Getty Images

DHS CISA Shares Remediation, Risk Guidance for SolarWinds Compromise

Since the initial SolarWinds compromise, hundreds of entities have fallen victim to the supply-chain cyberattacks. New CISA guidance takes aim at remediation and risk decisions.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released new guidance to help support security leaders and administrators with risk decisions and remediation of successful compromises of SolarWinds Orion platforms.

Hundreds of US government agencies, critical infrastructure entities, and private sector organizations have been impacted by the compromise of certain SolarWinds platforms, as part of a massive campaign targeting the global supply-chain, first disclosed in December 2020.

Nation-state threat actors trojanized previous updates to some SolarWinds Orion software versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020. The installation of malware enabled further exploits and espionage against entities that installed the update.

The attacks have been attributed to an advanced persistent threat (APT) actor with ties to Russia, who’s leveraged the successful exploit and persistent footholds on victims’ networks to target federated identity solutions and Active Directory or Microsoft 365 environments.

“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers,” researchers explained.

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs’, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” they added.

The nefarious activities varied by victim, but the hacker used the long-term access to collect and exfiltrate data and create backdoors for future access. The APT actors use a range of techniques to hide their operations, moving laterally across the network with a light malware footprint through legitimate credentials and remote access.

As a result, it can be difficult to detect a compromised system. The new DHS CISA guidance is designed to support entities with remediation challenges of on-premise and cloud networks compromised through the SolarWinds exploit.

While designed for federal agencies, CISA is urging all critical infrastructure and private sector agencies to review the insights and apply the recommendations, wherever applicable.

Administrators can leverage the guidance to review the tactics, techniques, and procedures (TTPS) leveraged by the APT threat actors. The insights include an overview of the threat activity.

“Given that the threat actor may be deeply burrowed in networks, eviction will be challenging and complex; this guidance provides short- and intermediate-term actions that agencies can take to mitigate this activity and prevent the actor’s re-use of similar TTPs,” CISA officials explained.

“By taking steps to evict this adversary from compromised on-premises and cloud environments, agencies will position themselves for long-term actions to build more secure, resilient networks,” they added.

Administrators will find details on remediating and mitigating malicious activity associated with the SolarWinds threat, which CISA warns will be difficult to detect and eradicate.

As such, the insights include both short- and intermediate-term steps entities can take to detect, mitigate,and remediate the activity. Those steps include conducting a risk or impact assessment.

CISA also broke down the insights based on the type of organization and broken down into phases to find the threat and eliminate it, as well as needed steps to keep the hacker out of the system. The insights also include a list of resources to help support continued security needs.

The agency also provided guidance on compromise risk decisions for security leaders, including the necessary steps for defending against the critical threat.

“The threat actor may be deeply burrowed in compromised networks, and full eviction will be costly, highly challenging, and complex,” CISA explained.

“However, failure to perform comprehensive remediation activity and evict the adversary will expose enterprise networks and cloud environments to substantial risk for long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erode the public trust of their networks,” they added.

Since the threat’s disclosure in December, further malware and nefarious activities have been reported leveraging vulnerable SolarWinds Orion systems -- including those not tied to the initial exploit.

In light of the heightened targeting on healthcare by nation-state actors, covered entities should review these invaluable resources to shore up defenses.

Next Steps

Dig Deeper on Cybersecurity strategies