Urgent Cybersecurity Alert
The Texas Department of Information (DIR) has asked the Texas Association of Counties (TAC) for help notifying Texas counties of a critical security threat, and of suggested action to take to prevent potential breaches in counties. In the event of an incident, contact your cybersecurity coverage provider. If you are a member of the TAC Risk Management Pool (RMP), contact the 24/7 Claims Hotline at (855) 47CLAIM or (855) 472-5246.
More information can be found in the notice from DIR below.
Urgent Notification: Recommended Mitigation of SolarWinds Orion Platform Compromise
DATE: Dec. 14, 2020
The Texas Department of Information Resources (DIR) is aware of active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which was released between March 2020 through June 2020.
In response, CISA has published an urgent Current Activity Alert: Active Exploitation of SolarWinds Software and Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise," directed at Federal Civilian Agencies, further emphasizing the urgency of this Alert: https://cyber.dhs.gov/ed/21-01/.
At this time, we are not aware of any entities within Texas that have been breached via this method. In alignment with CISA Emergency Directive 21-01, we recommend all instances of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1 be isolated and shut down as soon as possible.
RECOMMENDED IMMEDIATE ACTIONS:
- Immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from your network.
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- If you have the capability, forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1.
- Analyze your network for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
- Configure your anti-malware and intrusion detection and prevention systems to block the following:
- File hashes:
- MD5: b91ce2fa41029f6955bff20079468448
- SHA256: 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
- Internet Indicators:
- Domain: acsvmcloud[.]com
- URL: /swip/Events
- String: OrionImprovementBusinessLayer
- Named Pipe: 583da945-62af-10e8-4902-a8f205c72b2e
UNTIL FURTHER NOTICE, WE ALSO RECOMMEND:
- Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
- Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
- Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
- Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:
FOR MORE INFORMATION, VISIT
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
- Microsoft Advisory
In the event of an incident, contact your cybersecurity coverage provider. If you are a member of the TAC Risk Management Pool (RMP), contact the 24/7 Claims Hotline at (855) 47CLAIM or (855) 472-5246.
We also recommend you report to DIR via the ISAO Threat Reporting Form and quarantine the following:
- SolarWinds.Orion.Core.BusinessLayer.dll with a file hash of b91ce2fa41029f6955bff20079468448
If you have evidence of impacts related to this issue, please call the DIR OCISO on-call number at 877-DIR-CISO (347-2476)