Educause Security Discussion mailing list archives

Re: Solarwinds Compromise


From: Blake Brown <Blake.Brown () MHCC EDU>
Date: Tue, 15 Dec 2020 19:24:00 +0000

Thanks for the clarification on this massive amount of confusing information!

~Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Alex Keller 
<axkeller () STANFORD EDU>
Sent: Tuesday, December 15, 2020 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Solarwinds Compromise

External Email

While admittedly a little confusing, please note that the IPs listed in the FireEye deep dive 
(https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) 
under “Network Command and Control (C2)” are NOT the actual C2 servers but rather IP ranges hard-coded into the 
malware that tell it NOT to execute if installed on a host in that range.
Considering these include legitimate Microsoft ranges, the running theory is that the attackers were seeking to avoid 
detection within specific IP spaces they deemed risky.

20.140.0.0/15 (Microsoft)

96.31.172.0/24 (Tierpoint/Microsoft Solution Provider)

131.228.12.0/22 (Nokia)

144.86.226.0/24 (Microsoft)



Best,

Alex



Alex Keller

Stanford | Engineering

Information Technology

axkeller () stanford edu<mailto:axkeller () stanford edu>

(650)736-6421
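The distinction Alex draws above (hard-coded "do not execute" ranges versus real C2 indicators) matters when you search firewall or DNS logs for the IOCs Blake posted. The following is an added example, not code from the original thread or from FireEye: a small Python triage script that refangs the posted IOCs, parses a constructed key=value log format, and labels each event so that hits on the do-not-execute ranges are reported separately from genuine C2 contacts. The log format, the source IPs and the subdomain in the sample are constructed for illustration; the IOC values are the ones posted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Defanged C2 indicators as posted in the thread (duplicates in the posted list are harmless; sets dedupe them).
C2_IPS_DEFANGED = [
    "13.59.205[.]66", "54.193.127[.]66", "54.215.192[.]52", "34.203.203[.]23",
    "139.99.115[.]204", "5.252.177[.]25", "5.252.177[.]21", "204.188.205[.]176",
    "51.89.125[.]18", "167.114.213[.]199",
]
C2_DOMAINS_DEFANGED = [
    "freescanonline[.]com", "deftsecurity[.]com", "thedoccloud[.]com", "avsvmcloud[.]com",
    "databasegalore[.]com", "highdatabase[.]com", "incomeupdate[.]com", "panhardware[.]com",
    "virtualwebdata[.]com", "websitetheme[.]com", "zupertech[.]com",
]
# Ranges the malware refuses to run in (the FireEye "Network C2" table, per Alex's note).
# Traffic to these is NOT evidence of C2; they are listed only so the tool can label them explicitly.
DO_NOT_EXECUTE_RANGES = ["20.140.0.0/15", "96.31.172.0/24", "131.228.12.0/22", "144.86.226.0/24"]


def refang(ioc):
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://x[.]com') back into its real form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {ipaddress.ip_address(refang(i)) for i in C2_IPS_DEFANGED}
C2_DOMAINS = {refang(d).lower() for d in C2_DOMAINS_DEFANGED}
AVOID_NETS = [ipaddress.ip_network(n) for n in DO_NOT_EXECUTE_RANGES]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line (constructed format) into a dict."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    event.update(KV_RE.findall(rest))
    return event


def domain_matches(name):
    """True if name is a C2 domain or any subdomain of one (beacons commonly use subdomains)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def classify(event):
    """Label one event. 'avoid_range_not_c2' exists precisely so that hits on the
    do-not-execute ranges are not mistaken for C2 contact."""
    if "query" in event and domain_matches(event["query"]):
        return "c2_domain"
    if "dst" in event:
        try:
            dst = ipaddress.ip_address(event["dst"])
        except ValueError:
            return "unparsed"
        if dst in C2_IPS:
            return "c2_ip"
        if any(dst in net for net in AVOID_NETS):
            return "avoid_range_not_c2"
    return "none"


def triage(lines):
    """Return (counts per label, list of C2 events worth escalating)."""
    counts = Counter()
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev)
        counts[label] += 1
        if label.startswith("c2_"):
            hits.append((ev["ts"], ev.get("src"), ev.get("dst") or ev.get("query"), label))
    return counts, hits


# Constructed sample log: one real C2 IP hit, one hit inside a do-not-execute range,
# one benign destination, one DNS query for a subdomain of a C2 domain, one benign query.
SAMPLE_LOG = """\
2020-12-15T10:05:01Z src=10.20.30.40 dst=13.59.205.66 dport=443 proto=tcp action=allow
2020-12-15T10:05:02Z src=10.20.30.41 dst=20.141.7.9 dport=443 proto=tcp action=allow
2020-12-15T10:05:03Z src=10.20.30.42 dst=52.10.1.1 dport=443 proto=tcp action=allow
2020-12-15T10:05:04Z src=10.20.30.43 query=constructed-sub.avsvmcloud.com type=A
2020-12-15T10:05:05Z src=10.20.30.44 query=www.example.edu type=A
""".splitlines()

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    print(dict(counts))
    for h in hits:
        print("ESCALATE", *h)
```

Run against the sample, the script escalates the 13.59.205.66 connection and the avsvmcloud.com query, while the connection into 20.140.0.0/15 is counted under `avoid_range_not_c2` rather than reported as a beacon. Matching subdomains of the listed domains, not just exact names, is what makes the DNS check useful; matching only exact names would miss the query in line four.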



From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake Brown
Sent: Tuesday, December 15, 2020 10:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Solarwinds Compromise



I added the following IOCs to an ACL in our FMC. Still confused about whether we were even affected by this, as we just rebuilt 
our system in November from scratch and are at 2020.2.1 HF1 already. Also not seeing any hits on the below IOCs in the 
past 2 months.



13.59.205[.]66

54.193.127[.]66

54.215.192[.]52

34.203.203[.]23

139.99.115[.]204

5.252.177[.]25

5.252.177[.]21

204.188.205[.]176

51.89.125[.]18

167.114.213[.]199



freescanonline[.]com

deftsecurity[.]com

thedoccloud[.]com

avsvmcloud[.]com

databasegalore[.]com

freescanonline[.]com

highdatabase[.]com

incomeupdate[.]com

panhardware[.]com

thedoccloud[.]com

virtualwebdata[.]com

websitetheme[.]com

zupertech[.]com



Thanks,
Blake

________________________________

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Koors, Anne N. <Anne.Koors () NWTC EDU<mailto:Anne.Koors () NWTC EDU>>
Sent: Tuesday, December 15, 2020 8:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Solarwinds Compromise



External Email

Many of the IPs I am finding are hosting providers like Amazon.  It is hard to determine if there was traffic related 
to this when traffic there is so common.  2 of the IPs below are also Microsoft.




Anne Koors

Security Analyst

Northeast Wisconsin Technical College

2740 West Mason Street, P.O. Box 19042

Green Bay, WI 54307-9042

anne.koors () nwtc edu<mailto:anne.koors () nwtc edu>

920-498-6942



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Blake Brown
Sent: Tuesday, December 15, 2020 10:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Solarwinds Compromise



We are in the initial stages and have unplugged the network connection from our SW servers and will continue with 
threat hunting today. Are these the IOC subnets you are seeing traffic to in your network?



•  20.140.0.0/15

•  96.31.172.0/24

•  131.228.12.0/22

•  144.86.226.0/24



Thanks,
Blake



________________________________

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Lee Ostrowski <lostrowski () STETSON EDU<mailto:lostrowski () STETSON EDU>>
Sent: Tuesday, December 15, 2020 6:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Solarwinds Compromise



External Email

Good Morning Everyone,



I’m interested in what practical steps everyone has been taking to return your network to normal. Please no political 
responses.



  1.  We’ve turned off our SolarWinds infrastructure at this point until SolarWinds releases their HF2 update and has a 
little more time to vet the update.

     *   The DHS and FireEye guidance recommend completely rebuilding the SolarWinds servers from scratch with known 
clean media.

  2.  The DHS and FireEye recommend rebuilding any endpoints monitored with SolarWinds.
  3.  We’ve added the C&C IOC IPs to our perimeter firewalls and Microsoft ATP.

     *   The perimeter firewall has detected traffic destined to the C&C IPs, yet Microsoft ATP doesn’t.
     *   We put the impacted computers in isolation mode in Microsoft ATP, and still found the computers beaconing out to 
the C&C IPs. Clearly ATP isn’t able to detect this traffic properly.

  4.  We’ve proactively changed passwords we believe were impacted.
  5.  Computers that are connecting to the C&C IPs appear to do so at different frequencies and rates.

     *   We’ve tried just a password change and reboot to see if that resolves the issue; however, we’re still seeing 
connections made to the C&C IPs.
     *   The persistence mechanisms are undetected by Microsoft ATP.
     *   Computers will likely need to be rebuilt.





Next steps:

  *   Build new solarwinds hosts in preparation for a clean install
  *   Reimage and remediate computers that have indicators
  *   Determine what additional servers need to be rebuilt and to what extent



I’m interested to hear from each of you on what you’ve learned, what you’ve done, and what areas are unclear or 
troubling to you.



Lee Ostrowski, CISSP

Chief Information Security Officer

Director of Infrastructure Services

Office of Information Technology



STETSON UNIVERSITY

421 N. Woodland Blvd, Unit 8368| DeLand, FL 32723

Phone: 386.822.7117 | Email:  lostrowski () stetson edu<mailto:lostrowski () stetson edu>



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community




CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged 
information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the 
sender and delete this e-mail from your system.
