jamesteohart - stock.adobe.com

DHS CISA Shares SolarWinds Post-Threat Compromise Activity Tool

Designed to detect post-threat compromise activity from the SolarWinds incident, CISA’s Aviary dashboard visualizes and analyzes outputs from its Sparrow detection tool.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency shared another tool to support remediation of threats posed by the SolarWinds supply-chain attack. The new dashboard takes aim at post-threat compromise activity within enterprise environments.

CISA’s Aviary dashboard was developed to visualize and analyze outputs from its Sparrow detection tool. The agency released the tool in December 2020, in response to the initial reports surrounding the SolarWinds security incident.

Sparrow is designed to support hunts for threat activity stemming from the SolarWinds compromise, while Aviary facilitates analysis of Sparrow’s data outputs.

Nation-state threat actors, with suspected ties to Russia, trojanized previous updates to the SolarWinds Orion platform, creating a rippling effect across multiple sectors as organizations began to download the malware-infected update.

The highly sophisticated, targeted attack allowed the threat actors to gain access to multiple public, private, and government sector entities around the world. Once the attackers gained a foothold onto the network, they quickly moved laterally across connected devices using legitimate credentials.

Researchers have observed the attackers performing stealthy reconnaissance and storing the information within legitimate plugin configuration files that allow them to hide within legitimate SolarWinds activity.

What’s more, other attackers have tagged on to the threat model, targeting unpatched systems with new malware variants for other nefarious activities.

The White House estimates that 100 organizations and nine federal agencies fell victim to the attack. But given the sophistication and proliferation of the attack, the full impact may not be fully understood for some time.

The latest CISA effort analyzes operations data to provide keys insights into indicators of compromise. CISA is encouraging all entities to leverage these tools to effectively mitigate the attack spread.

The agency previously released the CISA Hunt and Incident Response Program (CHIRP) tool aimed at supporting entities in the detection of threat activity within on-prem environments. The forensics collection tool finds indicators of compromise stemming from advanced persistent threat (APT) actor attacks and within Microsoft Cloud environments.

Healthcare entities should take advantage of the free resources provided by CISA to remediate this critical threat, given its scope and risk to the enterprise. DHS established a resource site for private sector entities, in addition to remediation guidance targeting compromises through the SolarWinds platform.

The SolarWinds attack was just the first of three major vendor incidents in the last six months. Attackers are also targeting unpatched critical flaws in Microsoft Exchange. And the Clop ransomware group broke into a vulnerability in Accellion’s File Transfer Appliance (FTA) and stole a trove of client data, later extorting the victims directly.

Next Steps

Dig Deeper on Cybersecurity strategies