CISA updates on SolarWinds compromise

The Cybersecurity and Infrastructure Security Agency updated its guidance for mitigating the SolarWinds Orion code compromise on Dec. 30.

The supplemental guidance requires federal agencies running versions of the SolarWinds Orion platform that are not considered “affected versions” to use at least SolarWinds Orion Platform version 2020.2.1HF2. According to CISA, the National Security Agency has verified that this version eliminates previously identified malicious code.

“Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020,” the guidance said. CISA plans to follow up with additional clarifications and hardening requirements.

To help agency leaders manage the fallout from the Orion software compromise in enterprise networks, CISA also posted two new resources.

A CISA Insights publication, What Every Leader Needs to Know About the Ongoing APT Cyber Activity, describes the risks to organizations that the advanced persistent threat actor can cause. The immediate danger, CISA said, is that the APT actors can use their access to networks “to create new accounts, evade common means of detection, obtain sensitive data, move across a network unnoticed, and establish additional persistence mechanisms.”

As soon as possible, organizations should determine if they are running one of the affected SolarWinds Orion versions, CISA said, keeping in mind that managed service providers may also have been compromised.

IT staff should be empowered to take actions based on their expertise and to collaborate with internal and external partners. Organizational leadership should ensure security teams have enough support because they may “need to rebuild all network assets monitored by SolarWinds Orion,” CISA said, which will be “a resource-intensive, highly complex, and lengthy undertaking.”

The security agency said it strongly recommends that all organizations investigating and remediating the compromise “share information with those assisting in this massive response effort.”

CISA has also created a new Supply Chain Compromise webpage, where it has consolidated the resources it had already released on the compromise. CISA said it will update the webpage to include partner resources that are of value to the cyber community.

This article first appeared on GCN, a Defense Systems partner site.