Over the past two weeks, reports of Advanced Persistent Threat (APT) cyberattacks leveraging a supply chain compromise indicate that a new bar is being set for potential damage to critical infrastructure, industrial and government organizations. While the extent of the attacks is not yet known and is still being investigated, many details are becoming available to act upon.
SolarWinds discovered a supply chain attack compromising their Orion business software updates, which distributed malware known as SUNBURST. The sophisticated malware permits an attacker to gain access to network traffic management systems, and the attacker can leverage this access to obtain elevated credentials. This compromise was used to target multiple U.S. government agencies and potentially thousands of SolarWinds customers. For more information on the details of the breach, please see the advisory from the Cybersecurity & Infrastructure Security Agency.
ISSQUARED Inc does not use any SolarWinds products internally. However, we are following the developments of this news closely and ensuring that we validate our processes and environment as new information becomes publicly available.
The security of our products, our partners, and our partner data is of critical importance, and while we have no evidence to suggest that any of our systems are involved or impacted, below are the actions we are proactively taking while this cyber event unfolds:
1. Our Security Operations Center (SOC) will continue to carefully monitor the situation. Regarding the SUNBURST malware, the SOC has taken actions to blacklist the known IOCs related to the compromised files globally on our BitDefender consoles.
2. Although ISSQUARED is not affected by this event, we are considering its impacts to develop our own lessons learned and use them as an opportunity to seek improvements in our processes and controls.
As you can imagine, your executive management as well as your board are acutely aware of the situation by now. They will be asking you at least these questions to assess the situation at your organization:
- Are we impacted?
- Do we have the same problem with other third-party vendors, and how do we know that we do not have a problem?
- How do we gain a level of confidence that we do not have an issue that we do not know about?
ISSQUARED can help you with answering the questions above.
- If you are not using SolarWinds, you are not directly impacted by the compromise. However, that does not mean you have not been compromised. Proactive threat hunting can help determine whether your environment has been compromised.
- A review of your third-party vendor management program can help identify vendors whose compromise could have devastating impacts on your organization.
- A review of your cybersecurity program can ensure that appropriate controls are in place to detect a potential event.
- A review of your cyber incident response procedures can ensure that your organization is capable and prepared to respond to such an event.
Due to the extent of the compromise, we recommend the following steps:
- Shut down or disable the SolarWinds application in your environment until further notice from the Cybersecurity and Infrastructure Security Agency (CISA)
- Block communication from SolarWinds systems
- Engage with your cybersecurity provider to assess the situation
We will continue to provide updates and information as necessary.
As always, if you ever see anything that you suspect may be malicious or fraudulent activity within our products, please report it immediately to our InfoSec team at email@example.com.