Educause Security Discussion mailing list archives

Re: Solarwinds Compromise


From: Blake Brown <Blake.Brown () MHCC EDU>
Date: Tue, 15 Dec 2020 16:19:45 +0000

We are in the initial stages and have unplugged the network connection from our SW servers and will continue with 
threat hunting today. Are these the IOC subnets you are seeing traffic to in your network?

  *   20.140.0.0/15
  *   96.31.172.0/24
  *   131.228.12.0/22
  *   144.86.226.0/24

Thanks,
Blake

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Lee Ostrowski 
<lostrowski () STETSON EDU>
Sent: Tuesday, December 15, 2020 6:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Solarwinds Compromise

Good Morning Everyone,

I’m interested in what practical steps everyone has been taking to return your network to normal. Please no political 
responses.

  1.  We’ve turned off our SolarWinds infrastructure at this point until Solarwinds releases their HF2 update and has a 
little more time to vet the update.
     *   The DHS and Fireeye guidance recommend completely rebuilding the Solarwinds servers from scratch with known 
clean media.
  2.  The DHS and FireEye recommend rebuilding any endpoints monitored with Solarwinds.
  3.  We’ve added the C&C IOC IPs to our perimeter firewalls and Microsoft ATP.
     *   The perimeter firewall has detected traffic destined to the C&C IPs, yet Microsoft ATP doesn’t.
     *   We put the impacted computers in isolation mode in Microsoft ATP, and still found the computers beaconing out to 
the C&C IPs. Clearly ATP isn’t able to detect this traffic properly.
  4.  We’ve proactively changed passwords we believe were impacted.
  5.  Computers that are connecting to the C&C IPs appear to do so at different frequencies and rates.
     *   We’ve tried just a password change and reboot to see if that resolves the issue, however, we’re still seeing 
connections made to the C&C IPs.
     *   The persistence mechanisms are undetected by Microsoft ATP.
     *   Computers will likely need to be rebuilt.
Next steps:

  *   Build new SolarWinds hosts in preparation for a clean install
  *   Reimage and remediate computers that have indicators
  *   Determine what additional servers need to be rebuilt and to what extent

I’m interested to hear from each of you on what you’ve learned, what you’ve done, and what areas are unclear or 
troubling to you.

Lee Ostrowski, CISSP
Chief Information Security Officer
Director of Infrastructure Services
Office of Information Technology

STETSON UNIVERSITY
421 N. Woodland Blvd, Unit 8368 | DeLand, FL 32723
Phone: 386.822.7117 | Email: lostrowski () stetson edu

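Both messages in this thread come down to the same hunt: take the C&C IOC subnets and find which internal hosts are talking to them, then look at how often each host connects, since Lee notes the beacons run at different frequencies per machine. The script below is an added example for this thread, not code from either poster, EDUCAUSE, or any vendor. It uses only the four subnets quoted in Blake's reply (they are not a complete IOC list; check the current vendor and CISA releases before relying on them), and the firewall log format and sample lines are constructed for illustration, so adapt the field parsing to your own export.

```python
"""Match outbound firewall log lines against the IOC subnets quoted in the
thread and summarise per-host beacon timing.

Added example for the SolarWinds thread above; not from the original posts.
The "timestamp src dst dport" log format and the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# IOC subnets exactly as listed in Blake Brown's reply (assumption: these
# four only; not a complete list - check the vendor/CISA IOC releases).
IOC_SUBNETS = [
    ip_network(cidr)
    for cidr in ("20.140.0.0/15", "96.31.172.0/24",
                 "131.228.12.0/22", "144.86.226.0/24")
]

# Constructed sample log: one internal host beaconing every ~12 minutes to a
# /15 IOC range, one hitting two IOC ranges at irregular intervals, one
# benign destination, and one malformed line the parser must survive.
SAMPLE_LOG = """\
2020-12-15T08:00:05 10.1.2.10 20.140.3.4 443
2020-12-15T08:00:09 10.1.2.55 93.184.216.34 443
2020-12-15T08:12:05 10.1.2.10 20.140.3.4 443
2020-12-15T08:24:06 10.1.2.10 20.141.9.9 443
2020-12-15T08:30:00 10.1.2.77 131.228.14.2 443
2020-12-15T09:30:01 10.1.2.77 131.228.14.2 443
2020-12-15T09:31:00 10.1.2.77 144.86.226.9 443
2020-12-15T09:40:00 10.1.2.10 not-an-ip 443
"""


def matching_subnet(addr: str):
    """Return the IOC network containing addr, or None.

    Invalid addresses (e.g. hostnames left in the log) return None rather
    than raising, so one bad line does not stop the sweep.
    """
    try:
        ip = ip_address(addr)
    except ValueError:
        return None
    for net in IOC_SUBNETS:
        if ip in net:
            return net
    return None


def find_ioc_connections(log_text: str):
    """Yield (timestamp, src, dst, subnet) for every line whose destination
    falls inside an IOC subnet. Lines with fewer than three fields are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, src, dst = parts[0], parts[1], parts[2]
        net = matching_subnet(dst)
        if net is None:
            continue
        yield datetime.fromisoformat(ts), src, dst, net


def beacon_summary(log_text: str):
    """Per source host: hit count, the IOC subnets contacted, and the gaps in
    seconds between successive hits. Regular gaps point at a beacon interval;
    differing gaps across hosts are the varying rates Lee describes."""
    by_src = defaultdict(list)
    for ts, src, dst, net in find_ioc_connections(log_text):
        by_src[src].append((ts, net))
    summary = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
        summary[src] = {
            "hits": len(hits),
            "subnets": sorted({str(net) for _, net in hits}),
            "gaps_seconds": gaps,
        }
    return summary


if __name__ == "__main__":
    for src, info in sorted(beacon_summary(SAMPLE_LOG).items()):
        print(src, info)
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; the per-host `gaps_seconds` list is what to compare across machines, and any host with hits after a password change and reboot is the case Lee's point 5 describes, where an isolation or reset step did not remove the persistence.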
**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
