N.C. Joint Cybersecurity Task Force SolarWinds Impact Incident Management

This page from the North Carolina Joint Cybersecurity Task Force contains the latest information and resources regarding the SolarWinds supply chain compromise for North Carolina state agencies, local governments, academic institutions and private sector entities.

Cyber incidents may be reported using the Statewide Cybersecurity Incident Report Form.


SolarWinds Incident Management Questionnaire

The task force is asking state, local and academic entities to complete a short questionnaire to help it assess the state’s security posture. Information shared as part of this process will be protected from public disclosure under N.C. G.S. 132-6.1(c). 

Complete Questionnaire



CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise

May 14, 2021

The Cybersecurity and Infrastructure Security Agency has released Current Activity: CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise as well as an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise.

The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments related to compromises pertaining to the SolarWinds Orion platform vulnerabilities that were addressed in December 2020. Learn more


Using CHIRP to Detect Post-Compromise Threat Activity in On-Premises Environments

March 18, 2021

CHIRP, the CISA Hunt and Incident Response Program, is a new forensics collection tool that CISA developed to help network defenders find indicators of compromise associated with the SolarWinds and Active Directory/M365 Compromise. Learn more


Post-Compromise Threat Activity in Microsoft Cloud Environments 

Jan. 8, 2021
 
CISA has published (TLP:WHITE) Current Activity: CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity
 
CISA has evidence of post-compromise APT activity in the cloud environment. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment and using additional credentials and API access to cloud resources of private and public sector organizations. This activity is in addition to what has been previously detailed in AA20-352A.

In response, CISA has released AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments to describe this malicious APT activity and offer guidance on three open-source tools - including a CISA-developed tool, Sparrow, released on Dec. 24. Network defenders can use these tools to help detect and remediate malicious APT actor activity as part of the ongoing supply chain compromise.

CISA strongly encourages users and administrators to review the Activity Alert for additional information and detection countermeasures.
 
Send questions, feedback or incidents related to this product to CISA at Central@cisa.dhs.gov or call 888-282-0870.


CISA Releases New Supplemental Guidance

Jan. 6, 2021

CISA has released new supplemental guidance for Emergency Directive 21-01 and updated Activity Alert 20-352A as new information has become available.
 
Version 3 of the supplemental guidance for the CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise supersedes Required Action 4 of ED 21-01 and Supplemental Guidance Versions 1 and 2 for federal government networks.  While the Emergency Directive is aimed at federal civilian agencies, CISA encourages the broader cyber community to review and consider taking these actions as part of their event management and mitigation.
 
This supplemental guidance version 3 requires:

  • Agencies that ran affected versions to conduct forensic analysis
  • Agencies that accept the risk of running SolarWinds Orion to comply with certain hardening requirements
  • Reporting by agency from department-level chief information officers by Tuesday, Jan. 19 and Monday, Jan. 25. 

In addition, CISA has updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure and Private Sector Organizations with new information on initial access vectors, updated mitigation recommendations and new indicators of compromise. CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section).  Specifically, CISA is investigating incidents in which activity indicating abuse of Security Assertion Markup Language tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques and procedures.

CISA will update this Alert as new information becomes available. 
 
Lastly, CISA released a joint statement with the FBI, the Office of the Director of National Intelligence and the National Security Agency that outlined the work of the U.S. government via the Cyber Unified Coordination Group and stated that this work indicates that an advanced persistent threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.
 
For more information about this incident, see CISA’s supply chain compromise webpage, where all the information above and previously released details are located.


Updated Guidance from CISA

Dec. 29, 2020

The Cybersecurity and Infrastructure Security Agency has issued new guidance that supplements Emergency Directive 21-01 and Supplemental Guidance v1, issued Dec. 18, 2020. While the emergency directive is aimed at federal civilian agencies, CISA encourages the broader cyber community to review and consider taking these actions as part of their event management and mitigation. 

Specifically, all federal agencies operating versions of the SolarWinds Orion platform other than those identified as “affected versions” below are required to use at least SolarWinds Orion Platform version 2020.2.1 HF2. The National Security Agency has examined this version and verified that it eliminates the previously identified malicious code. Given the number and nature of disclosed and undisclosed vulnerabilities in SolarWinds Orion, all instances that remain connected to federal networks must be updated to 2020.2.1 HF2 by COB December 31, 2020.

Orion Platform Version | Continued Use of SolarWinds Orion Permitted at This Time | Update Required?
--- | --- | ---
Affected versions: 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 (should be powered down or removed from networks based on ED 21-01) | No | N/A
All other versions that are currently online (if the instance did not previously use an affected version) | Yes | Yes (2020.2.1 HF2)

CISA Activity Alert AA20-352A Updated

Dec. 20, 2020

The Cybersecurity and Infrastructure Security Agency has updated Activity Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released Dec. 17.

This update states that CISA has evidence of, and is currently investigating, initial access vectors in addition to those attributed to the SolarWinds Orion supply chain compromise. This update also provides new mitigation guidance and revises the indicators of compromise table. It also includes a downloadable STIX file of the IOCs.

Read more in CISA's Dec. 19 news release.


CISA Activity Alert AA20-352A

Dec. 18, 2020

On Dec. 17, 2020, the Cybersecurity and Infrastructure Security Agency released Activity Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.

SLTT partners are encouraged to use the information in this document to assist with their response to the SolarWinds cyber incidents. Details of the alert include:

  • An analysis of adversary tactics, techniques, and procedures
  • A list of indicators of compromise to assist you in network detection efforts  
  • An updated list of affected SolarWinds Orion Products

In particular, partners should review the updated list of known affected SolarWinds products in Appendix A:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083 
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219 
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394 
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432 
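The affected-version list above and the Dec. 29 version table (power down affected instances; bring every other online instance to at least 2020.2.1 HF2; agencies that ever ran an affected version still owe forensic analysis) can be turned into a repeatable inventory triage. The following Python helper is an added example, not code from the task force or from CISA. It assumes each inventory row carries an Orion version either in marketing form ("2020.2 HF1", "2020.2.1 HF2") or as one of the four build numbers listed on this page; any other build number is rejected rather than guessed. Host names are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Affected Orion versions from CISA AA20-352A Appendix A, with the build
# numbers listed on this page. 2020.2 and 2020.2 HF1 share one build number.
AFFECTED_BUILDS: Dict[str, str] = {
    "2019.4.5200.9083": "2019.4 HF5",
    "2020.2.100.12219": "2020.2 RC1",
    "2020.2.5200.12394": "2020.2 RC2",
    "2020.2.5300.12432": "2020.2 / 2020.2 HF1",
}
AFFECTED_VERSIONS = ("2019.4 HF5", "2020.2 RC1", "2020.2 RC2", "2020.2", "2020.2 HF1")

# Minimum version for instances that stay online (CISA guidance of Dec. 29, 2020).
MINIMUM_VERSION = "2020.2.1 HF2"

AFFECTED = "AFFECTED"                # power down / remove per ED 21-01
UPDATE_REQUIRED = "UPDATE_REQUIRED"  # online but below 2020.2.1 HF2
COMPLIANT = "COMPLIANT"              # at or above 2020.2.1 HF2

_MARKETING_RE = re.compile(r"^(\d{4}\.\d+(?:\.\d+)?)(?:\s*(RC|HF)\s*(\d+))?$")


def normalize(text: str) -> str:
    """Collapse whitespace and upper-case so '2020.2.1hf2' and '2020.2.1 HF2' match."""
    return " ".join(text.split()).upper()


def version_key(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn 'YYYY.m[.p] [RCn|HFn]' into a sortable key.

    Stage orders release candidates (0) before the GA release (1) before
    hotfixes (2); the number after RC/HF orders releases within a stage.
    """
    m = _MARKETING_RE.match(normalize(text))
    if m is None:
        raise ValueError(f"not a marketing version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad '2020.2' to (2020, 2, 0)
    if m.group(2) is None:
        return (tuple(nums), 1, 0)
    stage = 0 if m.group(2) == "RC" else 2
    return (tuple(nums), stage, int(m.group(3)))


AFFECTED_KEYS = {version_key(v) for v in AFFECTED_VERSIONS}


def classify(version: str, previously_ran_affected: bool = False) -> Tuple[str, bool]:
    """Return (status, forensic_analysis_required) for one Orion instance."""
    v = normalize(version)
    if v in AFFECTED_BUILDS:
        return (AFFECTED, True)
    if v.count(".") >= 3:
        # A build number not in the known-affected table: make the operator map
        # it to a marketing version instead of silently comparing digits.
        raise ValueError(f"unknown build number {version!r}; map it to its marketing version")
    key = version_key(v)
    if key in AFFECTED_KEYS:
        return (AFFECTED, True)
    status = UPDATE_REQUIRED if key < version_key(MINIMUM_VERSION) else COMPLIANT
    # Agencies that ever ran an affected version must still do forensic analysis,
    # even when the instance has since been updated.
    return (status, previously_ran_affected)


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, bool]]:
    """Classify (host, version, previously_ran_affected) rows, worst findings first."""
    order = {AFFECTED: 0, UPDATE_REQUIRED: 1, COMPLIANT: 2}
    rows = [(host, *classify(ver, prev)) for host, ver, prev in inventory]
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("orion-01.example.local", "2020.2.5300.12432", False),
    ("orion-02.example.local", "2020.2.1 HF1", False),
    ("orion-03.example.local", "2020.2.1HF2", True),
    ("orion-04.example.local", "2019.4 HF5", False),
    ("orion-05.example.local", "2020.2.1 HF2", False),
]

if __name__ == "__main__":
    for host, status, forensics in triage(SAMPLE_INVENTORY):
        print(f"{host:26} {status:16} forensic_analysis={'yes' if forensics else 'no'}")
```

The comparison key deliberately treats a plain release ("2020.2") as newer than its release candidates and older than its hotfixes, which is the only ordering under which the page's affected list and the 2020.2.1 HF2 floor come out right; feeding the script an unrecognised four-part build number raises an error instead of producing a confident wrong answer.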

Key takeaways of the report are:

  • This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
  • The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged. CISA will update this Alert as new information becomes available.
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans. 

CISA will continue to update you with additional indicators of compromise as new information becomes available.
 
Please report any questions, feedback or incidents related to this product to CISA at Central@cisa.dhs.gov or 888-282-0870.

Incident Response Checklist

Security and IT teams should ensure they are receiving the latest updates on threats and are taking necessary steps in a timely manner to mitigate risks. (Checklist updated Dec. 19, 2020.)

View Checklist