On Dec 13, 2020, SolarWinds, an IT company that creates software for network management, stated they were investigating an incident that appears to be the product of a “highly-sophisticated, targeted and manual supply chain attack by a nation-state.” SolarWinds said they are in contact with the FBI and that a vulnerability which existed until the March-June 2020 timeframe was leveraged to take advantage of their Orion software product.
The attack is a supply-chain attack in which the adversary leverages the software’s own update mechanism to deliver malicious code to customers. At this time, the SolarWinds attack has been linked to the Treasury Department and FireEye compromises.
Information is being released continuously by those investigating the incidents across the thousands of organizations that use SolarWinds, including governments, militaries, and commercial entities around the world.
As indicators of compromise continue to be released, organizations and their incident response teams should prioritize hunting for adversary behaviors and Tools, Techniques, and Procedures (TTPs) associated with their SolarWinds installs, as that platform could be leveraged as a launching point into their organization.
Participants will learn about:
– The latest information regarding the SolarWinds incident and the mechanics of the supply chain attack.
– Any known detection mechanisms, including IOCs, that have been released at this point.
– How the incident could impact organizations that use SolarWinds and where to begin investigations.
Jake Williams @malwarejake is a SANS analyst, senior SANS instructor and course author. Jake spent more than a decade in information security roles at several government agencies, developing specialties in offensive forensics, malware development and digital counterespionage. Jake is the founder of Rendition Infosec, which provides penetration testing, digital forensics and incident response, expertise in cloud data exfiltration, and the tools and guidance to secure client data against sophisticated, persistent attacks on-premises and in the cloud.
SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – the Internet Storm Center.