CISA Emergency Directive: Pull Plug On SOLARWINDS ORION NOW.

It's all over the press. A wide swath of U.S. Government organizations was breached by attackers attributed to Russia. They got into those networks by slipping malware into a SolarWinds software update, according to the global cybersecurity firm FireEye, which was itself compromised. The first phases of this months-long cyberespionage campaign started in the spring. The malware gave the attackers remote access to victims' networks. Here is what CISA said:

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors.


This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales.


“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”


This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020. 

SolarWinds is aware of the issue and advises customers to upgrade to Orion Platform version 2020.2.1 HF 1 immediately. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” said SolarWinds CEO Kevin Thompson in a statement. The compromise is critical because a network management platform like Orion holds privileged credentials for, and visibility into, much of the network it monitors; a backdoored Orion server effectively gives an attacker “God-mode” access, making everything visible.

The company said in its SEC filing that its Microsoft Office 365 email systems had been compromised and that this incident “may have provided access to other data contained in the company’s office productivity tools.” In a Sunday blog post, Microsoft said that it hadn’t identified any vulnerabilities in its products as a result of its investigation into the incident.

The still-unfolding breach may have resulted in malicious code being pushed to nearly 18,000 customers, the company said. Microsoft should soon have some idea which and how many SolarWinds customers were affected, as it recently took possession of a key domain name the intruders used to control infected systems.

So, how did the hackers get into SolarWinds? How they got in has not been explained; a plausible guess is a spear-phishing attack on the development team, letting the attackers take control of the software build and release process. Spear phishing is the technique APT29 has used most successfully to gain initial access to a network; from there they escalate privileges and expand laterally across the network.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
