malware tools and methods, operate with legitimate credentials and built-in administrative tooling, and tailor their infrastructure to each victim, which means that routine detections like antivirus logs and a cursory Active Directory account review will not catch them on their own. Once they’re in the network, tracking them down and undoing their damage will require capabilities at least as sophisticated as the ones they’re using. Some people believe this is not possible to achieve.
The US Government response is being led by a joint multi-agency group, including the Cybersecurity & Infrastructure Security Agency (CISA), which is part of Homeland Security. On December 17, CISA released an alert (AA20-352A) summarising what is known to date, which in essence says that removing this actor from a compromised environment will be highly complex and that, if the attackers were actually in your network, the only way to be sure is to rebuild the affected systems and identity infrastructure from scratch.
This already looks to be the most significant cyber security event in years, possibly ever. You should be aware and concerned about it. If you have questions or need help assessing your possible exposure and risk, please don’t hesitate to reach out to us.
Note: This is a rapidly evolving situation, and the above information may be out of date. This blog is based upon information known as of the morning of December 18, 2020.