The US Cybersecurity and Infrastructure Security Agency has updated its official guidance for dealing with the fallout from the SolarWinds supply chain attack.
In an update posted late last night, CISA said that all US government agencies that still run SolarWinds Orion platforms must update to the latest 2020.2.1HF2 version by the end of the year.
Agencies that can’t update by that deadline are to take all Orion systems offline, per CISA’s original guidance, first issued on December 18.
The guidance update comes after security researchers uncovered a new major vulnerability in the SolarWinds Orion app over the Christmas holiday.
Tracked as CVE-2020-10148, this vulnerability is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations.
This vulnerability was being exploited in the wild to install the Supernova malware on servers where the Orion platform was installed, in attacks separate from the SolarWinds supply chain incident.
Orion update verified by the NSA
As part of the original SolarWinds supply chain attack, hackers broke into SolarWinds’ internal network and altered several versions of the Orion app to add malware.
All Orion app updates, versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with a malware strain named Sunburst (or Solorigate).
This malware is believed to have been installed by at least 18,000 companies, according to SolarWinds. Sunburst was only a first-stage reconnaissance module that allowed the attackers to escalate infections to a second-stage, where they deployed a malware strain named Teardrop.
SolarWinds released the 2020.2.1HF2 version on December 15 to address the attack, claiming that installing the update would remove any traces of the Sunburst-related code from their systems (present inside victim networks after installing the originally tainted Orion versions).
“The National Security Agency (NSA) has examined this version [2020.2.1HF2] and verified that it eliminates the previously identified malicious code,” CISA said on Tuesday.
But besides removing the Sunburst-related malware code from infected hosts, CISA is mostly urging government agencies to update to 2020.2.1HF2 to make sure threat actors can’t exploit any other Orion-related bug, like the severe CVE-2020-10148 vulnerability, to carry out new attacks against US federal agencies already reeling from the initial supply chain attack.
More tools for defenders working on SolarWinds IR
Prior to releasing this guidance update, CISA has also released a free tool for IT and security experts working incident response (IR) on the SolarWinds supply chain attack.
The tool, a PowerShell script, helps detect possible compromised accounts and applications in an Azure or Microsoft 365 environment.
In a report published yesterday, Microsoft said the goal of the SolarWinds hackers was to enter companies’ networks through the tainted Orion app update but then escalate their access to their victims’ local networks, and finally, the victims’ cloud-based environments, where most of the sensitive data was being aggregated.
CrowdStrike, which said last week it was also targeted by the SolarWinds hackers but that the attack failed, also released a similar tool to the one released by CISA. Named CRT, the tool can help identify accounts with extensive access permissions inside an Azure AD and Office 365 corporate network.
Both the CISA and CrowdStrike tools are useful for spotting accounts with extensive permissions that are not under an administrator’s control.