
SolarWinds Orion – How Armis Helps Protect Your Organization
By Nadir Izrael, CTO & Cofounder
This week, SolarWinds disclosed that they had been the victim of a cyberattack earlier this year. SolarWinds acknowledged that the attackers inserted malicious code into certain builds of their Orion Platform software, which were subsequently distributed to many customers. This breach comes on the heels of FireEye’s announcement that it had suffered an intrusion that resulted in the theft of some 300 proprietary software tools the company provides to clients to help secure their IT operations. It is also known that the SolarWinds vulnerability was used to breach FireEye.
Armis Can Help
To identify the presence of the malicious code, it is important to look for anomalous behavior indicative of it. The Armis platform has the ability to look at current and historical traffic patterns and identify connections to command and control (C2) servers used as part of the malicious code's execution. Armis provides continuous monitoring and can detect Indicators of Compromise (IOCs) by identifying traffic to specific IPs or domains known to be C2 servers, such as:
- avsvmcloud.com
- freescanonline.com
- deftsecurity.com
- thedoccloud.com
- websitetheme.com
- highdatabase.com
- incomeupdate.com
- databasegalore.com
- panhardware.com
- zupertech.com
- virtualdataserver.com
- digitalcollege.org
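As an added illustration of the IOC matching described above (this is example code, not Armis's own detection logic), the following matches DNS-query log lines against the C2 domain list. The log format and the sample lines are constructed for the example; it treats any subdomain of a listed domain as a hit, but not a name that merely contains a listed domain as a prefix.

```python
import re
from typing import Iterable, List, Optional, Tuple

# C2 domains from the list above, normalised to lower case.
C2_DOMAINS = {
    "avsvmcloud.com", "freescanonline.com", "deftsecurity.com",
    "thedoccloud.com", "websitetheme.com", "highdatabase.com",
    "incomeupdate.com", "databasegalore.com", "panhardware.com",
    "zupertech.com", "virtualdataserver.com", "digitalcollege.org",
}

# Constructed DNS-query log format (an assumption, not any real product's):
# "<timestamp> <client_ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def is_c2_domain(qname: str) -> Optional[str]:
    """Return the listed C2 domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name down to its parent domains so that
    # "host.avsvmcloud.com" matches "avsvmcloud.com"; splitting on labels
    # means "notavsvmcloud.com" does not.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


def find_c2_lookups(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_c2_domain) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        matched = is_c2_domain(m["qname"])
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits


# Constructed sample log lines; the hostnames are placeholders, not real IOCs.
SAMPLE_LOG = [
    "2020-12-14T10:01:02Z 10.0.5.23 query update.example.com",
    "2020-12-14T10:01:09Z 10.0.5.23 query example-host.avsvmcloud.com",
    "2020-12-14T10:02:15Z 10.0.7.41 query DEFTSECURITY.COM.",
    "2020-12-14T10:02:30Z 10.0.7.41 query deftsecurity.com.example.net",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for client, qname, c2 in find_c2_lookups(SAMPLE_LOG):
        print(f"{client} queried {qname} (matches C2 domain {c2})")
```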
SolarWinds is asking customers with any affected versions of the Orion platform to upgrade as soon as possible to ensure the security of their environment. Armis discovers and classifies every device on the network, and can detect all systems running SolarWinds that exist at any time on the network. Using Armis, customers can search for affected systems to identify which ones are vulnerable and need to be updated. Further, the Armis threat engine has been updated to identify not only SolarWinds but also the FireEye Red Tools.
Moving Forward
The Armis platform can help you quickly find vulnerable systems and create policies that alert you to their presence. With the Armis Simple Query tool, it is simple to find applications such as SolarWinds in your environment. We maintain a history that includes communications information, which is useful for identifying and investigating whether an attack happened in the past. Armis has 100% visibility into everything here: the compromised product, the vulnerability, the activity history of the compromised product, and the attacks themselves, from visibility through detection, investigation and remediation. We can see Orion, we can see whether it is vulnerable, and we can see whether there was an attack, whether there is an attack now, and whether there is an attack in the future.
*** This is a Security Bloggers Network syndicated blog from Armis authored by Nadir Izrael. Read the original post at: https://www.armis.com/resources/iot-security-blog/solarwinds-orion-how-armis-helps/