SolarWinds: What is Known So Far
Hackers believed to be part of a Russian advanced persistent threat (APT) group managed to infiltrate the SolarWinds software update system and "trojanize" updates sent to customers. The backdoor installed on infected networks waited at least two weeks before contacting command and control systems, which helped the intruders evade detection. FireEye, which was one of the companies targeted, noted the operation's tactics included "some of the best operational security." The threat actors were operating from March until this past weekend, which provided lots of opportunity for information gathering. It will take a while to get a picture of what information the attackers harvested and what they left inside occupied systems. (Please note that the WSJ story is behind a paywall.)
Jake Williams, a SANS NewsBites editor, and Rob Lee, SANS Curriculum Lead for Forensics and Incident Response, produced an authoritative special webcast last night providing drilldown and advice, available at https://sansurl.com/solarwinds Another excellent analysis has been published on the SANS Internet Storm Center (https://isc.sans.edu/diary/rss/26884). Fireeye and Microsoft have put out very detailed information about the attack and the SolarWinds vulnerabilities, including indicators and detection signatures. Beyond shutting down Solarwinds Orion nodes, review IOC information on the FireEye GitHub repo: https://github.com/fireeye/sunburst_countermeasures. If you are using a Network Management System product other than SolarWinds, it's still important to check the configuration and threat model so you would know if that product had been compromised. Also important to make sure you are checking that all of your suppliers that are/were using SolarWinds are doing the right mitigation and recovery.
Having your Network Management system compromised is a worst case scenario, and nothing that should be brushed off with a "We are not important enough to be hit". The options for an attacker are endless, and we have probably not seen most of it yet. PLEASE rebuild affected SolarWinds Orion installs from scratch. Do not just "patch and move on". It is painful to rebuild, but incident response is harder. Change passwords stored in SolarWinds while you are at it (and it isn't easy to find them all). Finally, take published indicators of compromise as a "good start" but don't assume they are complete.
Read more in
Washington Post: Russian hack was 'classic espionage' with stealthy, targeted tactics