Blog

Zix | AppRiver is advising organizations to protect themselves in the wake of the SolarWinds supply chain attack.

How Was SolarWinds Compromised?

On December 13, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) issued Emergency Directive 21-01. The alert revealed that malicious actors were in the processing of exploiting versions 2019.4 through 2020.2.1 HF1 of SolarWinds’ Orion product, a technology platform which provides centralized monitoring of customers’ entire IT stack.

Citing the presence of “unacceptable risk to Federal Civilian Executive Branch agencies,” DHS CISA ordered all federal agencies to disconnect their affected SolarWinds products from their network and to not reconnect those products until CISA gave them the go-ahead. SolarWinds confirmed this exploit on its website, calling it a “very sophisticated supply chain attack.” It went on to explain that the attack had involved a vulnerability known as SUNBURST.

According to Microsoft, malicious actors potentially compromised the distribution systems used for Orion and embedded backdoor code into a legitimate SolarWinds library. SolarWinds subsequently pushed out this malware, “SolarWinds.Orion.Core.BusinessLayer.dll,” as an update to Orion. Upon execution, the malware disguised its network traffic as the Orion Improvement Program (OIP) protocol in order to conduct reconnaissance on its targets by monitoring their internal email networks.

As reported by The Verge, SolarWinds claimed that fewer than 18,000 of its total 33,000 user base had downloaded the malicious update. On its website, SolarWinds confirmed that it had removed the software builds affected by SUNBURST from its download sites. It also urged organizations to update their Orion platforms as soon as possible in order to ensure their security.

How Organizations Can Stay Safe

Customers of Zix | AppRiver are not directly affected by the compromise discussed above. We recommend organizations implement the countermeasures.

1. Prevent: Customers need a layered defense to their digital security. According to a filing with the United States Securities and Exchange Commission, SolarWinds is an Office 365 customer that had received word from Microsoft of suspicious email activity prior to the breach. SolarWinds said in its filing that it was investigating whether this activity was associated with the Orion compromise. This possibility reveals that organizations can’t rely on Office 365 built-in email threat protection to defend against digital threats. To prevent a breach from occurring, they also need third-party Advanced Email Threat Protection solution.
2. Detect: Organizations are advised to run a security audit within their Office 365 infrastructure to identify suspicious user behavior. There were indications within the breach analysis that determined the threat actors were monitoring emails as the actor moved laterally. Therefore, it’s essential that organizations invest in their ability to identify a compromised email account.
3. Respond: This is a supply chain attack, meaning organizations of all sizes were exposed. That includes SMBs. If your organization is one of the 33,000 SolarWinds customers, it is vital that you apply the hotfix that SolarWinds has released. They’re urged to run Windows Defender or similar endpoint protection solutions. Given the fact that SUNBURST delivers various types of payloads, organizations need to invest in their ability to detect the type of malware.
4. Recover: For organizations that were compromised, the breath of impact is effectively unknown. However, we do know that attacks started earlier in 2020. Having backups that revert back to that time frame is critical for organizations to recover without the risk of being compromised again.

Learn more about the email threat protection solutions offered by Zix | AppRiver here.