Security, IT, and risk managers are asking two questions in the wake of large scale breaches resulting from the SolarWinds compromise:
Are we running affected versions and do we need immediate patches?
Where else are we running SolarWinds on our network?
While these questions sound elementary, they can be difficult to answer because asset and software inventory lists are often curated manually, updated infrequently, or incomplete.
In this blog, we’ll show how organizations are using Axonius to identify all instances of SolarWinds software, find affected versions, and confirm whether the SolarWinds vulnerabilities are present at their organization.
A Brief Primer: How to Track Installed Software With Axonius
Sometimes, the knowledge of installed applications is spread out across multiple tools, such as vulnerability assessment tools or systems management agents. In situations where these disparate tools do not overlap in coverage, aggregating their data provides significant value.
Axonius aggregates, correlates, and normalizes installed software data across all devices known in your network. As customers connect adapters, they obtain a comprehensive and credible list of installed software running on devices — whether they are workstations, laptops, virtual machines, servers, or cloud workloads.
Many Axonius adapters provide installed software information, including version details. The best data sources for this information include:
Endpoint Management: For example, SCCM, Tanium, BigFix, Chef, Puppet
Software Management: For example, ManageEngine, Snow Asset Management
Endpoint Protection and Antivirus: For example, Symantec, SentinelOne
Vulnerability Assessment Tools: For example, Qualys, Rapid7, Tenable.io, Tenable.sc
It is also helpful to connect adapters that provide a large device inventory to understand which software applications exist across certain device types. These adapters include:
Directory Services: For example, Active Directory, Azure AD
Virtualization: For example, VMware, Hyper-V, OpenStack
Cloud Infrastructure: For example, AWS, Google Compute, Azure, Oracle, IBM
Even if teams have already taken mitigating actions (either by applying patches or turning off SolarWinds infrastructure), they may want to identify all instances of SolarWinds software should any further findings emerge.
The following query will show results for any SolarWinds applications seen through any adapter connected on the Axonius platform.
How to Find Impacted Versions of SolarWinds Software
Three versions of the SolarWinds Orion platform are impacted by the compromise behind the recent major revelations of threat actor activity across both U.S. Federal Government agencies and Fortune 500 companies.
It is now believed that at least 18,000 companies have downloaded the affected SolarWinds software from the SolarWinds update servers since March 2020, introducing hidden malware binaries into their environments.
The impacted versions of the Orion platform are:
2019.4 HotFix 5
2020.2 with no hotfix
2020.2 HotFix 1
Axonius can be used to query for specific software versions, as well as software vendors (e.g. SolarWinds), across any adapter you have connected in the platform. The two query examples below show how to identify the known impacted versions.
These queries search across all connected adapters, look for any known instance of SolarWinds Orion software, and then display the versions that may be susceptible.
Find version 2019.4 HotFix 5
Find version 2020.2, with or without hotfix
These queries are run continuously and can be tracked as a comparison chart, as shown below.
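The aggregation the post describes, shown as an added example that is not Axonius code or an Axonius query: two constructed inventory exports (an endpoint management tool and a vulnerability scanner) report the same software with inconsistent hostnames, vendor strings and version formats. The script normalizes the version strings, merges the records per host, flags hosts running one of the three impacted Orion releases named above, and lists Orion hosts seen by only one source, where inventory coverage should be double-checked. All hostnames, source names and record values are constructed for the example.

```python
"""Aggregate installed-software records from several inventory sources and
flag hosts running the SolarWinds Orion versions named in the post.

Added example, not Axonius code: the source exports below are constructed
to mimic what different adapters (endpoint management, vulnerability
scanner) typically report, with inconsistent naming and version strings.
"""
import re
from collections import defaultdict

# Impacted Orion platform releases from the post: (base version, hotfix number or None)
IMPACTED = {
    ("2019.4", 5),     # 2019.4 HotFix 5
    ("2020.2", None),  # 2020.2 with no hotfix
    ("2020.2", 1),     # 2020.2 HotFix 1
}

# Version strings vary by source: "2020.2 HF1", "2020.2 HotFix 1", "v2019.4 hotfix 5", "2020.2"
_VERSION_RE = re.compile(
    r"v?(?P<base>\d{4}\.\d+(?:\.\d+)*)\s*(?:(?:hot\s*fix|hf)\s*(?P<hf>\d+))?",
    re.IGNORECASE,
)


def normalize_version(raw):
    """Return (base, hotfix) from a free-form version string, or None if unparseable."""
    m = _VERSION_RE.search(raw or "")
    if not m:
        return None
    hf = m.group("hf")
    return (m.group("base"), int(hf) if hf is not None else None)


def is_orion(vendor, name):
    """Heuristic product match: vendor or name mentions SolarWinds and the name mentions Orion."""
    blob = f"{vendor} {name}".lower()
    return "solarwinds" in blob and "orion" in blob


def aggregate(sources):
    """Merge per-source software records into one view keyed by normalized hostname.

    sources: {source_name: [{"host": ..., "vendor": ..., "name": ..., "version": ...}, ...]}
    Returns {host: {"versions": set of (base, hotfix), "sources": set of source names}}
    for Orion installs only.
    """
    merged = defaultdict(lambda: {"versions": set(), "sources": set()})
    for source, records in sources.items():
        for rec in records:
            if not is_orion(rec.get("vendor", ""), rec.get("name", "")):
                continue
            host = rec["host"].strip().lower()  # hostnames differ in case between sources
            merged[host]["sources"].add(source)
            ver = normalize_version(rec.get("version"))
            if ver is not None:
                merged[host]["versions"].add(ver)
    return dict(merged)


def find_impacted(sources):
    """Hosts whose aggregated Orion versions include one of the impacted releases."""
    return sorted(
        host for host, info in aggregate(sources).items()
        if info["versions"] & IMPACTED
    )


def coverage_gaps(sources):
    """Orion hosts reported by only one source: candidates for inventory verification."""
    return sorted(
        host for host, info in aggregate(sources).items()
        if len(info["sources"]) == 1
    )


# Constructed sample exports (hostnames and values are made up for this example).
SAMPLE_SOURCES = {
    "endpoint_mgmt": [
        {"host": "NPM-SRV-01", "vendor": "SolarWinds", "name": "Orion Platform", "version": "2020.2 HF1"},
        {"host": "NPM-SRV-02", "vendor": "SolarWinds Worldwide, LLC", "name": "Orion Platform", "version": "2019.4 HotFix 5"},
        {"host": "WKS-1042", "vendor": "Microsoft", "name": "Remote Desktop Connection", "version": "10.0"},
    ],
    "vuln_scanner": [
        {"host": "npm-srv-01", "vendor": "", "name": "SolarWinds Orion Platform", "version": "v2020.2 hotfix 1"},
        {"host": "lab-orion", "vendor": "SolarWinds", "name": "Orion NPM", "version": "2020.2"},
        # Not one of the three impacted versions; reported as "not in the impacted list", nothing more.
        {"host": "dr-orion", "vendor": "SolarWinds", "name": "Orion Platform", "version": "2020.2.1 HF2"},
    ],
}

if __name__ == "__main__":
    for host in find_impacted(SAMPLE_SOURCES):
        print("impacted version present:", host)
    for host in coverage_gaps(SAMPLE_SOURCES):
        print("seen by a single source only:", host)
```

A host is flagged only when a normalized version matches one of the three releases listed in the post; any other version is simply not in that list, which is not the same as being confirmed patched. The single-source list is the practical payoff of aggregation: a host that only one tool knows about is exactly the kind of blind spot that manually curated inventories tend to miss.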
The same attackers also used weaknesses in other, non-SolarWinds products to attack companies. One, in particular, applies to VMware endpoint and identity management products. This vulnerability allows an attacker who already holds valid credentials to take full control of any unpatched VMware Workspace ONE system.
Monitoring Assets With RDP Enabled
As a general best practice, it is recommended to monitor corporate assets that can be accessed remotely.
One example is to search for any devices that communicate over port 3389, which is used for remote desktop protocol. Security, IT, and risk teams should confirm that remote desktop protocol is strictly necessary on any device where it is found, in order to minimize the attack surface.
Automate Response Actions When Vulnerable Software is Found