Day 3 of the fallout from the SolarWinds Orion hack.
Microsoft announced today that it will be blocking versions of SolarWinds Orion that contain the compromised code, versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. In most cases the malware is present yet dormant, as the attackers were focused on specific targets. Microsoft has also intervened to seize the domain used for command and control and is using a technique called “sinkholing”, in which traffic from the malware’s beacons on infected systems is redirected and captured to help identify compromised organizations.
The National Security Council is invoking Presidential Directive-41, which “facilitates continuous and comprehensive coordination for whole-of-government efforts to identify, mitigate, remediate and respond to this incident.” This creates a chain of command for responding to the cyber incident.
CRN is reporting on Microsoft’s relationship to the hack: two key victims had their Microsoft Office 365 accounts compromised, which allowed Russian intelligence to monitor staff emails at the Commerce Department’s National Telecommunications and Information Administration.
The Washington Post is reporting that investors Silver Lake and Thoma Bravo sold significant portions of their shares in SolarWinds on December 7, the same day CEO Kevin Thompson resigned and two days before the announcement of its new CEO.
Why do we care?
Tactically, I don’t expect most small service providers are using Orion products, but that likelihood increases with size. Ensuring you are not running a compromised version is important, as is knowing that those versions will soon be blocked by Microsoft Defender.
There’s clearly a theme today, and it’s government oversight. It may be slow, but there will be more actions to come on this.
Before anyone makes too many assumptions, have the patience to let the process play out. Watch attentively, and do not fill gaps in knowledge with speculation. That said, stay mindful and keep observing.