Monday, December 14, 2020

SolarWinds, FireEye, and Russian Intelligence Compromise the entire damn world...

Ok folks, this one is the real deal... I believe that the SolarWinds global supply chain compromise incident disclosed yesterday is now the most severe and most widespread information security compromise incident ever publicly disclosed.

I can only think of one other that is even close... the RSA compromise... and from what was actually publicly disclosed (vs. what many of us in the field know to have been compromised but cannot officially confirm or disclose)... honestly... this may be worse. From all appearances, and the implications thereof, it may in fact be MUCH worse.

SolarWinds is a major component of the infrastructure that runs... everything, really. 300,000 organizations may have been compromised by this... note: compromised, not necessarily exploited... SolarWinds is used by a lot of major service providers: ISPs, ASPs, SaaS providers, and Managed Service Providers in the networking, security, and every other space... It's everywhere, and when you look at the details of the compromise... yeah, this could be EXTREMELY bad.

For information and review, the various official notices and responses to the SolarWinds global supply chain compromise incident:

The emergency CERT alert issued at approx. 22:00 EST last night:

https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software

The DHS-CISA (Homeland Security Cybersecurity and Infrastructure Security Agency) Emergency Directive for the compromise:

https://cyber.dhs.gov/ed/21-01/

This is the SolarWinds official advisory and recommendations:

https://www.solarwinds.com/securityadvisory

Here's the FireEye advisory and recommendations:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Here's the Microsoft Advisory and recommendations:

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Here are the recommended detection and mitigation countermeasures, rulesets, and criteria... as published by FireEye and recommended by CISA:

https://github.com/fireeye/sunburst_countermeasures

And the recommendations to detect persistence in a compromise event, from MITRE ATT&CK:

https://attack.mitre.org/tactics/TA0003/