Monthly Archives

December 2020

SolarWinds Orion Data Breach

Categories: Cyber Security, Risk Management

Hello everyone. As many of you know, SolarWinds just suffered a significant data breach. Our CEO, Mike Meline, spent quite a bit of this week researching the compromise and has gathered some details to aid you in your response. We, at Cyber Self-Defense, will continue to monitor and update you.

The information available on the breach shows that in March (or perhaps before), a nation state injected a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll (with a file hash of [b91ce2fa41029f6955bff20079468448]) into the update CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp. After a dormant period (which seems to differ for each compromised system, but is around two weeks), the trojan attempts to resolve a subdomain of avsvmcloud.com (I placed a generic link of google.com into the previously listed link, to prevent someone from accidentally clicking on it and going to the website). The DNS response that comes back points the compromised system to a command and control network.

a. Identification of vulnerability
   i. This affects “SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1.”
      1. Known affected products: Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
         a. Application Centric Monitor (ACM)
         b. Database Performance Analyzer Integration Module (DPAIM)
         c. Enterprise Operations Console (EOC)
         d. High Availability (HA)
         e. IP Address Manager (IPAM)
         f. Log Analyzer (LA)
         g. Network Automation Manager (NAM)
         h. Network Configuration Manager (NCM)
         i. Network Operations Manager (NOM)
         j. Network Performance Monitor (NPM)
         k. NetFlow Traffic Analyzer (NTA)
         l. Server & Application Monitor (SAM)
         m. Server Configuration Monitor (SCM)
         n. Storage Resource Monitor (SRM)
         o. User Device Tracker (UDT)
         p. Virtualization Manager (VMAN)
         q. VoIP & Network Quality Manager (VNQM)
         r. Web Performance Monitor (WPM)
      2. I recommend that you determine if you have SolarWinds.Orion.Core.BusinessLayer.dll
         a. with a file hash of [b91ce2fa41029f6955bff20079468448];
         b. [C:\WINDOWS\SysWOW64\netsetupsvc.dll] (unknown hash)
         c. If you have Tenable Nessus installed, you can use plugin 62117 to detect SolarWinds Orion and 144198 to detect the specific version believed to have been affected.
b. Actions to take
   i. There is an update that should be applied, which came out yesterday, and another that will come out today. See https://www.solarwinds.com/securityadvisory
   ii. It is recommended that, if you have these products, you:
      1. Review logs to ensure that there are no indicators of compromise.
   iii. Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1.
      1. Analyze for new user or service accounts, privileged or otherwise. (from https://cyber.dhs.gov/ed/21-01/)
      2. Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of hosts (e.g., SolarWinds systems) have had connections. (from https://cyber.dhs.gov/ed/21-01/)
   iv. Block all traffic to and from any devices that have SolarWinds installed.
   v. Monitor traffic.
c. For more information:
   i. Please review the SolarWinds advisory at https://www.solarwinds.com/securityadvisory
   ii. See the guidance provided by DHS at https://cyber.dhs.gov/ed/21-01/
d. Assistance
   i. We do have Tenable Nessus and forensic tools and can run tests for you; please let us know if you need help or further guidance.
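
The DNS checks described above (the trojan resolving a subdomain of avsvmcloud.com, and the DHS guidance to look for new external domains that only a small number of hosts have contacted) can be run over exported resolver logs. The following is an added example, not code from this post, SolarWinds or DHS; the log format, the `triage` function, the host addresses and the two-label base-domain shortcut are all assumptions.

```python
from collections import defaultdict

C2_DOMAIN = "avsvmcloud.com"  # domain named in the post

# Constructed sample log (not real traffic): "<UTC time> <client IP> <query name>"
SAMPLE_LOG = """\
2020-12-14T08:00:01Z 10.0.0.21 www.example.com.
2020-12-14T08:00:04Z 10.0.0.22 www.example.com.
2020-12-14T08:00:09Z 10.0.0.23 www.example.com.
2020-12-14T08:01:10Z 10.0.0.5 Sample-Label.AVSVMCLOUD.com.
2020-12-14T08:02:30Z 10.0.0.5 updates.example.net
2020-12-14T08:03:00Z 10.0.0.21 avsvmcloud.com.example.org
2020-12-14T08:03:05Z 10.0.0.22 notavsvmcloud.com
malformed line
"""

def normalize(qname):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return qname.strip().rstrip(".").lower()

def is_under(qname, domain):
    """Match on a label boundary only, so look-alike names are not flagged."""
    qname, domain = normalize(qname), normalize(domain)
    return qname == domain or qname.endswith("." + domain)

def parse(log_text):
    """Yield (time, client, qname) and skip lines that do not have three fields."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], normalize(parts[2])

def triage(log_text, orion_hosts, known_domains, max_hosts=2):
    """Return (queries under C2_DOMAIN, unfamiliar domains only a few hosts asked for)."""
    orion_hosts = set(orion_hosts)
    c2_hits, clients = [], defaultdict(set)
    for ts, client, qname in parse(log_text):
        if is_under(qname, C2_DOMAIN):
            c2_hits.append((ts, client, qname))
        # Assumption: the last two labels stand in for the registered domain;
        # production code should use the Public Suffix List instead.
        clients[".".join(qname.split(".")[-2:])].add(client)
    rare = {d: sorted(c) for d, c in clients.items()
            if d not in known_domains and len(c) <= max_hosts and c & orion_hosts}
    return c2_hits, rare

if __name__ == "__main__":
    # 10.0.0.5 is the hypothetical Orion server in the constructed sample.
    hits, rare = triage(SAMPLE_LOG, {"10.0.0.5"}, {"example.com"})
    print("C2 lookups:", hits)
    print("Rare domains queried by Orion hosts:", rare)
```

Any entry in the first result is a host to isolate and image; entries in the second are domains to investigate, starting with those queried by the Orion servers.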

If you have any questions or would like to discuss this further, don’t hesitate to reach out to us. Stay safe!

UPDATE: Cybersecurity Maturity Model Certification

Categories: Cyber Security, Risk Management

We have all been hearing about Cybersecurity Maturity Model Certification (CMMC). Cyber Self-Defense has been posting quite a bit about this program as we want you to be well informed. As we begin preparations for 2021, I thought I would write another article that answers two of the questions we are asked by everyone who calls us, and we have been receiving plenty of questions.

The first question I receive most often is, “Do I have to be compliant with CMMC?” My initial response is that as business leaders, it is our responsibility to protect our company and customers. Cybersecurity is another business risk that MUST be addressed. This theory does not take into account whether or not you have a legal requirement to do so, so let me dig in some more. A NON-CMMC question I receive often is, “What standard for cybersecurity should I follow?” My answers vary, based on the needs of the company. Having looked at many companies, I think a middle-of-the-road approach is the CMMC. This standard is laser-focused and one that allows for certification, without the heavy overhead required by many of the standards. It is well mapped out and provides a realistic approach to cybersecurity, while being adaptable to the needs of the organization.

Let’s now discuss the “legal” stuff. I am not an attorney, nor do I play one on television. What I keep hearing is that the Department of Defense has the ability to hold companies accountable for three times the cost of the contract plus per claim in accordance with the False Claims Act. If you are currently doing business with the DOD, you are already accountable for compliance. If you plan on doing business with the DOD, you will (eventually) have to achieve compliance. In addition, your employees have an incentive to report your non-compliance; they receive between 15% and 30% of any award under the False Claims Act. I have read that the Department of Justice has already obtained over $3 billion in settlements and judgements in the fiscal year ending September 30, 2019. Based on this, I recommend the certification.

Another question/statement we receive is something to the effect of “I am going to wait and see if the DOD will enforce it, I don’t have to be compliant right now, do I?” On November 23rd, 2020, I received a communication from Idaho PTAC that stated, “Idaho’s PTAC has been made aware of a fast-approaching deadline for prime and sub-contractors working with the Department of Defense (DoD). All contractors must complete and submit a NIST SP 800-171 cyber self-assessment to the DoD Supplier Performance Risk System (SPRS) through their approved vendor, Project Spectrum, in compliance with CMMC requirements. The deadline for this self-assessment is Monday, November 30, 2020. Those who do not complete and submit this initial self-assessment are at risk of losing their contracts with the DoD.” In every circle I belong to, I am hearing that this WILL be enforced. If you wait until the last minute, you will not make it!!! The CMMC is based on maturity, so if you think you will be able to put a plan together, last minute, and pass the certification, you are incorrect!!! This program is designed to ensure that you are mature, not that you threw something up overnight.

As this is a program that we care about and REALLY want to help you with, please reach out to us for answers to your questions.  We have put together a PowerPoint with key information and this is a free service we offer, to help you with your decision as to whether you should prepare for the certification. Just give us a call at (866) 292-3796 to start the conversation!