The Cybersecurity and Infrastructure Security Agency (CISA) added a notice to its advisory to warn about the latest details as the incident management and danger hunting environment focuses on the SolarWinds Orion items as the initial entry point for the assaults. According to the revised warning, “CISA has evidence of additional initial access vectors other than the SolarWinds Orion platform, but these are still under investigation” (PDF). As new information becomes available, the department did not provide further data, but agreed to monitor its correspondence. In its correspondence, the department has reinforced the terminology, identifying the danger as posing a “serious risk” to the federal government and national, provincial, tribal, and territorial governments, as well as vital infrastructure agencies and other organisations of the private sector. Multiple U.S. government departments, vital infrastructure institutions, and private sector companies have been targeted by the recently uncovered threat, suspected to be an intelligence activity by a foreign state-backed actor. In these intrusions, this APT agent has demonstrated patience, organisational security, and nuanced tradecraft. CISA expects it to be incredibly difficult and daunting for organisations to eliminate this threat agent from vulnerable environments,” CISA noted. An emergency memorandum directing federal civilian executive branch offices and organisations to disable affected equipment has been released by the U.S. government. Many of the new CISA warning’s additional highlights include:
The supply chain breach of SolarWinds Orion is not the only original infection vector that this APT agent leveraged. Not all organisations that have delivered the backdoor by SolarWinds Orion have been threatened with follow-on actions by the adversary. Organizations of alleged compromises, particularly when engaged in incident management operations and preparing and executing remediation strategies, ought to be highly mindful of internal protection.
Earlier today, it was announced that one of the pieces of malware distributed by threat actors as part of the attack targeting SolarWinds and its customers has been detected and triggered by a killswitch. Several U.S. government agencies and according to FireEye, several government, technology, consulting, extractive and telecom industry organisations in North America, Europe, the Middle East and Asia are the victims of the supply chain attack. Symantec, which also investigated the threat, said it had found more than 100 customers with Trojan malware upgrades on over 2,000 machines.