Fidelis Cybersecurity was a target of interest to the SolarWinds hackers after installing a trial copy of malicious SolarWinds Orion network monitoring software in May.

The company said it identified a four-day period in May where a machine on its network communicated with the malware’s infrastructure in the initial passive phase of the attack, said Chief Information Security Officer Chris Kubic. The malware then flagged the Fidelis machine for the second associated phase of the attack, indicating that the company was a target of interest to the SolarWinds hackers. However, the Bethesda, Md.-based extended detection and response vendor has not been able to identify any follow-up transactions that would enable progression to the final phase of the attack, where the malware on Fidelis’ system would have been communicating with the hacker’s command and control infrastructure, according to Kubic.

Fidelis does not use SolarWinds Orion software for management of its corporate systems, but Kubic said the nature of the company’s work requires Fidelis to test all kinds of software for compatibility with its products. “Our current belief, subject to change given additional information, is that the test and evaluation machine where this software was installed was sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack,” Kubic wrote in a blog post Tuesday. Using Fidelis Endpoint, Kubic said the company determined it had installed an evaluation copy of the trojanized SolarWinds Orion software on one of its machines as part of a software evaluation. The Orion software installation was traced to a machine configured as a test system, isolated from Fidelis’ core network, and infrequently powered on, according to Kubic.

After news of the FireEye and SolarWinds hacks went public in December, Kubic said Fidelis used Netresec’s Sunburst Domain Decoder Tool to filter and decode passive DNS records associated with the initial phase of the attack. “Following the FireEye/SolarWinds disclosure in December, we initiated an internal review of Fidelis networks under the assumption that we too could have been a target,” Kubic said. “To date we have not turned up any evidence that the SolarWinds compromise has impacted our networks, although our analysis continues.”

Using the passive DNS sources available at the time, Kubic said Fidelis did not identify the “hq.fidelis” domain in records associated with the SolarWinds attack. But on Friday, Kubic said Fidelis identified an additional source of passive DNS information and, using Netresec’s Sunburst Domain Decoder Tool, confirmed that hq.fidelis had been flagged by the attackers as a domain of interest and worth targeting.

“While we are not happy about being targeted by the attackers behind the SolarWinds, FireEye, Microsoft and Malwarebytes attacks, we think this is a good learning opportunity both for our own internal team (i.e., drink your own champagne and practice your incident response plan), as well as the security community on the best practices to apply to an advanced adversary attack,” Kubic said. Kubic said Fidelis’ initial review of the SolarWinds attack also included analysis of Fidelis Network metadata and various system logs using threat indicators provided by the Fidelis Threat Research Team. Fidelis plans to publish best practices for identifying whether an enterprise may be under attack from an adversary like the one behind the SolarWinds attack, as well as the company’s findings, Kubic said.