Massive SolarWinds Breach Exposes Supply Chain Risks
Published On December 21, 2020
Blog Post by Brian Selfridge, Partner at Meditology Services
Meditology discusses impacts and provides recommendations for healthcare entities
A groundbreaking cyberattack against the Texas-based IT network solutions provider SolarWinds has resulted in unauthorized access to a wide range of government and private sector organizations. The extent, scale, and impact of the attack are still being assessed; however, initial indications are that the attack will have lasting security impacts for months and possibly years to come for organizations including healthcare entities.
According to a security advisory issued by SolarWinds, “this attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software.” SolarWinds and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts and guidance that should be reviewed by all affected organizations.
This blog provides a summary of the attack as well as recommendations for healthcare entities to assess their exposure and take mitigation actions, both for their own organizations and for the third- and fourth-party vendors in their supply chain that may be affected.
The attack leverages a compromise of SolarWinds Orion software updates to create a backdoor into the networks of organizations that run the popular network monitoring solution. The malicious code was embedded in SolarWinds software updates and pushed down to unsuspecting organizations from March through June 2020. The Orion platform is reportedly used by over 18,000 organizations in the public and private sectors.
The attack is being attributed to Russian state-sponsored actors by several sources, although a formal investigation is still underway.
Initial indications are that the majority of impacted entities are US federal and governmental entities. However, several high-profile private sector organizations including FireEye, Microsoft, and VMware have been impacted. Many healthcare organizations use the SolarWinds product, and the impact on healthcare entities specifically is still being assessed.
Microsoft, in particular, has taken aggressive response and mitigation measures following the detection of the attack. Specifically, it has removed the digital security certificates used in the attack, which essentially instructs Windows-based devices not to trust communications from the attackers. It also took over one of the primary network domains used in the attack, a step referred to as creating a “sinkhole” that redirects traffic away from the malicious actors.
What Should Healthcare Entities Do to Respond?
The following is a checklist of activities to perform if you have SolarWinds Orion deployed in your environment:
Near-term Mitigation Steps
1. Validate whether you have SolarWinds, specifically the Orion product, configured in your environment. If so, continue to step 2 below. If not, refer to recommendations 12 through 17 below.
2. If you have the capability and skill sets in house, take a forensic image or snapshot of the operating systems of the host systems running the Orion solution. If such capabilities are not available in the short term, proceed to the other recommendations listed below.
3. Consider a full uninstall or disabling of SolarWinds in your environment if feasible, or if you are uncertain as to your potential exposure. Consider a clean reinstallation of SolarWinds as a new build on the latest software version if you require the software for critical functions.
4. Update the Orion software to the latest patched version immediately if you plan to continue active use of SolarWinds.
5. Reset passwords for service accounts and other credentials used in support of the SolarWinds application and service.
6. Set up monitoring of activity related to SolarWinds accounts and determine whether any abnormal activity has occurred (e.g. connections to unrelated systems and services, or user or system account creation or modification).
7. Establish monitoring of known Indicators of Compromise (IoCs) for the attack. Identify whether any network traffic is going to or coming from known malicious IP addresses associated with the attack. See the SolarWinds alert and CISA alert for the latest IoCs and response activities.
8. If you have indications or concerns of active compromise of your network related to this attack, contract a third-party forensics firm to assess your network and determine the extent and nature of the compromise.
9. Isolate affected systems and other critical systems from the network using firewalls and network segmentation capabilities.
10. Reset local administrative passwords on workstations and servers where feasible.
11. Review privileged accounts and monitor their activity for any abnormal or suspicious behavior; limit privileged accounts and service accounts to the minimum necessary access rights (i.e. reduce the number of domain administrator accounts). Cycle passwords for privileged accounts if you have the software and processes in place to do so safely without adversely impacting production systems.
12. Leverage your third-party vendor risk program to identify vendors that have deployed the SolarWinds Orion platform, and track the updates and mitigation underway to better understand and address any potential exposure to your organization.
Longer-term Mitigation Steps
13. Bolster investments in your third-party vendor risk program; consider augmenting your program with third-party risk technology and managed services support (e.g. via Meditology’s sister company CORL Technologies).
14. Prepare and test your business continuity, disaster recovery, and incident response (IR) capabilities.
15. Conduct enterprise risk assessments, penetration tests, tabletop exercises, and phishing tests on a routine basis, and work your corrective action plans.
16. Require multi-factor authentication for all external network access.
17. Build a robust and comprehensive risk management program aligned with industry standard controls. HITRUST and NIST are the most common frameworks in play for healthcare entities.
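As an added illustration of the two monitoring recommendations above (abnormal SolarWinds service-account activity, and traffic to known IoCs), the following Python script is not part of the original post or of any SolarWinds or CISA material. It assumes a hypothetical Orion service account and baseline hosts, constructed sample events, and placeholder IoC values that must be replaced with the addresses and domains published in the SolarWinds and CISA alerts.

```python
import ipaddress
import json

# Hypothetical baseline: the Orion service account and the hosts it legitimately logs on to.
SERVICE_ACCOUNT = "CORP\\svc_orion"
EXPECTED_HOSTS = {"orion01.corp.local", "orion-db01.corp.local"}

# Windows Security event IDs a monitoring-only service account should never generate.
ACCOUNT_CHANGE_EVENTS = {4720: "user account created", 4722: "user account enabled",
                         4738: "user account changed", 4732: "member added to local group"}

# Placeholder IoCs: replace with the addresses and domains from the SolarWinds and CISA alerts.
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # RFC 5737 TEST-NET-3, placeholder
IOC_DOMAINS = {"placeholder-c2.example"}

def _ioc_hit(dest):
    """True if a destination IP or hostname matches the IoC list (subdomains included)."""
    try:
        ip = ipaddress.ip_address(dest)
        return any(ip in net for net in IOC_NETWORKS)
    except ValueError:
        d = dest.lower().rstrip(".")
        return any(d == dom or d.endswith("." + dom) for dom in IOC_DOMAINS)

def find_anomalies(events):
    """Return (reason, event) pairs for events that break the baseline or touch an IoC."""
    findings = []
    for ev in events:
        eid, actor, dest = ev.get("event_id"), ev.get("subject"), ev.get("dest", "")
        if dest and _ioc_hit(dest):
            findings.append(("traffic to known IoC", ev))
        if actor != SERVICE_ACCOUNT:
            continue
        if eid in ACCOUNT_CHANGE_EVENTS:
            findings.append((ACCOUNT_CHANGE_EVENTS[eid] + " by service account", ev))
        elif eid == 4624 and dest not in EXPECTED_HOSTS:   # 4624 = successful logon
            findings.append(("service account logon to unexpected host", ev))
    return findings

def parse_log(text):
    # JSON-lines export such as a SIEM might produce; blank lines are skipped.
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample events; event 3 is a Sysmon network connection, the rest Windows Security.
SAMPLE_LOG = """
{"event_id": 4624, "subject": "CORP\\\\svc_orion", "dest": "orion01.corp.local"}
{"event_id": 4624, "subject": "CORP\\\\svc_orion", "dest": "fileserver02.corp.local"}
{"event_id": 4720, "subject": "CORP\\\\svc_orion", "dest": "dc01.corp.local"}
{"event_id": 3, "subject": "CORP\\\\svc_orion", "dest": "203.0.113.77"}
"""
```

Running `find_anomalies(parse_log(SAMPLE_LOG))` flags the logon to the unexpected file server, the account creation by the service account, and the connection to the placeholder IoC network, while the routine logon to the Orion host passes.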
We will continue to monitor the attack and provide updates as this situation unfolds. Contact us to learn more about the attack and ways you can protect your organization and third-party supply chain.