Webcheck Security has access to several ex-NSA analysts in its managed threat hunting department. The following advice concerning the recent SolarWinds attack comes from one of these key analysts. We recommend reaching out to us to set up a time to discuss the implications for your organization.
First, we recommend quarantining any vulnerable SolarWinds product from your network and, if possible, taking a forensic image to investigate for any indication of compromise before updating to the latest version. Reimaging every operating system that hosts an instance of SolarWinds is recommended.

Second, reset all credentials used by the SolarWinds software, make sure there is a rotation policy for these accounts, and enforce long, complex passwords.

After quarantining and/or reimaging, search your network logs for any device that has called out to the domains this threat actor used as command and control servers, including the domains associated with the TEARDROP second-stage payload.

Moving forward, we strongly recommend using an Intrusion Detection System (IDS) with the latest Snort/Suricata signatures that can detect this threat actor and others. FireEye has published detection signatures here: https://github.com/fireeye/sunburst_countermeasures/blob/main/all-snort.rules There are also excellent Endpoint Detection and Response (EDR) solutions that can detect and block these SolarWinds exploits as well as thousands of other known signatures and signature-less attacks based on malicious behavior.
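The log search recommended above is easy to get wrong with a plain substring grep: defanged indicators written as `domain[.]com` must be refanged, a beacon may be to a subdomain of the listed apex, DNS names vary in case and trailing dots, and a lookalike such as `notc2-one.example` must not fire. The following added example (not Webcheck Security's code) shows a label-aware match over constructed BIND-style query log lines; the indicator domains and log lines are constructed placeholders, not the campaign's IoCs.

```python
import re

# Constructed, defanged indicator list (placeholders standing in for a real C2 list).
DEFANGED_C2 = ["c2-one[.]example", "C2-Two[.]Example"]

def refang(indicator):
    """Normalise a defanged domain ('a[.]b') to lower-case, no trailing dot."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

def domain_matches(queried, c2_domains):
    """Return the C2 apex if `queried` is that domain or any subdomain of it.
    Matching on whole labels avoids the substring false positive on 'notc2-one.example'."""
    labels = queried.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in c2_domains:
            return candidate
    return None

# Constructed DNS query log (BIND query-log layout is an assumption, not from the page).
SAMPLE_LOG = """\
15-Dec-2020 10:01:02.123 client 10.0.5.21#53211: query: api.C2-ONE.example. IN A + (10.0.0.53)
15-Dec-2020 10:01:03.456 client 10.0.5.22#53212: query: notc2-one.example IN A + (10.0.0.53)
15-Dec-2020 10:01:04.789 client 10.0.5.23#53213: query: c2-two.example IN A + (10.0.0.53)
15-Dec-2020 10:01:05.000 client 10.0.5.24#53214: query: www.example.org IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN")

def find_c2_lookups(log_text, defanged):
    """Return (source_ip, queried_name, matched_c2) for each query hitting the list."""
    c2 = {refang(d) for d in defanged}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = domain_matches(m.group("name"), c2)
        if matched:
            hits.append((m.group("src"), m.group("name").rstrip("."), matched))
    return hits

if __name__ == "__main__":
    for src, name, c2 in find_c2_lookups(SAMPLE_LOG, DEFANGED_C2):
        print(f"{src} looked up {name} (matches C2 domain {c2})")
```

Each hit names the internal source address, which is the host to isolate and image; the lookalike and the unrelated query produce no hit.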
To set up a time to discuss enhancing your cyber security posture, please reach out to us at getintouch@WebcheckSecurity.com.