The SolarWinds Attack: Guide to an Effective Defense

Next story

During the recent holiday season, organizations relying on the SolarWinds Orion platform for network monitoring and management received a most unwelcome gift: news that this key piece of their infrastructure had been compromised.

On Dec. 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) announced the active exploitation of versions of SolarWinds Orion released between March and June of 2020 and declared that emergency action was needed. Threat actors had succeeded at inserting malicious code into updates SolarWinds pushed out to its customers. CISA stated that the attackers could gain access to, and privileges over, highly sensitive information if left unchecked.

The impact of this incident cannot be understated. SolarWinds users include many Fortune 500 companies and a number of very large government agencies. These agencies include the U.S. departments of Treasury, State, Commerce, Homeland Security and Energy—the latter of which includes the National Nuclear Security Administration, which is responsible for the U.S. nuclear weapons stockpile. SolarWinds reported that in all, 18,000 customers were impacted. The Washington Post has reported that the elite Russian hacking team known as APT29 or Cozy Bear is behind the attack and that they have had a foothold in the affected networks since March 2020.

ESET added detection for this exploit immediately—within a single day of CISA’s Dec. 13 announcement.  We also advised managed service providers and other channel partners so they could take the proper steps to protect their customers. On Dec. 16, ESET published a product support page informing our customers that ESET protects against the SolarWinds exploit code, known as MSIL/SunBurst.A

What ESET customers should know

To maximize your protection, we recommend the following steps:

Apply hotfixes as soon as possible. As noted above, ESET products protect against all known variants of MSIL/SunBurst.A. However, we also recommend following the guidance from SolarWinds, CISA and others, which is to disconnect the affected products until you apply the hotfixes from SolarWinds that remove the vulnerability.

Keep your ESET products updated. Verify that you are running the latest product modules, and confirm that the latest modules are installed on your ESET product. Your ESET product will check for module and DNA detection updates every hour, provided you have a valid license and a working internet connection.

Keep ESET LiveGrid® enabled. New versions of malware are released frequently. ESET LiveGrid draws information from threats around the world, and when enabled, automatically creates new detection mechanisms. It can detect and block the most recently introduced threats—in most cases, before hourly updates become available. Learn more about ESET LiveGrid and how to make sure it is enabled in your ESET product.

Don’t change the default settings of your ESET product. The default configuration maximizes the protection afforded by your ESET software. We recommend not overriding the settings unless instructed to do so by ESET Technical Support.

Implement other security best practices.  Download and install the latest security patches for your operating system and applications. Back up your important data regularly. Take these and other steps to minimize the risk of malware attack.

ESET products that offer SolarWinds exploit protection

The following ESET products automatically detect, prevent execution, and clean or delete the known variants of MSIL/SunBurst.A.

ESET business products
Our core products for Windows, macOS and Linux include:

  • ESET Endpoint Security
  • ESET Endpoint Security
  • ESET File Server for Windows
  • ESET Mail Security for Exchange
  • ESET Security for Microsoft SharePoint Server
  • ESET File Security for Linux

In addition, ESET Enterprise Inspector is an Endpoint Detection and Response (EDR) tool that can be used in conjunction with our endpoint protection solutions. It monitors and evaluates all the activities happening in the network in real time and allows you to take immediate action if needed.

Our new product release, ESET PROTECT, includes business bundles that feature advanced protection against ransomware and zero-day exploits, along with your choice of security management in the cloud or on-premises. Learn more about ESET PROTECT Advanced, suitable for businesses of all sizes, here.

ESET home products
Our core products for Windows, macOS and Linux include:

  • ESET Smart Security Premium
  • ESET Internet Security
  • ESET NOD32 Antivirus
  • ESET Cyber Security
  • ESET Cyber Security Pro

More about supply chain attacks

Attacks that inject themselves into manufacturing or distribution processes are commonly referred to as supply chain attacks. The SolarWinds incident illustrates the far-reaching impacts that this method of injecting and spreading malware can have. To learn more about these types of attacks, see this list of articles written by ESET researchers as part of our WeLiveSecurity blog.

Nobody knows what endgame the attackers have in mind. That large enterprises and sensitive government agencies have had malware planted on their systems is a concern for all, but smaller businesses using the SolarWinds Orion platform face unknown and potentially great risks as well. Regardless of size, we encourage you to take all of the steps above to protect your organization.