When was the last time you checked the hash of an update before applying it? Think about it.
On Sunday evening the US Cybersecurity & Infrastructure Security Agency issued its fifth Emergency Directive since being granted the authority to do so in 2015. Emergency Directive 21-01 requires Federal Civilian Executive Branch agencies using SolarWinds Orion, versions 2019.4 through 2020.2.1 HF1, to disconnect those systems until a forthcoming patch is available.
While the advisory is aimed at US agencies, any company using the Orion Management platform should follow the advice. SolarWinds has issued a security advisory, continuing what is hopefully the new gold standard of transparency and industry cooperation shown by FireEye since their breach last week. SolarWinds indicates a hotfix is anticipated on Tuesday, December 15.
FireEye confirmed last night that the recent spate of attacks leverages a supply chain compromise in which malicious code (now named “Sunburst”) was inserted into legitimate software updates for the Orion software.
We’ve spoken at length about the importance of flowing down security requirements to supply chain partners, but it bears mentioning again. Every company must be especially vigilant when it comes to third-party access to their systems. And that access can take numerous forms. This compromise was particularly tricky. The supply chain access was an update service that worked exactly as it was designed. The vulnerability wasn’t a misconfigured setting or a compromised service account. It was embedded in an update whose underlying function was to improve a system’s security. Talk about a trojan horse!
The technical details on the malware are still forthcoming, but this compromise should bring one thing into clear focus. Your supply chain security measures are one of the most important parts of your security plan. They should not stop at limiting the permissions of service accounts and third-party access. They should also include robust vetting processes that allow validation of updates and other system files.
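One way to make that validation a gate rather than a habit, shown here as an added example and not code from this post or from any vendor: compare every file in a staged update against a SHA-256 manifest obtained through a channel separate from the update itself. The function names, the staging-directory layout and the `sha256sum`-style manifest format are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large update packages never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <relative path>'."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        if len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed SHA-256 for {name!r}")
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def vet_update(staging_dir, manifest_text):
    """Return (ok, findings); ok only if staged files and manifest agree exactly."""
    expected = parse_manifest(manifest_text)
    root = Path(staging_dir)
    staged = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    findings = []
    for name, path in sorted(staged.items()):
        if name not in expected:
            findings.append(("UNLISTED", name))   # file the manifest never mentions
        elif not hmac.compare_digest(sha256_file(path), expected[name]):
            findings.append(("MISMATCH", name))   # content differs from the listed hash
    findings += [("MISSING", n) for n in sorted(set(expected) - set(staged))]
    return (not findings, findings)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:      # constructed sample update
        (Path(d) / "update.bin").write_bytes(b"constructed sample payload")
        manifest = f"{sha256_file(Path(d) / 'update.bin')}  update.bin\n"
        print(vet_update(d, manifest))            # matches the manifest
        (Path(d) / "update.bin").write_bytes(b"tampered")
        print(vet_update(d, manifest))            # reports a MISMATCH
```

A match shows only that the staged files are the ones the manifest describes, so the check is exactly as trustworthy as the channel the manifest came from.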
Keep calm and check those hashes!