
FW: Cyber Notification: Active Exploitation of SolarWinds Software Potentially Affecting HPH Sector

    Posted 12-14-2020 03:21 PM

    Hello LHIT, we are aware of the latest emergency directive that was released yesterday by CISA requesting that federal agencies power down SolarWinds products. We reached out to CISA to ask for resources to help connect you to more information. Below please find the latest bulletin from CISA regarding the directive and its impact on the HPH sector.

     

    As a reminder, we will be meeting with HHS ASPR and CISA this Wednesday, December 16, at 1pm ET to discuss the latest cybersecurity threats to HPH during COVID-19. If you have questions for either department ahead of the meeting, please let me know.

     

    We are obviously pinpointing topics that are important during COVID-19. Thank you all so much for your participation, expertise, and work to keep our communities safe. I look forward to hearing from you all!

     

    From: Christl, Thomas (OS/ASPR/SIIM) < >
    Sent: Monday, December 14, 2020 3:06 PM
    To: Angie McPherson <amcpherson@naccho.org>
    Cc: CIP Team Projects < >
    Subject: FW: Cyber Notification: Active Exploitation of SolarWinds Software Potentially Affecting HPH Sector

     

    Good afternoon Angie,

    Here is the bulletin that we just sent out regarding this issue, including the CISA Emergency Directive.

     

    Thank you.

    v/r,

    TJ

     

    CDR Thomas J (TJ) Christl

    U.S. Department of Health & Human Services

    Assistant Secretary for Preparedness & Response (ASPR)

    Office of Security, Intelligence and Information Management

    Division of Critical Infrastructure Protection

     

    From: OS CIP (HHS/OS) <CIP@hhs.gov>
    Sent: Monday, December 14, 2020 3:02 PM
    To: CIP Team Projects <Test964@HHSGOV.onmicrosoft.com>
    Subject: FW: Cyber Notification: Active Exploitation of SolarWinds Software Potentially Affecting HPH Sector


    From: Healthcare & Public Health Sector Alert
    Sent: Monday, December 14, 2020 3:00:20 PM (UTC-05:00) Eastern Time (US & Canada)
    To: OS CIP (HHS/OS)
    Subject: Cyber Notification: Active Exploitation of SolarWinds Software Potentially Affecting HPH Sector

    Healthcare and Public Health Sector Cyber Notification

     


    Healthcare and Public Health Sector Notification 

    Active Exploitation of SolarWinds Software Potentially Affecting HPH Sector

    This email is from the Division of Critical Infrastructure Protection (CIP) within the U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. For more information, e-mail CIP@hhs.gov or to subscribe to our email newsletters, visit our website.


    Traffic Light Protocol (TLP) Designation: WHITE


    TLP: WHITE information may be distributed without restriction.


    The Health Sector Cybersecurity Coordination Center (HC3) has released a Sector Alert on the Active Exploitation of SolarWinds Software Potentially Affecting HPH Sector. On 13 December 2020, FireEye and SolarWinds released security advisories detailing a highly-skilled and highly-targeted manual supply chain attack on the SolarWinds Orion Platform network management system that leverages software updates to deploy a backdoor to victim organizations. SolarWinds Orion is an IT performance monitoring platform that helps organizations manage and optimize their IT infrastructure. The actors behind this campaign have likely gained access to numerous public and private organizations around the world starting as early as Spring 2020. Signatures to detect this threat are available and mitigations are detailed in this alert and should be prioritized. Links to additional resources and information are available at the end of the HC3 Alert. 

    Coordination Call

    The Cybersecurity and Infrastructure Security Agency (CISA) invites you to participate on a call today (December 14, 2020) at 4 pm Eastern addressing active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.

    Date/Time: Monday, December 14, 2020 (4-4:30pm EST)

    Participant Toll Free Dial in Number: 1-800-857-6546 (passcode 9936839)

    International Dial in Number: 1-312-470-7237 (passcode 9936839)


    Analysis

    This supply chain compromise can allow attackers to gain access to victim organizations via Trojanized updates in the SolarWinds Orion Platform. While the attacker's post compromise activity leverages multiple techniques to evade detection and obscure their activity, there are also opportunities for detection. FireEye is tracking this threat actor as UNC2452 and news outlets suggest that APT29, also known as Cozy Bear, is behind the campaign.


    Alert

    On 13 December 2020, FireEye and SolarWinds released security advisories detailing active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. According to FireEye, SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. This Trojanized version of the Orion plug-in has been given the names SUNBURST by FireEye and Solorigate by Microsoft. After an initial dormant period of up to two weeks, it retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.


    Patches, Mitigations & Workarounds

    FireEye has released an advisory with additional details as well as signatures to detect this threat actor and supply chain attack in the wild found on its public GitHub page with detection rules in multiple languages including Snort, Yara, IOC, ClamAV. Additional mitigations include the following:

    • Ensure that SolarWinds servers are isolated/contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
    • If SolarWinds infrastructure is not isolated, consider taking the following steps:
      • Restrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0/crown jewel assets.
      • Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
      • Block Internet egress from servers or other endpoints with SolarWinds software.
    • Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers/infrastructure. Based upon further review/investigation, additional remediation measures may be required.
    • If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected/unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.

    SolarWinds recommends upgrading to Orion Platform version 2020.2.1 HF 1 as soon as possible. An additional hotfix release, 2020.2.1 HF 2, is anticipated to be made available Tuesday, December 15, 2020, and SolarWinds recommends updating to HF 2 once released as this both replaces the compromised component and provides several additional security enhancements.


    DISCLAIMER: This product is provided "as is" for informational purposes only. The U.S. Department of Health and Human Services (HHS) does not provide any warranties of any kind regarding any information contained within. HHS does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking noted above.

    You are receiving this information because you previously signed up for an ASPR CIP mailing list. If you do not want to receive communications from ASPR CIP or the HPH Sector, you can unsubscribe using the link at the bottom of this message. 


    U.S. Department of Health & Human Services, Office of the Assistant Secretary for Preparedness & Response
    200 C Street, SW
    Washington, DC 20024


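As an added example (not part of the bulletin and not HHS, CISA or SolarWinds tooling), the following Python triages an inventory of Orion version strings against the range the alert states, 2019.4 through 2020.2.1, treats 2020.2.1 HF 1 and later as remediated, and maps each host to the mitigation the alert lists. The hostnames and version strings are constructed, and the version grammar it assumes is "YYYY.m[.p] [HF n]".

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class OrionVersion(NamedTuple):
    """Orion build as an orderable tuple; hotfix is 0 when the string has no 'HF n' suffix."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Assumed version grammar: "2019.4", "2020.2.1", "2019.4 HF 5", "2020.2.1 HF 1".
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> OrionVersion:
    """Parse one version string; raise ValueError for anything the grammar does not cover."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Range named in the alert: 2019.4 through 2020.2.1 (no hotfix); 2020.2.1 HF 1 is the recommended fix.
AFFECTED_LOW = OrionVersion(2019, 4, 0, 0)
AFFECTED_HIGH = OrionVersion(2020, 2, 1, 0)
FIXED_FROM = OrionVersion(2020, 2, 1, 1)


def triage_version(text: str) -> str:
    """Return 'affected', 'remediated' or 'outside-range' for one version string."""
    v = parse_orion_version(text)
    if v >= FIXED_FROM:
        return "remediated"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    return "outside-range"


# Recommended actions follow the alert's mitigation list.
ACTIONS = {
    "affected": "isolate host, block all Internet egress, rotate credentials with access, "
                "upgrade to 2020.2.1 HF 1 (then HF 2 once released)",
    "remediated": "apply HF 2 once released; keep egress restricted pending investigation",
    "outside-range": "not in the stated affected range; verify the version string and keep under review",
    "unknown-version": "obtain the installed Orion version from the host and re-run",
}


def triage_inventory(hosts: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each (hostname, version) pair to (status, recommended action)."""
    result: Dict[str, Tuple[str, str]] = {}
    for host, version in hosts:
        try:
            status = triage_version(version)
        except ValueError:
            status = "unknown-version"
        result[host] = (status, ACTIONS[status])
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("orion-prod-01", "2020.2.1"), ("orion-lab-02", "2020.2.1 HF 1"),
              ("orion-dr-03", "2019.4 HF 5"), ("orion-old-04", "2018.4"), ("orion-bad-05", "n/a")]
    for host, (status, action) in triage_inventory(sample).items():
        print(f"{host:14} {status:16} {action}")
```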