Threat Update
Government and private sector organizations are constantly releasing updates on all manner of topics relating to the SolarWinds Orion compromise. In this article, we have detailed recently released information related to the incident.
Technical Detail & Additional Information
WHAT IS THE THREAT?
HARDENING ACTIVE DIRECTORY
A recent article from CSO Online on hardening Active Directory against attacks like the SolarWinds Orion breach highlighted an earlier article from the security company Trimarc, which provides detailed steps that administrators can take to harden AD in their environment. The CSO Online article references a free tool that Trimarc created to perform security checks against an AD system; however, Trimarc's breakdown of AD security concerns and the recommendations they provide are extensive and worth reviewing even if you are not interested in the tool itself.
STATEMENTS FROM VENDORS AND ORGANIZATIONS
Mimecast:
Mimecast has confirmed that the breach they reported two weeks ago was linked to a compromised version of SolarWinds Orion hosted on their network. Based on their investigation, they believe the threat actors used Mimecast's certificates to target Mimecast customers.
Qualys: It was only a test system
Threat researchers found domains registered to the cybersecurity vendor as part of their investigation into compromised domains related to the SolarWinds incident. Qualys denies that their network was compromised and states that the instance of Orion on their network was part of a lab environment in which they were testing the platform.
Fidelis Cybersecurity:
Fidelis Cybersecurity released a blog article stating that a version of the compromised Orion platform was at one point being evaluated for use in their environment and had been part of the network. They state that, although their investigation did show attempts to escalate privileges and move laterally, the platform was sufficiently segmented from the rest of the network and the attempts failed.
Palo Alto:
The firm released a statement that they investigated two breaches of their network back in September and October 2020, which they did not realize at the time were part of the greater Orion incident, but have now concluded that the incidents were linked and were the result of a compromised version of Orion. In the initial report released about the events, Palo Alto stated that "the attempted attack was unsuccessful, and no data was compromised".
MITRE ATT&CK: UNC2452 TECHNIQUES
MITRE has published a new version of ATT&CK which documents some of their findings related to techniques used by the threat actors behind the SolarWinds Orion compromise. They state that, since new information is continually being released, this version will likely see additional changes in the future. In this version they have released updates on:
- New procedural example variations of techniques
- Expansion of current technique scoping
- New (sub-)techniques not previously published within ATT&CK
- A new group representing the threat group responsible for the intrusions
- New malware first spotted in this intrusion
- An existing tool used in this intrusion
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/
- https://www.csoonline.com/article/3603951/tips-to-harden-active-directory-against-solarwinds-type-attacks.html
- https://www.hub.trimarcsecurity.com/post/securing-active-directory-performing-an-active-directory-security-review
- https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714
If you have any questions, please contact our Security Operations Center.