On Sunday, December 13th, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, requiring federal civilian agencies to disconnect or power down SolarWinds Orion products because a compromised Orion update was being actively exploited.
The notification can be found here: https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
Compudyne runs an impacted version of the SolarWinds Orion platform.
Approximately an hour after being made aware of this directive, Compudyne restricted internet access for its SolarWinds servers.
Today, Monday, December 14th, Compudyne began following the recommended actions found at https://cyber.dhs.gov/ed/21-01/.
Compudyne has completed both Steps 3a and 3b of the directive, and neither step has shown any indication of compromise.
Regardless, we are taking all necessary precautions. We will follow the Department of Homeland Security’s guidance listed above, including (but not limited to) a complete teardown and rebuild of our SolarWinds environment, and we are engaging our outside security firm to continue evaluating whether there is any evidence of compromise.
Compudyne will continue to update this post to keep our clients informed.
Update 12/14/20 4:15 CST – Security Notice: SolarWinds Orion
At this time, Compudyne does not have any evidence suggesting that our systems were compromised.
- Our SolarWinds instances remain segregated to a sandbox environment
- Multiple AV scans of our SolarWinds instances, using different AV platforms, do not flag any infections
- Compudyne has scanned historical logs of all traffic in and out of Compudyne’s management environments and found no communication with known bad-actor infrastructure related to this incident
Our SolarWinds instances ran in a segregated environment, separated from our corporate environment, Client environments, and other management environments. This separation is intentional, for security reasons.
Out of an abundance of caution, the passwords of all Compudyne team members who had access to SolarWinds have been changed, and we are continuing to implement the DHS recommendations: https://cyber.dhs.gov/ed/21-01/.
Compudyne has kept our SolarWinds instances offline, and they will not be brought back online. We are evaluating the next steps with respect to network monitoring systems. Should we continue to use SolarWinds, it will be with freshly built instances, after we are certain SolarWinds has fully remediated the issue internally.
Update 12/15/20 5:15 CST – Security Notice: SolarWinds Orion
Over the last 24 hours, Compudyne has continued to:
- Scan the impacted systems for signs of compromise with multiple toolsets
- Review IPS, SIEM, and DNS logs for contact with known bad-actor infrastructure
- Ensure there’s no evidence of lateral spread within the segregated environment in which the impacted system ran
The above investigations reveal no evidence of compromise. Regardless, we have followed the extended DHS recommendations. We are continuing to track the incident as added information becomes available. The systems remain offline in a sandbox for investigation, and we have no intention of bringing them back into production. Moreover, we are evaluating our use of SolarWinds products overall, given the nature of the issue.
Update 12/17/20 10:30 CST – Security Notice: SolarWinds Orion
Yesterday afternoon, Compudyne’s SIEM partner informed us that, after further review of communications, our SolarWinds instance was found to have issued DNS requests (also known as “beaconing”) for domains linked to the compromise. This DNS traffic occurred between June 10, 2020, and June 30, 2020.
Only DNS beaconing has been discovered thus far, and it is associated solely with the isolated environment in which our SolarWinds instance ran.
No such beaconing (or any other related traffic) has been discovered in our Client, corporate, or other management environments.
The SolarWinds instances remain sandboxed for forensics and will not be brought online.
Compudyne continues to monitor the situation as additional information becomes available.
Update 12/18/20 5:30 pm CST – Security Notice: SolarWinds Orion
Continued forensics on our sandboxed SolarWinds instances show no signs of infection.
Continued review of SIEM logs has revealed nothing beyond the previously described beaconing.
Continued investigation of potential lateral spread has not uncovered anything.
The malware that shipped inside the trojanized SolarWinds Orion code, known as SUNBURST, has a built-in “killswitch”: when its DNS beacon to the command-and-control domain resolves to an address in certain ranges, the implant terminates and disables itself. The DNS beaconing we found in our DNS and SIEM logs shows that our SolarWinds instance did in fact receive a response that triggered the SUNBURST killswitch.
The background of the killswitch can be found here:
Specifically, in the “Network Command and Control (C2)” section of that document, the subnet 220.127.116.11/24 is listed among the address ranges that act as a killswitch DNS response.
Our SolarWinds instance resolved an avsvmcloud[.]com A record to 18.104.22.168 at 2020-06-30T06:40:48.951033 (UTC); this was the last communication observed to the command-and-control infrastructure.
This appears to indicate that the SUNBURST implant shipped to our SolarWinds installation disabled itself and ceased executing at that time.
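The check described above, and the DNS/SIEM log review described in the 12/15 update, can be reproduced against exported DNS logs. The following is an added example and is not part of Compudyne’s notice or of any SolarWinds or SIEM tooling: it filters resolver logs for queries under avsvmcloud[.]com, tests each A-record answer against the SUNBURST killswitch address ranges, and reports whether the last observed beacon received a killswitch response. The killswitch ranges are transcribed from FireEye’s public SUNBURST analysis and should be verified against that write-up; the log format (“timestamp qname rtype answer”) and the sample log lines are constructed for this example, with made-up subdomain labels and documentation (TEST-NET) addresses for the non-killswitch answers.

```python
import ipaddress
from typing import Dict, List

# Address ranges that, when returned as the A record for a SUNBURST DNS beacon
# (a subdomain of avsvmcloud[.]com), caused the implant to terminate and mark
# itself disabled. Transcribed from FireEye's public SUNBURST analysis; verify
# against that write-up before relying on this list for detection.
KILLSWITCH_RANGES = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
        "20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24",
        "fc00::/7", "fec0::/10", "ff00::/8",
    )
]

C2_DOMAIN = "avsvmcloud.com"

# Constructed sample log (not real Compudyne data) in a simplified
# "timestamp qname rtype answer" format. The avsvmcloud.com labels are made up;
# the answers use TEST-NET documentation addresses except the final one,
# which falls inside the 20.140.0.0/15 killswitch range.
SAMPLE_DNS_LOG = """\
2020-06-10T08:12:03Z madeuplabel0001.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.10
2020-06-10T08:13:40Z updates.example.net A 198.51.100.5
2020-06-19T14:02:11Z madeuplabel0002.appsync-api.eu-west-1.avsvmcloud.com A 203.0.113.44
2020-06-30T06:40:48Z madeuplabel0003.appsync-api.eu-west-1.avsvmcloud.com A 20.140.0.1
"""


def is_killswitch_response(answer: str) -> bool:
    """True if an A/AAAA answer falls inside a SUNBURST killswitch range."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False  # CNAME or other non-IP answer: never a killswitch
    return any(ip in net for net in KILLSWITCH_RANGES)


def is_beacon_query(qname: str) -> bool:
    """True if the query name is the C2 domain or one of its subdomains."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def parse_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse the simplified log format into one dict per answer record."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, rtype, answer = line.split()
        events.append({"ts": ts, "qname": qname, "rtype": rtype.upper(), "answer": answer})
    return events


def triage_sunburst_beacons(text: str) -> Dict[str, object]:
    """Summarise avsvmcloud[.]com beacons and whether the last one hit the killswitch."""
    beacons = sorted(
        (e for e in parse_dns_log(text) if is_beacon_query(e["qname"])),
        key=lambda e: e["ts"],  # ISO-8601 UTC stamps of equal width sort lexically
    )
    if not beacons:
        return {"beacons": 0}
    killswitch_hits = [e for e in beacons if is_killswitch_response(e["answer"])]
    # A CNAME answer is the case to escalate: FireEye reports that SUNBURST used
    # the CNAME returned to a beacon as its second-stage C2 host.
    cname_answers = [e["answer"] for e in beacons if e["rtype"] == "CNAME"]
    return {
        "beacons": len(beacons),
        "first_seen": beacons[0]["ts"],
        "last_seen": beacons[-1]["ts"],
        "killswitch_hits": len(killswitch_hits),
        "last_response_was_killswitch": is_killswitch_response(beacons[-1]["answer"]),
        "cname_answers": cname_answers,
        "non_killswitch_answers": sorted({e["answer"] for e in beacons if e not in killswitch_hits}),
    }


if __name__ == "__main__":
    for key, value in triage_sunburst_beacons(SAMPLE_DNS_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports three beacons between June 10 and June 30, one killswitch hit, and a killswitch response on the final beacon, which is the pattern the notice describes. Two caveats for anyone running this over real logs: a killswitch response only shows that the implant stopped, not that nothing happened during the beaconing window, so the earlier non-killswitch answers and any CNAME answers still need to be examined; and because avsvmcloud[.]com was not sinkholed until December 2020, a killswitch-range answer seen in June came from whoever controlled the domain at that time.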
We will continue to update clients as additional information becomes available.
Update 12/23/20 1:30 pm CST – Security Notice: SolarWinds Orion
At this time, no news is good news.
Compudyne continues to monitor the situation. Continued review shows no signs of compromise to Compudyne or its clients.
We will continue to update clients as new information becomes available.
Final Update 1/20/21 12:30 pm CST – Security Notice: SolarWinds Orion
Continued monitoring and forensics have revealed no evidence of infection outside of the SolarWinds instance itself, which was decommissioned in December.
At this time, Compudyne considers this incident resolved.
As always, please reach out to your Compudyne representative with any questions or concerns.