CIRT.GY | Security Alert (14th December 2020)

Security Alert (14th December 2020)

Ref# SolarWinds | Date: Dec 15th 2020

Description

On the 14th December 2020, SolarWinds indicated that their systems had experienced a highly sophisticated, manual supply chain attack affecting the SolarWinds Orion Platform.

A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.[1]

Summary

The SolarWinds Orion Platform is a powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid, and software as a service (SaaS) environment in a single pane of glass.

The versions affected by this attack are the 2019.4 Hot Fix (HF) 5 and 2020.2 with no hotfix or 2020.2 HF 1 including:

Application Centric Monitor (ACM)
Database Performance Analyzer Integration Module (DPAIM)
Enterprise Operations Console (EOC)
High Availability (HA)
IP Address Manager (IPAM)
Log Analyzer (LA)
Network Automation Manager (NAM)
Network Configuration Manager (NCM)
Network Operations Manager (NOM)
Network Performance Monitor (NPM)
NetFlow Traffic Analyzer (NTA)
Server & Application Monitor (SAM)
Server Configuration Monitor (SCM)
Storage Resource Monitor (SCM)
User Device Tracker (UDT)
Virtualization Manager (VMAN)
VoIP & Network Quality Manager (VNQM)
Web Performance Monitor (WPM)

Solutions and Work arounds

Immediately update the Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to the Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment.
Immediately update the Orion Platform v2019.4 HF 5 to 2019.4 HF 6.

For more information on this attack, please visit the URL: https://www.solarwinds.com/securityadvisory

The Guyana National CIRT recommends that users and administrators review this alert and the remediation strategies and apply them where necessary.

Reference

SolarWinds Security Advisory (14th December 2020). Retrieved from SolarWinds:

https://www.solarwinds.com/securityadvisory

Security Advisory Regarding SolarWinds Supply Chain Compromise (14th December 2020). Retrieved from Security Boulevard:

https://securityboulevard.com/2020/12/security-advisory-regarding-solarwinds-supply-chain-compromise/

Active Exploitation of SolarWinds Software (13th December 2020). Retrieved from US-Cert: https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

[1] https://www.csoonline.com/article/3191947/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html