Analysis & Insights

The Situation

A widespread campaign by a nation-state actor involving SolarWinds was uncovered by FireEye recently. The campaign used a trojanised version of SolarWinds Orion updates, which was digitally signed between March and May 2020, and uploaded to the SolarWinds’ update website. At least two top vendors were breached, and this incident has serious implications to the cybersecurity industry, its supplier chains and organisations using the affected products.

Our Commitment

The situation is fast evolving as details of the breach are being announced and more affected parties are made known. Ensign will continue to keep a close watch and provide relevant insights and recommendations to the community. Throughout this year-end festive period, Ensign continues to be available to clients who require assistance on any cyber-related matters.

Our Actions

Ensuring our customers are secured - Security of our clients is key

• We have updated our detection capabilities based on the latest IOCs published, and we have compressed our SOC process to review and update such detection rules to keep pace with the rollout of such information.
• We have informed customers who are known to be affected by the incident, and we will stand ready to provide any assistance required.

Securing Ensign

• We have conducted internal threat hunt and reviewed our defences to ensure that we have eradicated known vulnerabilities in our environment.
• We have coordinated with our regional offices to step up on efforts in terms of threat detection and client support.

Enhanced Monitoring

• We are stepping up our SOC operations to keep tabs of the evolving situation and handle any response actions required.
• Deep analysis is ongoing to uncover attack trends, patterns and TTPs (tactics-techniques-procedures) - these insights will be shared when ready.

Our Recommendations

• For our clients who are using the affected versions of Orion Platform, we recommend that you update to the latest version as advised by SolarWinds. If an update to the system is not possible, we advise you to disable and isolate all applications related to Orion Platform from your network until a solution is available.
• Update your anti-virus and endpoint protection applications as AV vendors are actively pushing out updates related to this incident. Microsoft is also pushing out updates to Windows Defender based on FireEye and their findings.
• We advise that you incorporate the recommendations, as well as the rules and IOCs provided by Microsoft and FireEye wherever possible to safeguard your environment.
• Please refer to the following links for more in-depth recommendations: 
• CISA - https://us-cert.cisa.gov/ncas/alerts/aa20-352a
• Microsoft - https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
• FireEye - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

As investigations are underway, we are expecting additional malware and TTPs to be uncovered. We will continue to provide updates on the incident, and inform you about additional rules and IOCs.

If you suspect that you could have been affected by the incident, you can contact us at marketing@ensigninfosecurity.com, or call us for digital forensic and incident response services.