The Department of Homeland Security has issued an emergency directive with specific instructions for US Federal Agencies: https://cyber.dhs.gov/ed/21-01/ . Steps 1-3 are not required for US ProTech customers.

For all US ProTech customers, Step 4 of this directive provides the steps required to remediate and update any at-risk or impacted systems. SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. SolarWinds has also published mitigation and hardening instructions at https://www.solarwinds.com/securityadvisory.

Per FireEye, in the event you are unable to follow SolarWinds’ recommendations, the following are immediate mitigation techniques that could be deployed as first steps to address the risk of trojanized SolarWinds software in an environment. If attacker activity is discovered in an environment, it is recommended to conduct a comprehensive investigation, designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.

Ensure that SolarWinds servers are isolated/contained until further review and investigation have been conducted. This should include blocking all Internet egress from SolarWinds servers.

If SolarWinds infrastructure is not isolated, consider taking the following steps:

Restrict the scope of connectivity from SolarWinds servers to other endpoints, especially those that would be considered Tier 0 / crown jewel assets.

Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.

Block Internet egress from servers or other endpoints with SolarWinds software.

Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.

If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note that this is a proactive measure due to the scope of SolarWinds functionality, not one based on investigative findings.

If possible, block the following domains and IP addresses at the firewall level:

US ProTech Detections:

US ProTech is currently in the process of building and operationalizing several detections in response to this campaign. These detections cover various network and host indicators. We will alert you via ticket if there is evidence you are impacted by this attack.
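As an added example (not part of the US ProTech advisory or of any FireEye or SolarWinds tooling), the following Python matches DNS-query and outbound-connection log lines against the domains and IP addresses the advisory recommends blocking, treating any subdomain of a blocked domain as a hit while respecting label boundaries so that a look-alike name such as notavsvmcloud.com is not flagged. The log format, the sample log lines and the trimmed blocklist are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample blocklist using indicators the advisory lists, in the defanged "[.]" form.
BLOCKED_DOMAINS = ["avsvmcloud[.]com", "deftsecurity[.]com", "freescanonline[.]com"]
BLOCKED_IPS = ["13.59.205.66", "5.252.177.25"]

# Constructed log lines in a hypothetical format:
# "<timestamp> <source> DNS <queried name>" or "<timestamp> <source> CONN <dest ip>:<port>"
SAMPLE_LOG = [
    "2020-12-14T03:12:07Z 10.0.5.21 DNS updates.example.com",
    "2020-12-14T03:12:09Z 10.0.5.21 DNS abc123.appsync-api.us-east-2.avsvmcloud.com",
    "2020-12-14T03:12:11Z 10.0.5.21 CONN 13.59.205.66:443",
    "2020-12-14T03:12:15Z 10.0.7.8 DNS notavsvmcloud.com",
    "2020-12-14T03:12:20Z 10.0.7.8 CONN 10.0.0.5:445",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|CONN) (?P<target>\S+)$")

def refang(indicator: str) -> str:
    """Turn the published 'example[.]com' form into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def domain_matches(hostname: str, blocked: list) -> bool:
    """True if hostname equals a blocked domain or is a subdomain of one. Checking the
    label boundary ('.' + domain) stops 'notavsvmcloud.com' matching 'avsvmcloud.com'."""
    host = refang(hostname)
    return any(host == d or host.endswith("." + d) for d in blocked)

def scan_log(lines, domains, ips):
    """Return (timestamp, source, indicator_type, value) for each line that queries a
    blocked domain (or subdomain) or connects to a blocked IP address."""
    blocked_domains = [refang(d) for d in domains]
    blocked_ips = {ipaddress.ip_address(i) for i in ips}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the expected format
        target = m["target"]
        if m["kind"] == "DNS" and domain_matches(target, blocked_domains):
            hits.append((m["ts"], m["src"], "domain", refang(target)))
        elif m["kind"] == "CONN":
            try:
                dest = ipaddress.ip_address(target.rsplit(":", 1)[0])
            except ValueError:
                continue  # malformed destination, cannot match
            if dest in blocked_ips:
                hits.append((m["ts"], m["src"], "ip", str(dest)))
    return hits
```

Running scan_log(SAMPLE_LOG, BLOCKED_DOMAINS, BLOCKED_IPS) over the constructed lines returns two hits, the avsvmcloud.com subdomain query and the connection to 13.59.205.66, and ignores the look-alike name and the internal connection.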

Next steps:

US ProTech recommends that all customers confirm whether they have SolarWinds Orion Platform software versions 2019.4 through 2020.2.1 in their environment. If you do, follow the steps outlined in the “Mitigation Recommendations” section above.

US ProTech will continue to watch the evolution of this campaign and will provide further advisories if necessary. Please contact US ProTech if you have any questions.

Additional References:

DHS Emergency Directive

SolarWinds Advisory

FireEye Advisory

SANS ISC

Washington Post Article

Reuters Article

NY Times Article

Anamo.io