As many as 18,000 business customers may be impacted by a high-profile security breach involving the SolarWinds Orion monitoring platform, which is believed to have been attacked by nation-state actors as part of a conspiracy to monitor US government communications.
Your customers may be among those affected by the attack.
AVANT Communications strongly recommends that Trusted Advisors engage with any allied Managed Security Service Providers (MSSPs) to proactively reach out to potentially impacted customers in order to conduct an assessment and mitigate any issues.
The cyberattack inserted a vulnerability within the SolarWinds Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix installed or 2020.2 HF 1. The exposures of corporate assets are believed to be a collateral effect of an espionage attack on multiple US government agencies, including the US military, State Department, Treasury, Commerce Department, and White House.
The attack, which was announced on Sunday, December 13th after it was discovered in connection with the theft of FireEye white-hat hacking tools, is believed to have been initiated by a hacker group that is likely connected to one or more Russian government intelligence services.
The SolarWinds investigations and remediation efforts are still ongoing, and Trusted Advisors should continue to check the Security Advisory Page on the SolarWinds website for updated information. https://www.solarwinds.com/securityadvisory
Although SolarWinds has issued detailed technical instructions at customerportal.solarwinds.com, U.S. government experts are advising that Trusted Advisors temporarily disconnect their customers from SolarWinds Orion, block external traffic to and from hosts, treat all hosts as though they are compromised, look for any newly added accounts, reset credentials, require complex passwords, and complete other remediation requirements.
Please contact your customers to arrange for necessary assessment and mitigation. A full malware scan on suspected hosts is highly recommended, as well as the engagement of the incident response plan and MDR.
As a trusted advisor, you should be the first person contacted by your customer in the midst of a breach or security question. However, at times like these, we recommend that you proactively reach out to your customers to offer necessary assistance. Your AVANT channel manager can provide details designed to help stimulate the necessary level of discussion. For more information, please contact your AVANT channel manager and please register for our January 14th Battle Briefing here.
Known affected products: Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1, including:
- Application Centric Monitor (ACM)
- Database Performance Analyzer Integration Module (DPAIM)
- Enterprise Operations Console (EOC)
- High Availability (HA)
- IP Address Manager (IPAM)
- Log Analyzer (LA)
- Network Automation Manager (NAM)
- Network Configuration Manager (NCM)
- Network Operations Manager (NOM)
- Network Performance Monitor (NPM)
- NetFlow Traffic Analyzer (NTA)
- Server & Application Monitor (SAM)
- Server Configuration Monitor (SCM)
- Storage Resource Monitor (SRM)
- User Device Tracker (UDT)
- Virtualization Manager (VMAN)
- VoIP & Network Quality Manager (VNQM)
- Web Performance Monitor (WPM)
- SolarWinds products believed to be NOT AFFECTED by this security vulnerability:
- 8Man
- Access Rights Manager (ARM)
- AppOptics
- Backup Document
- Backup Profiler
- Backup Server
- Backup Workstation
- CatTools
- Dameware Mini Remote Control
- Dameware Patch Manager
- Dameware Remote Everywhere
- Dameware Remote Support
- Database Performance Analyzer (DPA)
- Database Performance Monitor (DPM)
- DNSstuff
- Engineer’s Toolset
- Engineer’s Web Toolset
- FailOver Engine
- Firewall Security Monitor
- Identity Monitor
- ipMonitor
- Kiwi CatTools
- Kiwi Syslog Server
- LANSurveyor
- Librato
- Log & Event Manager (LEM)
- Log & Event Manager Workstation Edition
- Loggly
- Mobile Admin
- Network Topology Mapper
- Papertrail
- Patch Manager
- Pingdom
- Pingdom Server Monitor
- Security Event Manager (SEM)
- Security Event Manager Workstation Edition
- Server Profiler
- Service Desk
- Serv-U FTP Server
- Serv-U Gateway
- Serv-U MFT Server
- Storage Manager
- Storage Profiler
- Threat Monitor
- Virtualization Profiler
- Web Help Desk
- SQL Sentry
- DB Sentry
- V Sentry
- Win Sentry
- BI Sentry
- SentryOne Document
- SentryOne Test
- Task Factory
- DBA xPress
- Plan Explorer
- APS Sentry
- DW Sentry
- SQL Sentry Essentials
- SentryOne Monitor
- BI xPress