CISA noted evidence of initial access vectors beyond SolarWinds’ Orion platform, and abuse of SAML authentication tokens that mirror behaviors of the actor behind the compromise. (Elizabeth Cooper/CC BY 2.0)

Largely lost in the fallout from yesterday’s Capitol riots was an update on a mandatory order to federal agencies responding the SolarWinds hack.

An alert from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security pointed to evidence of initial access vectors beyond SolarWinds’ Orion platform, and abuse of SAML authentication tokens that mirror behaviors of the actor behind the compromise. An attacker gaining access to these tokens could be catastrophic for identity validation and likely requires a full rebuild of the network. The agency referenced guidance from Microsoft for further instructions.

“If the adversary has compromised administrative level credentials in an environment — or if organizations identify SAML abuse in the environment, simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network,” CISA wrote. “In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.”

As with many of its directives responding to widespread vulnerabilities, the agency made it clear that while only federal civilian agencies are required to follow the directive, it can also serve as general guidance to those outside the federal government.

“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the agency wrote.

It also updated a Dec. 18 Binding Operational Directive, released indicators of compromise and issued supplemental guidance on which agencies can turn back on their Orion software and under what conditions. For the following versions, agencies must run forensic analysis, comply with new hardening requirements and reporting from department and agency-level Chief Information Officers  by Jan. 25.

Versions that have been confirmed to be unaffected by the initial compromise are safe to turn back on following an upgrade to the latest version of Orion. The agency said IT teams may need to rebuild or reinstall their SolarWinds components.

For affected versions, a more complex decision-set must take place. Networks that do not have the malicious code and can confirm through forensics that it was never present are safe to use Orion software again. So too are networks where forensic analysis indicates they have not beaconed out to a command and control server or had secondary command and control activity to other domains. That guidance applies to the following versions of Orion:

2019.4 HF5

 2020.2 RC1

 2020.2 RC2

 2020.2

 2020.2 HF1

In both cases, the organization would still need to go through a full network rebuild and reset all accounts before its safe to continue using the Orion platform.

For agencies or organizations that lack the capability to conduct forensic analysis, CISA recommends at least using the available indicators of compromise and other available evidence of the adversary’s behavior to hunt for suspicious activity on their network.

The follow up guidance comes days after CISA along with the FBI, National Security Agency and Office of Director of National Intelligence issued a joint statement that “an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing [SolarWinds] cyber compromises of both government and non-governmental networks.”

On a Jan. 7 virtual conference hosted by the Aspen Institute, Sen. Mark Warner, D-Va., said the White House had “watered down” the attribution statement and claimed the government’s real position is much more categorical. Multiple news reports citing intelligence officials have pinned the blame on APT29, or Cozy Bear, one of two groups tied to Russian intelligence that were behind the 2016 DNC hack. The public hack and leak campaign of DNC emails, not remotely considered run of the mill espionage, was done by a second APT group, Fancy Bear, with ties to the Russian GRU.

It also follows disclosures that 3,000 Department of Justice email accounts and the federal courts system were also impacted by the hack. While some U.S. lawmakers and other observers have likened the hack to an act of war, the agencies continue to assert the objective was espionage, a far more commonly accepted method of intelligence gathering that the U.S. and other nations engage in regularly. It’s not just the government that is seeing an expanded list of victims. Warner indicated more breach disclosures in the private sector are forthcoming, saying the number of well-known brands who know they have been compromised but haven’t announced was surprising.