The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has released "What Every Leader Needs to Know About the Ongoing APT Cyber Activity," a warning that details the risks associated with advanced persistent threats (APT).
The warning comes after FireEye's discovery that an APT actor has been exploiting SolarWinds Orion software.
During the SolarWinds incident, an APT actor inserted malicious code into Orion software updates, according to CISA. Once these updates were applied, an APT actor could use them to access customer networks.
To date, the APT actor involved in the SolarWinds incident has only targeted certain organizations, CISA stated. However, all organizations that have installed compromised Orion updates remain at risk.
How to Remediate Risk Following the SolarWinds Security Incident
CISA offered the following recommendations to help organizations remediate risk following the SolarWinds incident:
- Determine if your organization has been affected. Evaluate software use to find out if one of the affected versions of Orion is being used or has been used.
- Prioritize incident response and remediation. If an organization is using or has used Orion, its legal, financial and operations personnel should work with cybersecurity professionals to take the proper response and remediation actions.
- Allocate resources appropriately. Empower information security staff to investigate an IT environment for adversary activity.
- Seek additional support. Review CISA guidelines and watch for future guidance relating to the SolarWinds incident.
- Optimize operational security. Ensure advanced security processes and protocols are in place throughout incident response and remediation.
In addition, CISA has created a new Supply Chain Compromise webpage to consolidate all of the resources it has released relating to the SolarWinds incident. CISA also will continue to update the webpage to include new cyber community partner resources.
SolarWinds Statements About Orion Security Incident
Meanwhile, SolarWinds has provided the following updates to partners and customers:
- SolarWinds continues to update a SUNBURST / Orion Security Advisory here;
- A related SolarWinds SUNBURST FAQ about the incident is here;
- The company says SolarWinds MSP tools — widely deployed by managed IT services providers (MSPs) to support SMB customers — were not involved in the breach. But as a precaution, SolarWinds MSP revoked digital certificates for its MSP tools and required customers to digitally re-sign into its products; and
- SolarWinds MSP President John Pagliuca’s statement is here.