Cybersecurity Bulletin: Responding to Attack on FireEye and SolarWinds

The recent FireEye and SolarWinds incident, VMware's recent zero-day vulnerability, and other nefarious or suspicious findings have the intelligence community, FBI, NSA, and private-sector cybersecurity firms asking important questions. And only time and prudent investigations will show the true impact of these cases and any relationships between them.

The SolarWinds compromise is thought to have affected a vast array of organizations, both public and private. Major antivirus, endpoint protection, and other cybersecurity product vendors have released indicators of compromise, threat identification strings and signatures to uncover potential malware used within these lateral supply chain attacks. 

The cybersecurity community is also taking action as various U.S. federal agencies are bracing for a potential national impact from these events and are paying attention to critical infrastructure, electricity, nuclear power, defense, government, and the financial sectors. 

IGI's cybersecurity experts will continue to monitor the events as they unfold over the coming days, weeks, and possibly years.

Based on the early findings, it is important to take immediate action:

1. While SolarWinds has released their formal guidance on the situation here (https://www.solarwinds.com/securityadvisory), IGI recommends that if possible, block all SolarWinds affected products and activity in and out of your networks. This will contain related malicious activity and allow your cybersecurity team, along with SolarWinds the opportunity to get control of the situation.
2. Update software packages within the organization across other products, including operating systems, business software systems, production systems, financial systems, authentication systems, and others.
3. Pay close attention to endpoint protection suites and configure them as per best practices. Ensure that these tools are working as intended and set to the most restrictive settings possible.
4. Ensure that external access sources and remote connections such as VPNs, gateways, virtual desktops, and cloud services are locked down with stringent access controls, multifactor authentication, and are hardened and patched. One word of caution: Make sure to verify the source of your security patches. We at IGI expect that the bad-actor community will quickly leverage the panic from this incident to launch new attacks through fraudulent patch updates.
5. Stay up to date on all related threat intelligence sources as this situation develops. Most recently, there has been a lot of speculation and unsubstantiated claims. For more developing news, IGI recommends following these sources:
   1. https://www.cisa.gov/newsroom
   2. https://www.dhs.gov/all-news-updates
   3. https://www.solarwinds.com/certadvisory
   4. https://threatpost.com/

Whether you are an existing IGI Cybersecurity client or partner or new to IGI Cybersecurity, the IGI Cybersecurity team is here to support the needs of the greater community in response to the recent attacks on FireEye, SolarWinds and the organizations they serve and support. IGI Cybersecurity stands in support of these two industry leaders, as we all need to work together to address the bigger challenge.

Finger-pointing and assigning blame in a time of crisis management is not an approach we condone; rather we all should work to find not only better ways to avoid this in the future but also address the challenges at hand. Those of us who work in cybersecurity know that attacks like this are an assault on not only the companies that are targeted, but even more importantly, directly on our fabric of trust as consumers. Let’s keep our resolve, regroup, learn, and address the situation while getting ready to better prepare for the future.

In the event the bad actors decide to implement nefarious campaigns leveraging embedded malware; their attack patterns and lateral movements will likely leverage techniques that we have seen before. In addition to what the cybersecurity community has already mapped, anomalies in behavior, lateral movements, spreading of malware, exploitation of vulnerabilities, and other common secondary attacks could be used and are expected. In light of the increased cyber-activity, it’s important to closely monitor all network activity and take action on any alert.

IGI Cybersecurity is actively working with existing clients to address concerns and respond to suspicious activity. If you are not an existing IGI client and feel you are encountering an incident, a breach, or have questions related to this crisis, please contact IGI at sales@igius.com.

Now is not the time to broker fear. Now is the time to learn, educate and take action.