10 Dec 2020
UPDATE - SolarWinds Orion vulnerability being actively exploited
Earlier this week, FireEye publicly advised that a highly sophisticated state-sponsored actor had gained access to their network and had taken a copy of the FireEye Red Team tools. Red Team tools are used by many cybersecurity organisations to evaluate the security of networks. While made for a good purpose, these same tools could be used to gain unauthorised access to a victim's network.
The Australian Cyber Security Centre (ACSC) is working closely with FireEye and other cybersecurity partners to understand the risks facing Australian systems. At the time of writing, the ACSC reports that there is no evidence these tools have been used against Australians.
FireEye has provided a GitHub repository of signatures for several common intrusion detection services, so that organisations can detect whether these tools may have been used against their network.
A critical vulnerability has been discovered in the SolarWinds Orion network management platform and is being actively exploited by a sophisticated threat actor. It is understood to be the same vector used in high-profile compromises, such as that of the security firm FireEye.
SolarWinds has released a hotfix patch to mitigate this vulnerability and will release an additional hotfix expected Wednesday 16 December. Following discussions with our international partners, CERT NZ is advising that organisations using the versions detailed below consider isolating these servers immediately and ensuring no internet egress is permitted until the servers can be patched and secured. Organisations will need to carefully assess the applicability of this guidance based on their network configuration and dependencies.
We recommend that you immediately isolate any Orion server from the network, apply the hotfix released by SolarWinds (Orion Platform version 2020.2.1 HF 1), and immediately apply the subsequent hotfix when available (2020.2.1 HF 2).
We also strongly recommend that users of the affected versions rebuild servers once the 2020.2.1 HF patch is available.
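One way to carry out the isolate-then-patch steps above on the Orion host itself, as an added example that is not part of the CERT NZ advisory or of SolarWinds' own tooling: the PowerShell script below inventories installed SolarWinds products from the Windows Uninstall registry keys (so the operator can compare versions against the advisory) and, when run with -Apply, uses Windows Defender Firewall to allow outbound traffic only to operator-supplied internal ranges before setting the default outbound action to Block. The rule name, the -Apply switch and the RFC 1918 ranges used as defaults are assumptions of this example; because the page does not list the affected versions, the script reports versions rather than judging them.

```powershell
# Added example (not CERT NZ's or SolarWinds' code). Run in an elevated
# PowerShell session on the Orion host. Assumptions: Windows Defender Firewall
# is in use, and the internal ranges below are placeholders to be replaced
# with your own management / jump-host ranges.
[CmdletBinding()]
param(
    # Internal ranges the isolated server may still reach (placeholder values).
    [string[]]$AllowedInternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    # Report only; no firewall changes are made unless -Apply is given.
    [switch]$Apply
)

# 1. Inventory: list installed SolarWinds products and their versions so the
#    operator can compare them with the versions named in the advisory.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$solarwinds = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if (-not $solarwinds) {
    Write-Warning 'No SolarWinds products found in the Uninstall registry keys.'
} else {
    Write-Host 'Installed SolarWinds products:'
    $solarwinds | Format-Table -AutoSize | Out-String | Write-Host
}

# 2. Egress isolation: allow outbound traffic only to the listed internal
#    ranges, then make Block the default outbound action on every profile.
#    Explicit Allow rules are still evaluated before the default action.
$ruleName = 'CERTNZ-Orion-Isolation-Allow-Internal'   # assumed name

if (-not $Apply) {
    Write-Host "Dry run. Would allow outbound only to: $($AllowedInternalRanges -join ', ')"
    Write-Host 'Would set DefaultOutboundAction=Block on the Domain, Private and Public profiles.'
    Write-Host 'Re-run with -Apply to enforce.'
    return
}

# Remove a stale copy of the rule left by a previous run, if any.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Allow -Profile Any `
    -RemoteAddress $AllowedInternalRanges `
    -Description 'Permit only internal management traffic while Orion is isolated.' | Out-Null

Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. Verify the resulting state.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Two caveats for use. First, a default outbound Block does not disable pre-existing outbound Allow rules (for example the built-in Core Networking rules), so audit them with `Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True` and disable anything that would permit internet egress. Second, this is host-based control only; the advisory's guidance is to isolate the server, so the same egress restriction should also be enforced at the network boundary (firewall or ACL) where the host cannot alter it.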
In addition to patching, take additional measures, including:
Organisations should consider the impacts and applicability of these steps on their specific network operations prior to implementing these mitigations.
Ensuring an effective patching strategy, focusing on internet-facing systems, is the most effective mitigation against these tools. The ACSC recommends organisations follow the advice provided in existing ACSC publications such as Summary of Tactics, Techniques and Procedures Used to Target Australian Networks and ASD's Essential Eight.