Information Security

  • 1.  SolarWinds Hack - List of impacted customers

    Posted 12-14-2020 11:35 PM
    Hi,

    The SolarWinds hack has impacted approximately 18,000 of its customers (those using the vulnerable versions of the Orion product). Does anyone know if the list of 18,000 potentially impacted customers has been made public? Although my company has not been directly impacted, I would like to know if any of our third parties have.

    More info here: SEC filings: SolarWinds says 18,000 customers were impacted by recent hack | ZDNet


  • 2.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 11:01 AM

    Following up on Carlos' email to see if a list of impacted suppliers was published yet. We don't think we were directly impacted either but want to do more due diligence on our third/fourth party suppliers. At the very least, we may contact our critical suppliers to see if they were impacted. Is anyone taking a similar approach? Appreciate any insight. Happy holidays!




  • 3.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 01:59 PM

    Dave -

    I would not expect Solarwinds to release a list of affected customers. If you were one of their customers, you would not want your vulnerability advertised all over the Internet for bad actors to see.

    It is possible to pull some high-profile logo lists from the Internet Archive / Wayback Machine, for instance from this URL (which has been pulled since Mon): https://www.solarwinds.com/fr/company/customers

    However, I would caution you that the list of customers is over 330,000, many of which did not use the Orion network management software. Solarwinds stated that 18,000 of the 33,000 Orion customers had downloaded the infected versions of the software. So you can't be sure from any public list who may have been actually infected.

    I think the only thing you can do is reach out to your most critical vendors and ask them whether they were impacted and if so, what remediation they have put in place. If they are software developers, you can ask them about their code handling and code signing practices to ensure they have good hygiene in place.




  • 4.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 02:57 PM

    Thanks. Good insight. We're getting an ORT stood up to look at this more and will take these ideas into account.




  • 5.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 03:17 PM

    Hi Kate,

    Sound advice!

    "I think the only thing you can do is reach out to your most critical vendors and ask them whether they were impacted and if so, what remediation they have put in place. If they are software developers, you can ask them about their code handling and code signing practices to ensure they have good hygiene in place."

    Larry Timmins

    Senior Technical Project Lead, PMP
    Information Technology



  • 6.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 03:02 PM

    Thanks for starting this topic. It raises the question of whether we really have the tools, context and contacts to respond quickly when it comes to specific risks and our third parties.

    Still, the most important question remains (knowing where your nonpublic information is as well as who has access to it):
    Whether you have the relationship where you can easily (electronically, phone, email, community) make them aware that you want to know if they use this software and can get a response much sooner than the previous SLAs your cybersecurity onboarding might have communicated.

    Key questions: do you need to reach out to all third parties to see whether they use Orion? How do you update your onboarding and potentially your contracts to be sure you can?

    Most recent response today - Regulators getting ahead of risk
    ========================================================

    RAISING THE BAR:

    I was very happy to see regulators were responding to get a clear picture of the risk to covered entities and their affiliates so soon:

    Today at 1pm, our regulator asked for immediate notice (as opposed to the normal 72 hour window to notify) if anyone was affected.

    "You should notify the Department if your institution was directly impacted by the affected SolarWinds Orion products or if your institution has been notified of an impact by any affiliate who has access to your network or your nonpublic information.  ...  Given the sophistication and persistence of the malware and the adversary, we ask any affected institution to file a notice immediately.  Instructions on how to file notice of a Cybersecurity Event and specific information requested as part of this incident are detailed below."

    So ask yourself: how do those covered by the regulator know if a third party (fourth party) that matched the regulator's definition of AFFILIATE would have used SolarWinds? How do you carry out that questioning or interview? Does your existing onboarding capture or even consider product-specific risks?

    Another point, reading the highlighted text above: if you haven't been notified, do you need to reach out to all third parties to see whether they use Orion?


    Monitoring of this Event
    ===============================

    For instance, Dec 14th was the date that I got an alert from this community, as well as reading alerts from four threat intelligence sources.

    A day later we sent out confirmation that we did not have the product (we had used some legacy SolarWinds products for years up to 2018, so I knew we had a hit, in that we have/had that vendor relationship).

    Each day, I received updates from this community and approximately 12 other sources.

    Earlier today, one vendor that DOES NOT USE SOLARWINDS ORION SENT THE FOLLOWING "FAQ".

      Q1) Does {this third party vendor} use SOLARWINDS?
      [A. No. {Vendor} does not have SolarWinds deployed as part of their infrastructure]

      Q2) What has [this third party vendor] done in response to this threat?
      [A. They engaged their own SOC and threat hunting teams to find any signs of the threat using 'specially crafted analytics' and (a) ensured any network intrusion detection was updated; (b) updated vulnerability tools and conducted scans anyway wherever potentially vulnerable assets or nonpublic information were; and (c) actively monitor for any new signatures while following this threat, to be placed into the processes that govern (a) and (b).]

      Q3) Where should we go for more information?
      [A. They responded with a common knowledge base article that any customer who knows how to search can find.]

        Plus ample information including phone numbers and a way to open a ticket if anyone had questions or needed guidance.

    TAKE AWAY:
    ==================

    1. While our Cybersecurity Questionnaire identifies name and contact information, could they get us a focused answer (do you use SolarWinds Orion?) across all their entities that provide us services?

    2. Do we need to expand our questionnaire to require a means to question whether a vendor has a product or feature that has high cybersecurity risk? How can this be done confidentially?

    3. Regulators are clearly taking advantage of the 72-hour notice requirements -- which is good to see taxpayer money at work.




  • 7.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 03:17 PM

    FYI...For your reading pleasure.
    Kim Beesler,

    Vice President/MIS Specialist

  • 8.  RE: SolarWinds Hack - List of impacted customers

    Posted 12-18-2020 04:50 PM

    Here's a partial list of Solarwinds customers from Krebs on Security…

    https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/




  • 9.  RE: SolarWinds Hack - List of impacted customers

    This message was posted by a user wishing to remain anonymous
    Posted 01-26-2021 03:28 PM

    We reached out to our High Risk/Tier 1 Vendors to determine if they had 1) reviewed their organization to determine exposure, 2) identified if they were using the impacted software, and 3) identified any indicators of compromise, and requested an immediate response.