Over the past few days there have been multiple high-level breaches to platforms like Microsoft Teams, Solarwinds Orion, and companies like FireEye and some government agencies. Going into the holidays, this may be a cause for anxiety for those of you who are charged with defending your company’s networks. While a healthy level of anxiety may be needed to defend properly, I do not want you to lay awake at night or get to the point of feeling hopeless. I scrolled through my Twitter and wanted to consolidate several of the resources I found concerning these breaches and flaws.
Let’s start with Solarwinds since so many people use this network management software (NMS) platform.
What can you do to protect yourself? The Solarwinds advisory is excellent and well written, you can find it here:
If you prefer the Government’s opinion/analysis you can find that here: (read the Required Actions section carefully)
If you want to know what happened and who has been affected, there is some speculation that this was the source of compromise for some of the breaches in the government and at FireEye. It appears that an attacker was able to leverage the update mechanism within Solarwinds to deliver trojanized updates. Inserting trojan software via updates is considered a supply chain attack and could affect all users of the software.
Jake Williams will be giving a more in-depth webinar via SANS later today which you can register for here:
Next let’s delve into MS-Teams which is also a popular platform.
Here’s a write up on Github, by the researcher who discovered it, that contains both an easy-to-read summation and in-depth technical details with a screencast video demonstrating the issue:
Here is another writeup for people who want a shorter summation:
In every write-up of this Teams issue, the following response from Microsoft has been quoted:
“We mitigated the issue with an update in October, which has automatically deployed and protected customers,”
Corporate and governmental breaches are also making for splashy/scary headlines and may be tempting you to be overly scared that you are next or possibly overly comforted that you won’t be breached because your organization is too small or does not have data a hacker might want. I would urge you to take a balanced approach and diligently search for the indicators of compromise (IoCs) that have been published. Additionally, following the guidance on how to mitigate further spread is always a best practice.
Here is a write-up from FireEye on the IoCs:
FireEye developed some Yara rules to detect some of the malware here:
If you’re unfamiliar with Yara, it’s a malware detection tool you can get here:
I always get asked “Who do you think did this?” Attribution gets too much focus as far as I am concerned, and best practices/technical fixes don’t get enough attention.