The SolarWinds code compromise has become one of the biggest cybersecurity stories as the year comes to an end. In short, SolarWinds Orion products were actively exploited by malicious actors. The breach was a supply-chain attack: the actors tampered with the Orion build process so that a backdoor shipped to customers inside legitimately signed software updates, which is what made it so hard to spot. Because many United States government agencies run SolarWinds Orion, the Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) has issued an emergency directive on the SolarWinds Orion breach.
Emergency Directive 21-01 was released on Dec. 13, 2020, to limit the compromise of federal agency networks. The directive rests on Section 3553(h) of title 44, U.S. Code, which authorizes DHS to take drastic action “in response to a known or reasonably suspected information security threat.” CISA’s Emergency Directive 21-01 imposes a number of immediately effective required actions, including the following:
Forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze for new user or service accounts, privileged or otherwise... Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections... Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain.
The directive also requires agencies to treat any host running or monitored by SolarWinds Orion as compromised, and to assume that further persistence mechanisms have been deployed. Beyond that, it requires that all credentials used by or stored in the SolarWinds software be reset, so that the actors cannot simply reuse what they harvested. CISA intends to keep Emergency Directive 21-01 in force until one of two circumstances comes to pass: either all affected software is patched and determined to be secure, or CISA cancels the directive through a rather vague “other appropriate action.”
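Two of the hunt steps quoted from the directive above (look for new or newly privileged accounts; look for external DNS domains that only a handful of hosts have contacted) can be run over exported logs. The Python below is an added example written for this page, not CISA's or SolarWinds' tooling. The log formats, host names, domains and event samples are constructed, and the two-host threshold, the baseline of known domains and the internal DNS suffix are assumptions a team would tune to its own environment.

```python
"""Two ED 21-01 hunt steps over constructed log samples.

Added example for this page, not CISA or SolarWinds tooling. Log formats,
hosts, domains, event samples and thresholds are constructed/assumed.
"""
import shlex
from collections import defaultdict

# Constructed DNS resolver log, one query per line: "<timestamp> <client host> <query name>".
DNS_LOG = """\
2020-12-13T03:01:10Z nms01.corp.example abc123.cdn.example.net
2020-12-13T03:01:11Z ws-104.corp.example www.example.com
2020-12-13T03:01:12Z ws-221.corp.example www.example.com
2020-12-13T03:01:15Z nms02.corp.example k9f2.cdn.example.net
2020-12-13T03:02:01Z ws-104.corp.example login.corp.example
2020-12-13T03:02:09Z ws-330.corp.example www.example.com
2020-12-13T03:03:40Z nms01.corp.example api.example.org
"""

# Assumed baseline: external domains the agency already saw before the incident window.
KNOWN_DOMAINS = {"example.com", "example.org"}
# Assumed internal namespace; queries for it are not "external".
INTERNAL_SUFFIXES = (".corp.example",)


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.

    Simplification: multi-label public suffixes (e.g. co.uk) need a public-suffix
    list; two labels are enough for the constructed sample.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rare_external_domains(log, known=KNOWN_DOMAINS, internal=INTERNAL_SUFFIXES, max_hosts=2):
    """Return {registered domain: sorted hosts} for external domains that are not in
    the baseline and were queried by at most `max_hosts` distinct hosts.

    Grouping by registered domain is deliberate: a beacon that uses a different
    subdomain per host would otherwise appear as many one-off names instead of
    one shared parent domain.
    """
    hosts_by_domain = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        _ts, client, qname = parts
        if qname.lower().endswith(internal):
            continue
        domain = registered_domain(qname)
        if domain in known:
            continue
        hosts_by_domain[domain].add(client)
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) <= max_hosts}


# Constructed Windows Security events flattened to "<timestamp> key=value ...".
# 4720 = user account created; 4728/4732 = member added to a security-enabled group.
SECURITY_LOG = """\
2020-12-10T22:14:03Z EventID=4720 TargetUserName=svc_orionsync SubjectUserName=SOLARWINDS$
2020-12-11T01:30:12Z EventID=4728 TargetUserName=svc_orionsync TargetGroup="Domain Admins" SubjectUserName=svc_orionsync
2020-12-11T09:00:00Z EventID=4624 TargetUserName=jdoe SubjectUserName=-
2020-12-12T15:45:50Z EventID=4720 TargetUserName=contractor7 SubjectUserName=helpdesk1
"""

ACCOUNT_EVENTS = {"4720": "account created", "4728": "added to global group", "4732": "added to local group"}


def account_changes(log, since):
    """Return account creations and group additions at or after `since`.

    Timestamps are ISO 8601 UTC strings, so plain string comparison orders them
    correctly. Each finding is a dict for the analyst to review.
    """
    findings = []
    for line in log.splitlines():
        tokens = shlex.split(line)  # handles quoted values such as "Domain Admins"
        if not tokens or tokens[0] < since:
            continue
        fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        event_id = fields.get("EventID")
        if event_id in ACCOUNT_EVENTS:
            findings.append({
                "time": tokens[0],
                "event_id": event_id,
                "what": ACCOUNT_EVENTS[event_id],
                "target": fields.get("TargetUserName"),
                "group": fields.get("TargetGroup"),
                "by": fields.get("SubjectUserName"),
            })
    return findings


if __name__ == "__main__":
    for domain, hosts in rare_external_domains(DNS_LOG).items():
        print(f"rare external domain {domain}: {', '.join(hosts)}")
    for f in account_changes(SECURITY_LOG, since="2020-12-10T00:00:00Z"):
        print(f"{f['time']} {f['what']}: {f['target']} {f['group'] or ''} by {f['by']}")
```

On the constructed sample, the only rare external destination is example.net, reached by the two monitoring servers via differently named subdomains, which is exactly the pattern the directive asks agencies to look for; the account pass surfaces a service account created by the SolarWinds machine account and later added to Domain Admins by itself. In a real hunt the baseline would come from DNS logs predating the affected Orion versions, and the findings would be reviewed against the forensic images the directive requires rather than acted on from logs alone.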
Not surprisingly, the SolarWinds Orion breach incident is a rapidly developing story. We will be keeping an eye on any major developments.