Earlier this week, both the Canadian Government and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, issued an emergency directive calling on all federal civilian agencies to review their computer networks for signs of compromise and to disconnect SolarWinds Orion products immediately.
The SolarWinds supply chain compromise, which has affected many governments and government agencies, including the U.S. Treasury and Commerce departments, as well as the security company FireEye, was a “highly sophisticated” attack. It is considered a supply chain attack on the company’s Orion Platform, intended to be narrow, extremely targeted and manually executed. As a result of this incident, the Government of Canada has issued a security incident alert to notify IT professionals and managers of organizations that may be using the SolarWinds platform.
The cyberattacks against the SolarWinds Orion Platform occurred when attackers inserted malicious code into its software update builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. This trojanized the platform and allowed the actors to distribute malware through the legitimate update channel. The campaign may have begun as early as spring 2020 and could still be ongoing. Post-compromise activity uses multiple techniques to evade detection and obscure the actors’ actions, which can include lateral movement and data theft.
In the case of the SolarWinds attack, Wedge can confirm that its WedgeARP solution is built for real-time threat prevention and can stop the transmission of the “Sunburst / Solorigate” trojan malware in real time. All customers are advised to enable the Anti-Malware security policy on their WedgeARP immediately. This will stop the malware from getting into your IT network and systems.
How do you know whether you still have SUNBURST / SOLORIGATE-infected hosts? With WedgeARP’s rapidly updated (zero-day) threat intelligence, customers who license the Wedge Web Filter security function can detect Sunburst / Solorigate-infected hosts. By enabling outbound network security policies for Web Filter, you can detect and block infected hosts’ attempts to send your confidential data to tracked Sunburst C2 servers. Wedge and its threat-intelligence partners update the tracked server lists in real time and on a global scale.
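As an added example, not code from Wedge or from the original notice: a small Python sweep that applies the two checks described above, namely whether an Orion build string is one of the affected versions listed earlier, and which internal hosts in an outbound proxy log contacted a tracked C2 domain. The log layout, the sample lines and the `.invalid` C2 domains are constructed placeholders; a real tracked-server list would come from the threat-intelligence feed.

```python
import re

# Constructed placeholder indicators; a real deployment takes the tracked
# Sunburst C2 list from the threat-intelligence feed, not from this file.
TRACKED_C2_DOMAINS = {"c2-placeholder-1.invalid", "c2-placeholder-2.invalid"}

# Trojanized Orion builds named in the advisory.
AFFECTED_ORION_VERSIONS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Assumed proxy log layout: "<timestamp> <source-ip> <destination-host> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")

# Constructed sample lines in the assumed layout.
SAMPLE_PROXY_LOG = [
    "2020-12-15T10:01:02Z 10.0.5.21 updates.example.invalid 200",
    "2020-12-15T10:01:07Z 10.0.5.21 abc123.c2-placeholder-1.invalid 200",
    "2020-12-15T10:02:11Z 10.0.5.40 notc2-placeholder-1.invalid 200",
    "2020-12-15T10:03:44Z 10.0.5.99 C2-Placeholder-2.invalid. 503",
]


def normalize_version(version: str) -> str:
    """Collapse whitespace and case so '2020.2  hf 1' matches '2020.2 HF 1'."""
    return " ".join(version.split()).upper()


def orion_version_is_affected(version: str) -> bool:
    """True if an Orion build string is one of the trojanized builds."""
    return normalize_version(version) in {normalize_version(v) for v in AFFECTED_ORION_VERSIONS}


def host_matches_tracked(host: str, tracked=TRACKED_C2_DOMAINS) -> bool:
    """Exact or subdomain match only; 'notc2-...' must not match 'c2-...'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in tracked)


def infected_hosts_from_proxy_log(lines, tracked=TRACKED_C2_DOMAINS):
    """Map each source IP that reached a tracked C2 domain to the hosts it contacted."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        if host_matches_tracked(m["host"], tracked):
            hits.setdefault(m["src"], []).append(m["host"].lower().rstrip("."))
    return hits


if __name__ == "__main__":
    for src, hosts in infected_hosts_from_proxy_log(SAMPLE_PROXY_LOG).items():
        print(f"{src}: contacted tracked C2 {', '.join(hosts)}")
```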
To find out more about WedgeARP and the benefits of Real-time Threat Prevention, please contact us at: info@wedgenetworks. Our team will be happy to answer your questions and provide an introduction to the WedgeARP platform.