
What do we know so far?

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.

One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products.

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

How does this relate to me?

As this is an ongoing investigation, cybersecurity teams continue to act as first responders to these attacks. We know that customers and partners will have ongoing questions, and we are committed to providing timely updates as new information becomes available.

Based upon our current investigation, we have found no evidence that our SolarWinds MSP product is vulnerable to the supply chain attack. Neither Wendego nor our customers use, or have used, SolarWinds Orion. Please note that SolarWinds' updated security advisory provides additional details and answers to frequently asked questions about this issue, including specific product lists: www.solarwinds.com/securityadvisory.

Key Takeaways
  • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
  • CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise.
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
  • Wendego DOES NOT UTILIZE the SolarWinds Orion product!
  • Wendego ONLY utilizes a single SolarWinds product, SolarWinds RMM. SolarWinds RMM is NOT KNOWN TO BE AFFECTED by this security vulnerability.

Where do we go from here?

As a best practice, and to further enhance the security of our products, we are closely following the guidance of third-party cybersecurity experts from Microsoft and SolarWinds, who are assisting us in these matters and helping us improve our processes and controls. To that end, and to provide additional assurance to all our customers, SolarWinds has made the decision to digitally re-sign all of its products and has requested (and received) a new digital certificate, which reflects a recertification of the authenticity of SolarWinds products, both current and future. New SolarWinds RMM agents signed with the new certificate have already been pushed to end user clients!
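As an added example (not code from this announcement, from SolarWinds, or from Wendego), the following PowerShell lets an administrator confirm on an endpoint that the agent binaries they received are signed, and by which certificate: it walks an install directory, checks each executable's Authenticode signature, and flags anything not valid or not signed by the expected certificate. The install path and the `$ExpectedThumbprint` value are placeholders to be filled in from the vendor's advisory and your own environment.

```powershell
# Added example, not vendor code. Both values below are ASSUMED placeholders:
# set the agent install directory and the certificate thumbprint published by the vendor.
$AgentPath          = 'C:\Path\To\Agent'                   # placeholder install directory
$ExpectedThumbprint = '<THUMBPRINT-FROM-VENDOR-ADVISORY>'  # placeholder, take from the official advisory

# Collect every executable and library under the install path
$files = Get-ChildItem -Path $AgentPath -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File       = $f.FullName
        Status     = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($cert) { $cert.Subject }    else { '' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
        NotBefore  = if ($cert) { $cert.NotBefore }  else { $null }   # issue date of the signing cert
        Expected   = [bool]($cert -and $cert.Thumbprint -eq $ExpectedThumbprint)
    }
}

# Anything that is not Valid, or is signed by a certificate other than the expected one, needs a closer look
$report | Where-Object { $_.Status -ne 'Valid' -or -not $_.Expected } | Format-Table -AutoSize

# Quick summary of signature states across the install directory
$report | Group-Object Status | Select-Object Name, Count
```

A valid status alone only proves the file is signed by some trusted certificate; comparing the thumbprint (and the NotBefore date) against the vendor's published value is what confirms the binaries carry the new certificate.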

Please feel free to reach out to us for any questions or concerns you may have.
