News Flash Home
The original item was published from 12/28/2020 1:55:10 PM to 2/6/2021 12:00:04 AM.

News Flash

Home

Posted on: December 28, 2020

[ARCHIVED] Cybersecurity Alert & Resources for You

URGENT Cybersecurity Alert & Resources for You

Summary: The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.

Message & Resources from the Wisconsin Department of Administration, Bill Nash, Chief Information Security Officer:

Since the CISA reporting on SolarWinds Orion has been so well publicized and is causing a lot of concern, we wanted to provide a summary and reminder of services available. If you have already confirmed that you do not have SolarWinds Orion, this is a reminder of the services available to you.

Official details and updates, including the indicators of compromise can be found here:  https://us-cert.cisa.gov/ncas/alerts/aa20-352a

To recap, if you do not have one of the following affected versions of SolarWinds Orion, you do not need to take action:
Affected Versions:
·      Orion Platform 2019.4 HF5, version 2019.4.5200.9083
·      Orion Platform 2020.2 RC1, version 2020.2.100.12219
·      Orion Platform 2020.2 RC2, version 2020.2.5200.12394
·      Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
 
If you are operating one of the vulnerable versions, then the information below can help you determine what category you fall in and determine the level of risk and effort necessary to put your SolarWinds back into operation:

·       Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.

·       Category 2 includes those who have identified the presence of the malicious binary-with or without beaconing to avsvmcloud[.]com. Owners with malicious binary whose vulnerable appliance's only unexplained external communications are with avsvmcloud[.]com-a fact that can be verified by comprehensive network monitoring for the device-can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.

·       Category 3 includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020-not due to an action taken by your network defenders-you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.

NSA’s recent report on detecting abuse of authentication mechanisms (like SAML) is available here: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF.

If you are in need of assistance, the MS-ISAC and CISA are excellent resources:
·       For reporting indications of potential compromise, contact:  www.cisa.gov or central@cisa.dhs.gov.
·       For general questions and inquiries, contact: CyberLiaison@cisa.dhs.gov
·       For reporting indications of potential compromise, contact: https://us-cert.cisa.gov/report.
·       Please also include the MS-ISAC SOC, soc@msisac.org, on any outreach to CISA if you are an MS-ISAC member.
 
If you are in need of state resources:
 
Wisconsin Statewide Intelligence Center (WSIC)
·       Reporting Cybercrime: https://wifusion.widoj.gov/ and click “Cyber Incident Reporting Form”
·       Subscribe to WSIC Analytic Reports email:  wsic@doj.state.wi.us.
 
Wisconsin Cyber Response Team (CRT)
·       To become a CRT member email: crt@wisconsin.gov
·       For cyber incident assistance call: WEM Duty Officer at 800-943-0003

Bill Nash | Chief Information Security Officer
Department of Administration
Division of Enterprise Technology

Additional Info...
Facebook Twitter Email