Re: Solarwinds Compromise

[Frank Barton <bartonf () HUSSON EDU>]

I saw something today that one of the domains that was being used for C&C
avsvmcloud.com was 'taken over' by Microsoft earlier today - so just the
IPs being owned by microsoft may not be 'valid'

Frank

On Tue, Dec 15, 2020 at 11:53 AM Koors, Anne N. <Anne.Koors () nwtc edu> wrote:

> Many of the IPs I am finding are hosting providers like Amazon.  It is
> hard to determine if there was traffic related to this when traffic there
> is so common.  2 of the IPs below are also Microsoft.
>
>
>
> ​​​​​
>
> Anne Koors
>
> Security Analyst
>
> Northeast Wisconsin Technical College
>
> 2740 West Mason Street, P.O. Box 19042
>
> Green Bay, WI 54307-9042
>
> anne.koors () nwtc edu
>
> 920-498-6942
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Blake Brown
> *Sent:* Tuesday, December 15, 2020 10:20 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Solarwinds Compromise
>
>
>
> We are in the initial stages and have unplugged the network connection
> from our SW servers and will continue with threat hunting today. Are these
> the IOC subnets you are seeing traffic to in your network?
>
>
>
> ·  20.140.0.0/15
>
> ·  96.31.172.0/24
>
> ·  131.228.12.0/22
>
> ·  144.86.226.0/24
>
>
>
> Thanks,
> Blake
>
>
> ------------------------------
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Lee Ostrowski <
> lostrowski () STETSON EDU>
> *Sent:* Tuesday, December 15, 2020 6:54 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
> *Subject:* [SECURITY] Solarwinds Compromise
>
>
>
> *External Email*
>
> Good Morning Everyone,
>
>
>
> I’m interested in what practical steps everyone has been taking to return
> your network to normal. Please no political responses.
>
>
>
>    1. We’ve turned off our SolarWinds infrastructure at this point until
>    Solarwinds releases their HF2 update and has a little more time to vet the
>    update.
>
>
>    1. The DHS and Fireeye guidance recommend completely rebuilding the
>       Solarwinds servers from scratch with known clean media.
>
>
>    1. The DHS and FireEye recommend rebuilding any endpoints monitored
>    with Solarwinds.
>    2. We’ve added the C&C IOC IP’s to our perimeter firewalls and
>    Microsoft ATP.
>
>
>    1. The perimeter firewall has detected traffic destined to the C&C
>       IP’s, yet Microsoft ATP doesn’t.
>       2. We put the impacted computers in isolation mode in Microsoft
>       ATP, and still found the computers beaconing out the C&C IP’s. Clearly ATP
>       isn’t able to detect this traffic properly.
>
>
>    1. We’ve proactively changed passwords we believe were impacted.
>    2. Computers that are connecting to the C&C IP’s appear to do so at
>    different frequencies and rates.
>
>
>    1. We’ve tried just a password change and reboot to see if that
>       resolves the issue, however, we’re still seeing connections made to the C&C
>       IP’s.
>       2. The persistent mechanisms are undetected by Microsoft ATP.
>       3. Computers will likely need to be rebuilt.
>
>
>
>
>
> Next steps:
>
>    - Build new solarwinds hosts in preparation for a clean install
>    - Reimage and remediate computers that have indicators
>    - Determine what additional servers need to be rebuilt and to what
>    extent
>
>
>
> I’m interested to hear from each of you on what you’ve learned, what
> you’ve done, and what areas that are unclear or troubling to you.
>
>
>
> Lee Ostrowski, CISSP
>
> Chief Information Security Officer
>
> Director of Infrastructure Services
>
> Office of Information Technology
>
>
>
> STETSON UNIVERSITY
>
> 421 N. Woodland Blvd, Unit 8368| DeLand, FL 32723
>
> *Phone:* 386.822.7117 | *Email:*  lostrowski () stetson edu
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
>
> CONFIDENTIALITY: This e-mail (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you received this e-mail in error,
> please notify the sender and delete this e-mail from your system.
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community