Urgent Cybersecurity Alert
The Texas Department of Information Resources (DIR) has asked the Texas Association of Counties (TAC) for help notifying Texas counties of a critical security threat, and of the suggested actions to take to prevent potential breaches in counties. In the event of an incident, contact your cybersecurity coverage provider. If you are a member of the TAC Risk Management Pool (RMP), contact the 24/7 Claims Hotline at (855) 47CLAIM or (855) 472-5246.
More information can be found in the notice from DIR below.
Urgent Notification: Recommended Mitigation of SolarWinds Orion Platform Compromise
DATE: Dec. 14, 2020
The Texas Department of Information Resources (DIR) is aware of active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.
In response, CISA has published an urgent Current Activity Alert: Active Exploitation of SolarWinds Software and Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise," directed at Federal Civilian Agencies, further emphasizing the urgency of this Alert: https://cyber.dhs.gov/ed/21-01/.
At this time, we are not aware of any entities within Texas that have been breached via this method. In alignment with CISA Emergency Directive 21-01, we recommend all instances of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1 be isolated and shut down as soon as possible.
RECOMMENDED IMMEDIATE ACTIONS:
- Immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from your network.
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- If you have the capability, forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1.
- Analyze your network for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
- Configure your anti-malware and intrusion detection and prevention systems to block the following:
  - File hashes:
    - MD5: b91ce2fa41029f6955bff20079468448
    - SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  - Internet Indicators:
    - Domain: acsvmcloud[.]com
    - URL: /swip/Events
    - String: OrionImprovementBusinessLayer
    - Named Pipe: 583da945-62af-10e8-4902-a8f205c72b2e
UNTIL FURTHER NOTICE, WE ALSO RECOMMEND:
- Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
- Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
- Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
- Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:
FOR MORE INFORMATION, VISIT
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
- Microsoft Advisory
REPORTING
In the event of an incident, contact your cybersecurity coverage provider. If you are a member of the TAC Risk Management Pool (RMP), contact the 24/7 Claims Hotline at (855) 47CLAIM or (855) 472-5246.
We also recommend you report to DIR via the ISAO Threat Reporting Form and quarantine the following:
- SolarWinds.Orion.Core.BusinessLayer.dll with a file hash of b91ce2fa41029f6955bff20079468448
- C:\WINDOWS\SysWOW64\netsetupsvc.dll
If you have evidence of impacts related to this issue, please call the DIR OCISO on-call number at 877-DIR-CISO (347-2476).
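The following is an added example, not part of the DIR or TAC notice, showing how a county IT team could sweep file inventory and log exports for the indicators listed under RECOMMENDED IMMEDIATE ACTIONS and REPORTING above. The indicator values are copied from the notice as printed; the sample log lines and file paths are constructed for illustration.

```python
import hashlib
import re

# Indicators copied from the notice above. The domain is printed there
# de-fanged as acsvmcloud[.]com and is used here exactly as printed.
IOC_MD5 = "b91ce2fa41029f6955bff20079468448"
IOC_SHA256 = "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77"
IOC_DOMAIN = "acsvmcloud.com"
IOC_URL_PATH = "/swip/events"          # compared case-insensitively
IOC_STRING = b"OrionImprovementBusinessLayer"
IOC_PIPE = "583da945-62af-10e8-4902-a8f205c72b2e"
IOC_PATHS = {r"c:\windows\syswow64\netsetupsvc.dll"}

# Match the domain, or any subdomain of it, only as a whole label sequence.
_DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(IOC_DOMAIN) + r"(?![\w-])", re.I)


def check_file(path: str, data: bytes) -> list:
    """Return the file indicators matched by a file at `path` with content `data`."""
    hits = []
    if path.lower() in IOC_PATHS:
        hits.append("path:" + path)
    md5, sha = hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()
    if md5 == IOC_MD5 or sha == IOC_SHA256:
        hits.append("hash:" + sha)
    if IOC_STRING in data:
        hits.append("string:" + IOC_STRING.decode())
    return hits


def scan_log_lines(lines) -> list:
    """Flag DNS, proxy or Sysmon pipe-creation lines that carry an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if _DOMAIN_RE.search(line):
            findings.append((n, "domain"))
        if IOC_URL_PATH in low:
            findings.append((n, "url"))
        if IOC_PIPE in low:
            findings.append((n, "pipe"))
        if IOC_STRING.decode() in line:
            findings.append((n, "string"))
    return findings


# Constructed sample log lines (not real telemetry) to exercise the scanner.
SAMPLE_LOGS = [
    "2020-12-14T03:12:08Z dns client=10.4.1.22 query=xyz.acsvmcloud.com type=A",
    "2020-12-14T03:12:09Z proxy client=10.4.1.22 GET https://cdn.example.invalid/swip/Events 200",
    "2020-12-14T03:12:10Z sysmon EventID=17 PipeName=\\583da945-62af-10e8-4902-a8f205c72b2e",
    "2020-12-14T03:13:00Z dns client=10.4.1.30 query=update.example.invalid type=A",
]
```

Any hit from either function is a reason to isolate the host, preserve a memory image and contact the providers named above, rather than to clean and continue.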