Since the CISA reporting on SolarWinds Orion has been so well publicized and is causing a lot of concern, we wanted to provide a summary and reminder of services available. If you have already confirmed that you do not have SolarWinds Orion, this is a reminder of the services available to you.

Official details and updates, including the indicators of compromise can be found here:  https://us-cert.cisa.gov/ncas/alerts/aa20-352a

To recap, if you do not have one of the following affected versions of SolarWinds Orion, you do not need to take action:

·      Orion Platform 2019.4 HF5, version 2019.4.5200.9083

·      Orion Platform 2020.2 RC1, version 2020.2.100.12219

·      Orion Platform 2020.2 RC2, version 2020.2.5200.12394

·      Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

 

If you are operating one of the vulnerable versions, then the information below can help you determine what category you fall in and determine the level of risk and effort necessary to put your SolarWinds back into operation:

·       Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.

·       Category 2 includes those who have identified the presence of the malicious binary-with or without beaconing to avsvmcloud[.]com. Owners with malicious binary whose vulnerable appliance's only unexplained external communications are with avsvmcloud[.]com-a fact that can be verified by comprehensive network monitoring for the device-can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.

·       Category 3 includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020-not due to an action taken by your network defenders-you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.

NSA’s recent report on detecting abuse of authentication mechanisms (like SAML) is available here: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF.

If you are in need of assistance, the MS-ISAC and CISA are excellent resources:

·       For reporting indications of potential compromise, contact:  www.cisa.gov or central@cisa.dhs.gov.

·       For general questions and inquiries, contact: CyberLiaison@cisa.dhs.gov. 

 

If you are in need of state resources:

 

Wisconsin Statewide Intelligence Center (WSIC)

·       Reporting Cybercrime: https://wifusion.widoj.gov/ and click “Cyber Incident Reporting Form”

·       Subscribe to WSIC Analytic Reports email:  wsic@doj.state.wi.us.