Tenable – SolarWinds Backdoor Mitigation Guidance and Tenable Detection Support
On December 13, Reuters broke news of a breach by nation-state actors at two U.S. government agencies, the US Department of Treasury (USDOT) and the National Telecommunications and Information Administration (NTIA). In the hours that followed, it became clear that more organizations across the world, and in various industries, are also being targeted by this attack, which has been linked to SolarWinds® Orion® Platform software builds for versions 2019.4 through 2020.2.1.
The Cybersecurity and Infrastructure Security Agency has released an Emergency Directive indicating that disconnecting affected devices is the only known mitigation at this time. On Sunday evening, SolarWinds released a security advisory for this incident with some initial mitigation recommendations and a hotfix (2020.2.1 HF 1). A second hotfix, which replaces the compromised component, will be released on December 15.
While details have only just emerged, Tenable’s guidance echoes that of Chris Krebs: organizations using the SolarWinds Orion Platform should assume their networks have been compromised and activate existing incident response plans, working with existing in-house information security teams or partnering with an organization that conducts incident response to identify the impact. Tenable customers can use our existing detection plugin (62117) to identify all of the SolarWinds Orion assets in their environment.
Tenable has also released a version check plugin (144198) so that customers can specifically identify the impacted versions of SolarWinds in their environment.
While information and specific mitigation recommendations are still being released, Tenable is committed to keeping customers as informed as possible. We will be updating our Tenable blog post as additional information on this attack and Tenable plugins to identify vulnerable versions of the SolarWinds Orion Platform become available.
For additional guidance, join us at 1pm ET, Wednesday, December 16 for a webinar, Alert – SolarWinds Orion Platform Backdoor.