Our Customer and Community Approach to the SolarWinds Compromise
The SolarWinds Orion compromise has potentially impacted 18,000 customers worldwide, including government agencies and Fortune 500 companies. Censys currently sees 1,336 Orion hosts as of December 29, 2020. The top locations of these hosts are the following: This is highly concerning because these hosts should not be Internet-facing and could potentially be communicating with the adversary’s C2 servers.
We know that when a compromise of this scale occurs, it is crucial to work together as a community to understand the impact. Censys is committed to supporting our customers and the community as best we can. While much remains unknown, Censys has unmatched visibility across the Internet that can help the current investigations of defenders and threat researchers alike. Our goal is to continue to provide valuable information and tooling to these groups.
We have notified Censys ASM Platform customers about the SolarWinds Orion compromise and any potential impact to their network. We are also offering an attack surface assessment and 30 days of monitoring through our ASM Platform to Enterprise and Pro Data customers. We hope that this improved visibility will enable responders to more quickly remediate and understand the actions they should take to secure their attack surface.
To support the broader community, we have published Censys Search Free / Pro queries that defenders and threat researchers can utilize to identify Orion-associated infrastructure visible on the Internet. We have also begun to notify likely vulnerable companies that control one of the 1,336 active SolarWinds Orion hosts we have uncovered in our Internet-wide scans. More details on the vulnerable hosts we found, our approach, and analysis can be found here and will continue to be updated. The full impact is still unknown and organizations should follow the CISA Emergency Directive last revised on Sunday, December 14, 2020.
We hope to help with any efforts to identify assets but encourage you to follow directives outlined in the resources below for further guidance:
- Using Censys Search Free / Pro for Remediation: https://censys.io/solarwinds-tracking-using-censys-search
- Detailed DHS Emergency Directive: https://cyber.dhs.gov/ed/21-01
- FireEye SolarWinds Analysis: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- FireEye’s Additional Threat Hunting Rules: https://github.com/fireeye/sunburst_countermeasures
- Microsoft’s DLL Analysis: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/