After Russian hackers allegedly weaponized SolarWinds Orion business software updates, the Department of Homeland Security’s cybersecurity wing made an extremely rare and dramatic move: the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal agencies to immediately power down SolarWinds Orion management tools to protect against a worldwide, active exploit.
CISA, the nation's central cybersecurity agency, said in the directive that it has “determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.” In addition to shutting off SolarWinds Orion, the order also requests that all agencies examine their networks for “indicators of compromise.”
CISA Acting Director Brandon Wales, whom President Trump appointed to the post after firing former director Christopher Krebs, said the agency’s public and private sector partners should “assess their exposure to this compromise and secure their networks against any exploitation.” There is a pointed urgency to CISA’s directive: agencies running SolarWinds products were asked to inform CISA that they have completed the shutdown by Monday, December 14, 2020. It’s not clear how many agencies, or which ones, have complied so far.
CISA Order and SolarWinds' Guidance
The order informed agencies to wait for “further guidance” from CISA regarding any new patches for the vulnerabilities before reinstalling the SolarWinds software. It also asked agencies to refer to the MITRE ATT&CK framework for possible “tactics the threat actors are using to maintain persistence in the environment.”
The emergency directive remains in effect until all agencies have "applied the forthcoming patch" or the directive is terminated through other appropriate action.
CISA Order: Deeper Details
Here’s CISA’s directive for agencies:
- Forensically image system memory and/or host operating systems hosting all instances of affected SolarWinds Orion versions.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts have had connections.
- Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain.
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
- Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
- Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
- Reset all credentials used by or stored in SolarWinds software; such credentials should be considered compromised.
- Require use of long and complex passwords (greater than 25 characters) for service principal accounts and implement a good rotation policy for these passwords.
- CISA will continue to work with our partners to monitor for active exploitation associated with this vulnerability. CISA will release additional indicators of compromise as they become available.
- CISA will provide additional guidance to agencies via the CISA website, through an emergency directive issuance coordination call, and through individual engagements upon request (via [email protected]).
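One way to carry out the traffic-analysis step in the list above (looking for new external DNS domains that only a small number of agency hosts have contacted), as an added example that is not part of CISA's directive or of this article. The three-field resolver log format, the sample log lines and the baseline domain set are all constructed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines: timestamp, client host, queried domain.
# The format is hypothetical; adapt parse_dns_log() to your resolver's real log schema.
SAMPLE_DNS_LOG = """\
2020-12-13T10:01:02Z host-a01 updates.microsoft.com
2020-12-13T10:01:05Z host-a02 updates.microsoft.com
2020-12-13T10:02:10Z host-a03 updates.microsoft.com
2020-12-13T10:03:44Z host-a07 login.contoso.example
2020-12-13T10:04:01Z host-a07 rare-cdn.example.net
2020-12-13T10:04:30Z host-a09 rare-cdn.example.net
2020-12-13T10:05:12Z host-a01 intranet.agency.local
2020-12-13T10:06:00Z host-a02 intranet.agency.local
2020-12-13T10:07:19Z host-a11 totally-new.example.org
"""

# Constructed baseline: domains already seen in historical traffic before the incident window.
BASELINE_DOMAINS = {"updates.microsoft.com", "login.contoso.example", "intranet.agency.local"}
# Suffixes treated as internal (not "external to the enterprise").
INTERNAL_SUFFIXES = (".local",)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (host, domain) pairs from the constructed log format; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip(".")


def rare_new_domains(text, baseline, max_hosts=3, internal_suffixes=INTERNAL_SUFFIXES):
    """Return {domain: sorted hosts} for external domains absent from the baseline
    that were contacted by at most max_hosts distinct hosts. These are triage
    candidates, not confirmed indicators; each still needs analyst review."""
    hosts_by_domain = defaultdict(set)
    for host, domain in parse_dns_log(text):
        if domain in baseline or domain.endswith(internal_suffixes):
            continue
        hosts_by_domain[domain].add(host)
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) <= max_hosts}


if __name__ == "__main__":
    for domain, hosts in sorted(rare_new_domains(SAMPLE_DNS_LOG, BASELINE_DOMAINS).items()):
        print(f"{domain}: {len(hosts)} host(s) -> {', '.join(hosts)}")
```

Lower `max_hosts` to tighten the filter on a large estate, and feed the flagged domains into the same review queue as the published indicators of compromise.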