FYSA
This evening CISA has released new supplemental guidance for Emergency
Directive 21-01<https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3> and
updated Activity Alert 20-352A<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>
as new information has become available.
Version 3 of the supplemental guidance for the CISA Emergency Directive (ED)
21-01: Mitigate SolarWinds Orion Code Compromise supersedes Required Action 4
of ED 21-01 and Supplemental Guidance Versions 1 and 2 for federal government
networks. While the Emergency Directive is aimed at federal civilian agencies,
we encourage the broader cyber community to review and consider taking these
actions as part of your event management and mitigation.
This supplemental guidance version 3 requires (1) agencies that ran affected
versions to conduct forensic analysis, (2) agencies that accept the risk of
running SolarWinds Orion to comply with certain hardening requirements, and (3)
reporting by agency from department-level Chief Information Officers (CIOs) by
Tuesday, January 19, and Monday, January 25, 2021.
In addition, CISA has updated AA20-352A: Advanced Persistent Threat Compromise
of Government Agencies, Critical Infrastructure, and Private Sector
Organizations with new information on initial access vectors, updated
mitigation recommendations, and new indicators of compromise (IOCs). CISA has
evidence that there are initial access vectors other than the SolarWinds Orion
platform and has identified legitimate account abuse as one of these vectors
(for details, refer to the Initial Access Vectors section). Specifically, we are
investigating incidents in which activity indicating abuse of Security
Assertion Markup Language (SAML) tokens consistent with this adversary's
behavior is present, yet where impacted SolarWinds instances have not been
identified. CISA is continuing to work to confirm initial access vectors and
identify any changes to the tactics, techniques, and procedures (TTPs). CISA
will update this Alert as new information becomes available.
Finally, last night CISA released a joint
statement<https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure>
with the Federal Bureau of Investigation (FBI), the Office of the Director of
National Intelligence (ODNI), and the National Security Agency (NSA) that
outlined the work of the U.S. Government via the Cyber Unified Coordination
Group (UCG) and stated that this work indicates that an Advanced Persistent
Threat (APT) actor, likely Russian in origin, is responsible for most or all of
the recently discovered, ongoing cyber compromises of both government and
non-governmental networks.
For more information about this incident, see CISA's supply chain compromise
webpage<https://www.cisa.gov/supply-chain-compromise>, where all the information
above and previously released details are located.
Theresa A. Masse
Cyber Security Advisor, Region X (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671 Email:
theresa.masse@xxxxxxxxxxxx<mailto:theresa.masse@xxxxxxxxxxxx>