Charles J. Zigmund, Vice President
Cathy Morley Foster
Incident Response to SolarWinds Orion Software Compromise for SMEs
Scottsdale, Ariz., March 1, 2021 — In early December 2020, it was revealed that a state-sponsored cyber attack had been launched through a supply chain compromise of the SolarWinds Orion monitoring software, initially affecting FireEye, a cybersecurity company. The attack worked by inserting a backdoor, known as Sunburst, into the software, enabling the attackers to remotely control the SolarWinds platform and use it to exfiltrate sensitive data from private-sector businesses, organizations, and government agencies. The attacks appear to have started in September 2019 and were discovered almost a year later.
More recently, it was learned that a separate, unconnected attack — also believed to be state-sponsored — was launched at the same time on certain government payroll systems. Now, others have been attacked. While SolarWinds announced it has patched the vulnerabilities, investigations into the incidents are ongoing, especially in light of additional attacks via Microsoft 365 and the Azure cloud environment.
“These hacks present ongoing risks to businesses and organizations, with the potential to compromise networks, employee and consumer data, and intellectual property,” said Chris Clements, vice president, solutions architecture, Cerberus Security Officer, Cerberus Sentinel. “Small and mid-sized enterprises (SMEs) can be particularly vulnerable, often operating with smaller staffs and limited budgets.”
Cerberus Sentinel Corporation (OTC: CISO), a cybersecurity consulting and managed services firm based in Scottsdale, Ariz., reinforces the need for all organizations to be vigilant in keeping their cybersecurity defenses up to date. Specifically, the company offers the following counsel to SMEs to protect mission-critical operations, resources, and software from exploitation via the SolarWinds attack.
Questions for IT Teams
- Do you know if your organization has a SolarWinds product installed in production, or if IT has tested it in a free trial demo?
  - If not, do the following:
    - Contact your IT department and ask whether the SolarWinds Orion product suite is, or has ever been, in use in your environment. The known affected software of the Orion platform is as follows:
      - Application Centric Monitor (ACM)
      - Database Performance Analyzer Integration Module (DPAIM)
      - Enterprise Operations Console (EOC)
      - High Availability (HA)
      - IP Address Manager (IPAM)
      - Log Analyzer (LA)
      - Network Automation Manager (NAM)
      - Network Configuration Manager (NCM)
      - Network Operations Manager (NOM)
      - Network Performance Monitor (NPM)
      - NetFlow Traffic Analyzer (NTA)
      - Server & Application Monitor (SAM)
      - Server Configuration Monitor (SCM)
      - Storage Resource Monitor (SRM)
      - User Device Tracker (UDT)
      - Virtualization Manager (VMAN)
      - VoIP & Network Quality Manager (VNQM)
      - Web Performance Monitor (WPM)
    - If IT cannot say for certain, or needs help determining with assurance whether backdoored instances of a SolarWinds product are present, consider using a network inventory or scanning tool, or working with a third party to assist with detection.
  - If you know you are using, or have used, a SolarWinds product in the past, do the following:
    - Review all instances of the product (e.g., production, DR, lab) to learn what version of the software is installed. Versions of the software known to contain the Sunburst malware are:
      - v2019.4 HF5
      - v2020.2 (no hotfix)
      - v2020.2 HF1
    - If infected versions of SolarWinds are detected, enact the organization’s incident response plan, but at a minimum:
      - Block outbound network access from the SolarWinds system(s) or take them offline.
      - Apply the SolarWinds v2020.2.1 HF1 or v2019.4 HF6 patches, which remove the Sunburst backdoor.
      - Reset any passwords used by the SolarWinds software to monitor the organization’s computers or network devices.
      - Review the rest of the environment for known indicators of compromise (IoCs) to determine the extent of the exposure.
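As an added example (not Cerberus Sentinel's or SolarWinds' own tooling), the following Python script triages a constructed inventory of Orion instances against the build list above: it normalises the version strings an inventory export typically contains, flags the Sunburst builds, and names the fix build the release gives for each release train. The host names, the CSV layout and the "unknown" category for builds on neither list are assumptions.

```python
"""Constructed example: triage a SolarWinds Orion inventory against the Sunburst
build list above. Not Cerberus Sentinel's or SolarWinds' own tooling."""
import re

# Builds the release names as carrying Sunburst: (release, hotfix); no hotfix -> 0.
AFFECTED = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}
# Builds the release names as removing the backdoor, keyed by the train they fix.
PATCH_FOR = {"2019.4": ("2019.4", 6), "2020.2": ("2020.2.1", 1)}

# Accepts "v2020.2 HF1", "2020.2", "2019.4 Hotfix 6", "2020.2.1 HF1"; case-insensitive.
VERSION_RE = re.compile(r"v?(\d{4}\.\d+(?:\.\d+)?)\s*(?:HF|Hotfix)?\s*(\d+)?", re.I)

def parse_version(text):
    """Normalise a version string to (release, hotfix); None if it does not parse."""
    m = VERSION_RE.fullmatch(text.strip())
    return (m.group(1), int(m.group(2) or 0)) if m else None

def classify(version):
    """'affected' (Sunburst build), 'patched' (fix build), 'unknown' (on neither list)."""
    if version is None:
        return "unparsable"
    if version in AFFECTED:
        return "affected"
    return "patched" if version in PATCH_FOR.values() else "unknown"

def triage(inventory_csv):
    """Map host -> (status, fix build or None) from 'host,env,module,version' lines."""
    result = {}
    for line in inventory_csv.strip().splitlines():
        host, _env, _module, raw = (f.strip() for f in line.split(","))
        version = parse_version(raw)
        status = classify(version)
        fix = PATCH_FOR.get(version[0]) if status == "affected" else None
        result[host] = (status, fix)
    return result

# Constructed inventory. An 'unknown' build is on neither of the release's lists and
# still needs confirmation against vendor guidance, not a clean bill of health.
INVENTORY = """\
orion-prod-01,production,NPM,2020.2 HF1
orion-dr-01,DR,NPM,v2019.4 HF5
orion-lab-01,lab,SAM,2020.2.1 HF1
orion-lab-02,lab,NCM,2019.4 Hotfix 6
orion-old-01,production,NPM,2018.4 HF3
"""

if __name__ == "__main__":
    for host, (status, fix) in triage(INVENTORY).items():
        print(host, status, f"isolate, apply {fix[0]} HF{fix[1]}, reset creds" if fix else "")
```

Hosts reported as "affected" are the ones the four minimum steps above apply to; the fix build printed is the one the release pairs with that train.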
- Do you know if any of your vendors or business partners use SolarWinds?
  What to do:
  - Ensure your vendor list is current, and that you have a clear understanding of what data your vendors have access to.
  - Communicate with the vendor’s point of contact and ask what response the vendor has taken following the attack revelations.
  - If a vendor has been affected, enact your incident response plan to ensure that you have contained any exposure that may stem from a compromise of the affected vendor(s).
- Are you prepared for the next SolarWinds-style supply chain attack from other vendors?
  What to do:
  - Review or create a comprehensive vendor (compliance) management program to ensure that all vendor interactions with your organization’s network or data are understood, and that the appropriate contractual requirements are in place for vendors to demonstrate they follow information security best practices.
  - Review all available internal controls that may be implemented to limit exposure stemming from a future vendor supply chain attack.
  - Ensure your incident response plan takes #1 and #2 into consideration.
For additional information, contact Cerberus Sentinel advisors at https://www.cerberussentinel.com, 480-389-3444
About Cerberus Sentinel
Cerberus Sentinel is a U.S. provider of consulting and managed services, focused solely on cybersecurity. The company seeks to expand by acquiring world-class cybersecurity talent and utilizes the latest technology to create innovative solutions that protect the most demanding businesses and government organizations against continuing and emerging security threats.
Safe Harbor Statement
This news release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Statements including words such as “believes,” “expects,” “anticipates,” “intends,” “estimates,” “plan,” “will,” “may,” “look forward,” “intend,” “guidance,” “future” or similar expressions are forward-looking statements. Because these statements reflect Cerberus Sentinel’s current views, expectations and beliefs concerning future events, these forward-looking statements involve risks and uncertainties. Investors should note that many factors, as more fully described under the caption “Risk Factors” and elsewhere in Cerberus Sentinel’s Form 10-K, Form 10-Q and Form 8-K filings with the Securities and Exchange Commission and as otherwise enumerated herein, could affect Cerberus Sentinel’s future financial results and could cause actual results to differ materially from those expressed in such forward-looking statements. The forward-looking statements in this press release are qualified by these risk factors. These are factors that, individually or in the aggregate, could cause the Cerberus Sentinel’s actual results to differ materially from expected and historical results. You should not place undue reliance on any forward-looking statements, which speak only as of the date they are made. We assume no obligation to publicly update any forward-looking statements, whether as a result of new information, future developments or otherwise.