Educause Security Discussion mailing list archives
Re: Solarwinds Compromise
From: Alex Keller <axkeller () STANFORD EDU>
Date: Tue, 15 Dec 2020 18:57:52 +0000
While admittedly a little confusing, please note that the IPs listed in the FireEye deep dive (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) under "Network Command and Control (C2)" are NOT the actual C2 servers but rather IP ranges hard coded into the malware that tell it NOT to execute if installed on a host in that range. Considering these include legitimate Microsoft ranges, the running theory is that the attackers were seeking to avoid detection within specific IP spaces they deemed risky.

20.140.0.0/15 (Microsoft)
96.31.172.0/24 (Tierpoint/Microsoft Solution Provider)
131.228.12.0/22 (Nokia)
144.86.226.0/24 (Microsoft)

Best,
Alex

Alex Keller
Stanford | Engineering Information Technology
axkeller () stanford edu
(650)736-6421

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake Brown
Sent: Tuesday, December 15, 2020 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Solarwinds Compromise

I added the following IOC's to an ACL in our FMC. Still confused on if we were even affected by this as we just rebuilt our system in November from scratch and are at 2020.2.1 HF1 already. Also not seeing any hits on the below IOC's in the past 2 months.

Thanks,
Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Koors, Anne N. <Anne.Koors () NWTC EDU>
Sent: Tuesday, December 15, 2020 8:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Solarwinds Compromise

Many of the IPs I am finding are hosting providers like Amazon. It is hard to determine if there was traffic related to this when traffic there is so common. 2 of the IPs below are also Microsoft.

Anne Koors
Security Analyst
Northeast Wisconsin Technical College
2740 West Mason Street, P.O. Box 19042
Green Bay, WI 54307-9042
anne.koors () nwtc edu
920-498-6942

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Blake Brown
Sent: Tuesday, December 15, 2020 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Solarwinds Compromise

We are in the initial stages and have unplugged the network connection from our SW servers and will continue with threat hunting today. Are these the IOC subnets you are seeing traffic to in your network?

• 20.140.0.0/15
• 96.31.172.0/24
• 131.228.12.0/22
• 144.86.226.0/24

Thanks,
Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Lee Ostrowski <lostrowski () STETSON EDU>
Sent: Tuesday, December 15, 2020 6:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Solarwinds Compromise

Good Morning Everyone,

I'm interested in what practical steps everyone has been taking to return your network to normal. Please no political responses.

1. We've turned off our SolarWinds infrastructure at this point until Solarwinds releases their HF2 update and has a little more time to vet the update.
   * The DHS and FireEye guidance recommend completely rebuilding the Solarwinds servers from scratch with known clean media.
2. The DHS and FireEye recommend rebuilding any endpoints monitored with Solarwinds.
3. We've added the C&C IOC IP's to our perimeter firewalls and Microsoft ATP.
   * The perimeter firewall has detected traffic destined to the C&C IP's, yet Microsoft ATP doesn't.
   * We put the impacted computers in isolation mode in Microsoft ATP, and still found the computers beaconing out to the C&C IP's. Clearly ATP isn't able to detect this traffic properly.
4. We've proactively changed passwords we believe were impacted.
5. Computers that are connecting to the C&C IP's appear to do so at different frequencies and rates.
   * We've tried just a password change and reboot to see if that resolves the issue; however, we're still seeing connections made to the C&C IP's.
   * The persistence mechanisms are undetected by Microsoft ATP.
   * Computers will likely need to be rebuilt.

Next steps:
* Build new SolarWinds hosts in preparation for a clean install
* Reimage and remediate computers that have indicators
* Determine what additional servers need to be rebuilt and to what extent

I'm interested to hear from each of you on what you've learned, what you've done, and what areas are unclear or troubling to you.

Lee Ostrowski, CISSP
Chief Information Security Officer
Director of Infrastructure Services
Office of Information Technology
STETSON UNIVERSITY
421 N. Woodland Blvd, Unit 8368 | DeLand, FL 32723
Phone: 386.822.7117 | Email: lostrowski () stetson edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
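Added example, not code from any poster in this thread: a small Python triage helper that separates firewall log destinations falling inside the four hard-coded SUNBURST "do not execute" ranges Alex lists from everything else, since, as he notes, hits on those ranges are expected Microsoft/Nokia traffic rather than C2 beacons. The log line format (timestamp, src, dst, action) and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# The four ranges cited from the FireEye write-up: SUNBURST refuses to run on
# hosts in these networks, so an outbound hit here is NOT a C2 indicator.
SUNBURST_AVOID_RANGES = [ipaddress.ip_network(n) for n in (
    "20.140.0.0/15",     # Microsoft
    "96.31.172.0/24",    # Tierpoint / Microsoft Solution Provider
    "131.228.12.0/22",   # Nokia
    "144.86.226.0/24",   # Microsoft
)]

# Constructed sample log lines in a hypothetical "ts src dst action" format.
SAMPLE_LOG = """\
2020-12-15T10:01:02Z 10.20.30.40 20.141.5.6 allow
2020-12-15T10:01:09Z 10.20.30.41 131.228.13.9 allow
2020-12-15T10:02:11Z 10.20.30.42 203.0.113.77 allow
2020-12-15T10:02:15Z 10.20.30.40 not-an-ip allow
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_dst(dst):
    """'avoid-range' if dst is inside a SUNBURST do-not-execute range,
    'other' if it is a valid address outside them, 'invalid' if unparsable."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "invalid"
    if any(ip in net for net in SUNBURST_AVOID_RANGES):
        return "avoid-range"
    return "other"


def triage_log(text):
    """Bucket every parsable log line by destination class.
    Returns a dict: bucket name -> list of (src, dst) tuples."""
    buckets = {"avoid-range": [], "other": [], "invalid": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        _, src, dst, _ = m.groups()
        buckets[classify_dst(dst)].append((src, dst))
    return buckets


if __name__ == "__main__":
    for bucket, hits in triage_log(SAMPLE_LOG).items():
        print(f"{bucket}: {hits}")
```

Anything landing in the "avoid-range" bucket is the false-positive case Alex describes; only destinations matched against the genuine C2 indicators warrant the rebuild steps Lee outlines.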
Current thread:
- Solarwinds Compromise Lee Ostrowski (Dec 15)
- Re: Solarwinds Compromise Blake Brown (Dec 15)
- Re: Solarwinds Compromise Lee Ostrowski (Dec 15)
- Re: Solarwinds Compromise Koors, Anne N. (Dec 15)
- Re: Solarwinds Compromise Frank Barton (Dec 15)
- Re: Solarwinds Compromise Blake Brown (Dec 15)
- Re: Solarwinds Compromise Alex Keller (Dec 15)
- Re: Solarwinds Compromise Blake Brown (Dec 15)
- Re: Solarwinds Compromise Blake Brown (Dec 15)