<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Heavy";
panose-1:2 11 9 3 2 1 2 2 2 4;}
@font-face
{font-family:"Franklin Gothic Demi";
panose-1:2 11 7 3 2 1 2 2 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.Default, li.Default, div.Default
{mso-style-name:Default;
margin:0in;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:"Franklin Gothic Demi",sans-serif;
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Good morning!<o:p></o:p></p>
<p class="MsoNormal">We would like to confirm that there are no active SolarWinds implementations at connected MVECA client sites. Below is a full description of the SolarWinds exploit from CISA. It is important that SolarWinds implementations using the Orion
Platform are currently isolated from the Internet. Please report back to us if you have a SolarWinds/Orion implementation and indicate how you’ve removed or isolated the associated servers from the network. This will allow us to report back to DAS and ODE
regarding the overall security of all connected network segments. At this time, we know of no exploited servers or SolarWinds implementations on network.<o:p></o:p></p>
<p class="MsoNormal">Please let me know if you have any questions.<o:p></o:p></p>
<p class="MsoNormal">Thank you,<o:p></o:p></p>
<p class="MsoNormal">Thor<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Thor Sage<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Executive Director<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Miami Valley Educational Computer Association<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">937-767-1468 x3101<o:p></o:p></span></p>
<p class="MsoNormal"><a href="http://www.mveca.org/"><span style="color:#1F497D;text-decoration:none"><img border="0" width="174" height="64" style="width:1.8125in;height:.6666in" id="Picture_x0020_1" src="cid:image001.jpg@01D6D379.36364C40" alt="http://www.mveca.org/images/logo.gif"></span></a><span style="color:#1F497D">
</span><a href="https://www.linkedin.com/company/mveca/"><span style="color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="_x0000_i1027" src="cid:image002.jpg@01D6D379.36364C40" alt="i"></span></a><a href="https://twitter.com/mvecarcog"><span style="color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_2" src="cid:image003.jpg@01D6D379.36364C40" alt="t"></span></a><a href="https://www.facebook.com/MVECA-707401659416692/"><span style="color:#1F497D;text-decoration:none"><img border="0" width="32" height="32" style="width:.3333in;height:.3333in" id="Picture_x0020_3" src="cid:image004.jpg@01D6D379.36364C40" alt="f"></span></a><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="color:#1F497D">Not-for-profit Technology Services for Education and Local Governments<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Franklin Gothic Heavy",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Franklin Gothic Heavy",sans-serif;color:black"></span><span style="font-size:14.5pt;font-family:"Franklin Gothic Heavy",sans-serif;color:black">Active Exploitation of SolarWinds Software</span><o:p></o:p></p>
<p class="Default"><o:p> </o:p></p>
<p class="Default"><span style="font-size:12.5pt">Executive Summary <o:p></o:p></span></p>
<p class="Default"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">On 13 December 2020, FireEye and SolarWinds released security advisories detailing a highly-skilled and highly-targeted, manual supply chain attack on the SolarWinds
Orion Platform network management system that leverages software updates to deploy a backdoor to victim organizations. SolarWinds Orion is an IT performance monitoring platform that helps organizations manage and optimize their IT infrastructure. The actors
behind this campaign have likely gained access to numerous public and private organizations around the world starting as early as Spring 2020. Signatures to detect this threat are available and mitigations are detailed in this alert and should be prioritized.
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default"><span style="font-size:12.5pt">Analysis <o:p></o:p></span></p>
<p class="Default"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">This supply chain compromise can allow attackers to gain access to victim organizations via Trojanized updates in the SolarWinds Orion Platform. While the attacker’s
post compromise activity leverages multiple techniques to evade detection and obscure their activity, there are also opportunities for detection. FireEye is tracking this threat actor as UNC2452 and news outlets suggest that APT29, also known as Cozy Bear,
is behind the campaign. </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default"><span style="font-size:12.5pt">Alert <o:p></o:p></span></p>
<p class="Default"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">On 13 December 2020, FireEye and SolarWinds released security advisories detailing active exploitation of SolarWinds Orion Platform software versions 2019.4 through
2020.2.1, released between March 2020 and June 2020. According to FireEye, SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party
servers. This Trojanized version of the Orion plug-in has been given the names SUNBURST by FireEye and Solorigate by Microsoft. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability
to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration
files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default"><span style="font-size:12.5pt">Patches, Mitigations & Workarounds:
<o:p></o:p></span></p>
<p class="Default"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">FireEye has released an Advisory with additional details as well as signatures to detect this threat actor and supply chain attack in the wild found on its public
GitHub page with detection rules in multiple languages including Snort, Yara, IOC, ClamAV. Additional mitigations include the following:
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default" style="margin-bottom:1.35pt"><span style="font-size:10.0pt"> </span>
<span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default"><span style="font-size:10.0pt"> If SolarWinds infrastructure is not isolated, consider taking the following steps:
<o:p></o:p></span></p>
<p class="Default" style="margin-bottom:1.3pt"><span style="font-size:10.0pt"> </span>
<span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">Restrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default" style="margin-bottom:1.3pt"><span style="font-size:10.0pt"> Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
<o:p></o:p></span></p>
<p class="Default"><span style="font-size:10.0pt"> Block Internet egress from servers or other endpoints with SolarWinds software.
<o:p></o:p></span></p>
<p class="Default" style="margin-bottom:.5pt"><span style="font-size:10.0pt"> </span>
<span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures
may be required. </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default"><span style="font-size:10.0pt"> </span><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations
for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="Default"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Franklin Gothic Book",sans-serif">SolarWinds recommends upgrading to Orion Platform version 2020.2.1 HF 1 as soon as possible. An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday,
December 15, 2020 and SolarWinds recommends updating to HF 2 once released as this both replaces the compromised component and provides several additional security enhancements.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="https://github.com/fireeye/sunburst_countermeasures">https://github.com/fireeye/sunburst_countermeasures</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>