The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, following a known compromise affecting SolarWinds Orion products. CISA has advised the immediate disconnection of the affected devices, which are currently being exploited by malicious actors.
The Emergency Directive asks all federal civilian agencies to review their networks for indicators of compromise, and disconnect or power down SolarWinds Orion products using versions 2019.4 through 2020.2.1 HF1 immediately.
The cyberattacker was able to gain access to U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March this year, according to a CISA alert issued Thursday. The threat actor displayed sophistication and complex tradecraft in these intrusions.
CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. The adversary has also demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered, CISA said.
The agency is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.
The adversary is making extensive use of obfuscation techniques to hide their C2 communications, according to the CISA alert. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity amidst legitimate user traffic. The attackers also frequently rotate their ‘last mile’ IP addresses to different endpoints to obscure their activity and avoid detection.
“Critical Infrastructures do have very good change management processes in place, the recommendation is to conduct an alternate audit process for your top risk assets, just because your standard audit tool may have been compromised,” wrote Agustin V, head of OT global cybersecurity at Iberdrola, in a LinkedIn post.
CISA remains in regular contact with the U.S. government, private sector and international partners, providing technical assistance upon request, and making needed information and resources available to help those affected recover quickly from this incident. It is also working with public and private stakeholders across the critical infrastructure community to ensure that they understand their exposure and are taking steps to identify and mitigate any compromises.
Having determined that the exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action, CISA said that the vendor is currently working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise. CISA will continue to work with its partners to monitor for active exploitation associated with this vulnerability.
Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain, according to the CISA emergency directive.
Users must block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed, apart from identifying and removing all threat actor-controlled accounts and identified persistence mechanisms, CISA said.
After all threat actor-controlled accounts and identified persistence mechanisms have been removed, CISA’s emergency directive required that all hosts monitored by the SolarWinds Orion monitoring software be treated as compromised by threat actors and assume that further persistence mechanisms have been deployed.
It also recommended rebuilding hosts monitored by the SolarWinds Orion monitoring software using trusted sources, resetting all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in a press statement, on Sunday. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. The current emergency directive remains in effect until all agencies have applied the forthcoming patch or the directive is terminated through other appropriate action.
Pursuant to Presidential Policy Directive (PPD) 41, the FBI, CISA and ODNI have formed a Cyber Unified Coordination Group (UCG) to coordinate a ‘whole-of-government response’ to this significant cyber incident. The group aims to unify the individual efforts of these agencies as they focus on their separate responsibilities.
“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” according to a joint statement issued by the Federal Bureau of Investigation, CISA and the Office of the Director of National Intelligence, on Wednesday.