In December 2020, the world discovered that the SolarWinds Orion Platform had been compromised by cybercriminals, potentially affecting thousands of businesses the world over. Security groups such as the National Cyber Security Centre (NCSC) provided advice and guidance to security teams and IT companies on what actions they should take to minimize the impact on them and their customers.

But the Advanced Persistent Threat (APT) carries with it a worrying subtext that requires further exploration as companies continue to tackle the ongoing issues of a global pandemic and an increasingly fatigued and remote workforce.

Knowledge is power

In the wake of the discovery of the breach, national security agencies such as the NCSC were prompt in providing advice and guidance. Using tools such as the Cyber Information Sharing Programme (CiSP), they shared technical information on how to assess if an organization was at risk and what actions they should take if they were. Following the announcement, SolarWinds provided comprehensive advice and information, which is well worth reviewing as it also provides a detailed ‘FAQ’ section. However, it’s easy for such information to get lost in the midst of the social media hysteria and noise that tends to follow any large-scale attack.

The advice offered by the CiSP includes the following steps:

  • Assess the version of the Orion platform that had been installed
  • Analyze key files (i.e. Solarwinds.orion.core.business.dll) for any malicious alerts
  • Assess if anti-virus software had been disabled
  • Assess DNS logs going back to Q1 2020
  • Identify if you have ‘C:\Windows\SysWOW64\netsetupsvc.dll’ on any servers
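The checklist above, turned into a host-level triage script that gathers the evidence for each step in one pass. This is an added example, not code from the article, the NCSC/CiSP or SolarWinds; it assumes a Windows Server host running PowerShell 5.1 or later with an elevated session, the default Orion install directory shown, and Windows Defender as the local anti-virus product. It embeds no file hashes, because the article quotes none; the hashes it records are for comparison against the vendor's published lists.

```powershell
# Added triage script (assumptions: elevated PowerShell 5.1+, default Orion path,
# Windows Defender as AV). Collects evidence for each checklist step into $Findings.
$OrionDir = 'C:\Program Files (x86)\SolarWinds\Orion'      # assumed default install dir
$Findings = [System.Collections.Generic.List[string]]::new()

# Step 1: installed Orion platform version, read from the standard Uninstall keys.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*Orion*' } |
    ForEach-Object { $Findings.Add("Orion product: $($_.DisplayName) $($_.DisplayVersion)") }

# Step 2: hash and Authenticode status of the business-layer DLL named in the article.
# The wildcard matches the article's spelling and the on-disk name
# SolarWinds.Orion.Core.BusinessLayer.dll. An unsigned or NotSigned/HashMismatch
# status on this file is a finding in its own right.
Get-ChildItem -Path $OrionDir -Filter 'SolarWinds.Orion.Core.Business*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $Findings.Add("DLL $($_.FullName) SHA256=$hash signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)")
    }

# Step 3: has the anti-virus engine been switched off?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $Findings.Add('AV: Defender status unavailable (other AV product or service stopped) - check manually')
} elseif (-not $mp.RealTimeProtectionEnabled -or -not $mp.AntivirusEnabled) {
    $Findings.Add('AV: WARNING - Defender engine or real-time protection is disabled')
} else {
    $Findings.Add("AV: Defender enabled, signatures updated $($mp.AntivirusSignatureLastUpdated)")
}

# Step 4: DNS history back to Q1 2020 lives on the resolvers/log platform, not on this
# host; record which resolvers this host uses so the analyst knows where to query.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses -join ','
$Findings.Add("DNS resolvers in use: $dns")

# Step 5: the dropped file path quoted in the article's checklist.
$Dropped = 'C:\Windows\SysWOW64\netsetupsvc.dll'
$Findings.Add($(if (Test-Path $Dropped) { "WARNING - $Dropped present" } else { "$Dropped not present" }))

$Findings
```

Run it on each Orion server and keep the output alongside the DLL hash comparison; a disabled AV engine or a present netsetupsvc.dll should be escalated to incident response rather than remediated on the spot.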

The advice from the CiSP platform and SolarWinds is that all users of the SolarWinds Orion platform should consider these steps immediately. Of course, these steps should be carried out by technical staff who have experience with the SolarWinds Orion