Both commercial enterprise and government agencies have been facing off for the last several days against a highly sophisticated attack being propagated through supply chain software. IT company SolarWinds noted recently that monitoring products it released in March and June of this year may have been tampered with in a “highly-sophisticated, targeted and manual supply chain attack by a nation-state.” Hackers reportedly injected malware into SolarWinds Orion network management platform and, according to news accounts, subsequent software updates distributed malware throughout SolarWinds customer base. This attack is believed to have infected all versions of Orion software released between March and June 2020 with SUNBURST malware, a sophisticated backdoor that uses HTTP to communicate with attacker infrastructure. FireEye and Cisco are just some of the high profile companies believed to have been affected by the SolarWinds hack.
U.S. government cybersecurity agencies also warned this week that the attackers behind the SolarWinds hack are believed to have used weaknesses in other, non-SolarWinds products to attack high-value targets. There have been multiple breaches under investigation in the U.S. Treasury and the Department of Commerce. Russian state-sponsored hackers have emerged as the likely perpetrators.
Department of Homeland Security Emergency Directive 21-01
The Department of Homeland Security (DHS) released an emergency directive 21-01 on steps to “Mitigate SolarWinds Orion Code Compromise.” This type of directive applies broadly to Federal Agencies, but does not apply to “national security systems” or to systems operated by the Department of Defense or the Intelligence Community. The security directive notes that the vendor’s products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. The tactics employed allow an attacker to gain access to network traffic management systems.
The Cybersecurity and Infrastructure Security Agency (CISA) states that this exploitation of SolarWinds products “poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.” CISA also notes that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise. Meanwhile, it has provided required actions for Civilian Federal Agencies to follow.
Security of Infoblox Platforms
Infoblox was not impacted by the Sunburst hack and we are not a SolarWinds customer. Further, to defend against other attacks that may mimic the Sunburst hack, we have conducted a comprehensive review of our codebase, our build process, post-build application integrity, and our platform access policies [least privilege/minimal access]. We’ve also evaluated our implementation and use of Duo and other third party software that are believed to have flaws that were exploited as part of this attack, and increased our vigilance with respect to auditing our people, our processes, and our technologies—in the cloud, at the perimeter, and on these critical internal systems. At this time, Infoblox remains confident in the integrity of our enterprise systems and our products that customers rely on to manage their enterprises.
We understand that this was a highly sophisticated attack and all leading vendors should take this as a learning opportunity. Infoblox will apply what we have learned from Sunburst to strengthen our processes to continue to provide safe and effective solutions for our customers. We believe good security hygiene, along with safeguarding people, resources and components that contribute to our product offerings, is the foundation of providing safe solutions to our customers. Infoblox has made a significant investment in US Government and industry certifications including FedRAMP, Common Criteria, FIPS 140-2, DoD Approved Products List, and is pursuing SOC2 and the DoD’s Cybersecurity Maturity Model Certification (CMMC).
Protecting Your Enterprise with Foundational Security
This attack shows that relying on one or two security technologies alone is unlikely to provide protection against sophisticated attacks. In addition to following security best practices such as password rotation, account audits and staying on top of emergency advisories, customers need to use defense in depth for detection and threat containment.
Using a DNS security solution like Infoblox BloxOne Threat Defense as part of a multi-solution architecture to look at all possible threats using any channel including network control protocols like DNS is recommended. When an attack like this happens, BloxOne Threat Defense is designed to detect anomalous behaviors in the network such as malicious communications, advanced persistent threat activity, domain generation algorithm activity, botnet communications, DNS tunneling, and data exfiltration. The solution also integrates with Security Orchestration Automation and Remediation (SOAR) systems, ITSM solutions, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically if any malicious activity is detected.
Updated Threat Intelligence
Infoblox automatically distributed all known indicators related to this attack to all BloxOne Threat Defense customers without any action needed on their part. We will continue to monitor the situation and continue to add more if needed. B1TD also offers customers the flexibility to insert IOCs from other sources into the solution to further strengthen their defenses.
The Value of DDI (DNS, DHCP, IPAM) data and DNS logs
Analyzing historical DNS logs is an effective way to see any network activity over a longer period of time and find out what resources a client has been accessing. DHCP fingerprint and IPAM metadata provide contextual information on affected devices such as type of device, OS information, network location and current and historical IP address allocations. All this data helps with event correlation and understanding the scope of a breach.
To learn more about the SolarWinds Supply Chain Attack, read our Cyber Threat Advisory.
Learn more about DNS security here:
If you have further questions, please reach out to us directly via firstname.lastname@example.org.