Where do we go from here?

Like many here, I have been using SolarWinds products for a while now. The recent hysteria seems to have tarnished SolarWinds' reputation. At my company I am seeing an uphill battle to get things turned back on. People are questioning if they can trust SolarWinds, yet they don't seem to have a problem trusting the applications that were supposed to protect us from this sort of attack. As I recall, FireEye discovered this attack after successfully being compromised. So why is SolarWinds currently being banned in my enterprise while everything is being locked down with FireEye?

1 Solution

Many people are panicking, especially if those at the top of the tree are not technical themselves, and therefore are simply following public opinion/loudest voice. 

What you need to do is check the versions you are on against those which were compromised. SolarWinds have provided a list in their security advisory FAQ:

https://www.solarwinds.com/securityadvisory/faq

For your convenience, the table is posted below: 

[Image: table of affected Orion versions from the SolarWinds security advisory FAQ]

If your version is not listed as vulnerable YOU ARE SAFE. This should be fed back to your security team. Upgrading to 2020.2.1 Hotfix 2 is the best option. This is known to be safe, and will also give you all the latest versions.

If you are on any of the versions which are NOT safe, then the first question to ask is:

Q: Are any of my Orion servers open to the internet?

If the answer is NO, then the trojanised DLL will NOT have activated. If YES, then you need to upgrade to 2020.2.1 Hotfix 2 as soon as possible.

If your instance is powered off, you can approach this in another way: 

  1. BACKUP YOUR ORION DATABASE
  2. Build NEW polling engines to replace those which have been powered off.
  3. Download and install the Orion 2020.2.1 with Hotfix 2 offline installer on the server which is to be your new Main Polling Engine.
  4. Run the configuration wizard, pointing to your old Orion database. Depending on what version you were on, this SHOULD upgrade the database schema to the latest version at the same time. A diagonal upgrade, of sorts. Any 2020.x version should support this.
  5. Once you've got your new polling engine(s) up and running, go into Manage Nodes and move your nodes onto the new polling servers.
  6. Once all nodes have been moved, go into Settings>Polling Engines, and hit the 'remove unused poller', which will delete the old ones from the database, tidying it up.


In closing, this ISN'T a SolarWinds issue. It's much, much larger than that. Many others have been hacked, not because of SolarWinds products being used by them. Orion is still THE BEST cross-platform element manager in the business, and will continue to be.

To close, another useful link to send to any concerned parties is the security advisory itself:

https://www.solarwinds.com/securityadvisory

This details the state of play, and is updated when new information is available. If you have any follow-up questions, please respond, or if you'd rather keep it confidential, feel free to PM me and I will do my best to help.

- Jez Marsh

4 Replies


My Orion servers would require proxy authentication to reach the internet. All license and installation activity must be completed offline. My problem is there are tools we use to warn and protect against this type of activity and nothing. Big goose egg. Not even a single email until the issue shows up in the newspaper. It's not just SolarWinds' fault. Many of these tools like FireEye cost many more dollars a year than SolarWinds.

"In closing, this ISN'T a SolarWinds issue. It's much, much larger than that. Many others have been hacked, not because of SolarWinds products being used by them."

I don't think this is an accurate statement.  Orion provided an open door to a threat that took advantage of a lot of customers that trusted them (literally).  The situation was created because SolarWinds products allowed it to (unknowingly or otherwise).  I love Orion dearly but I don't think this is the right attitude to have going into this issue.  This IS a SolarWinds issue....

A very basic Configuration item using SCCM could have alerted on file hash change (if the MSPs were hosted on Windows).

So many simple things that big companies CAN do in the name of security, but most do not for lack of resources, discipline and a proactive security posture.

How in G-ds name did FireEye not catch outbound connections to those nefarious domains?

Simple, simple stuff.

Let's face it - none of us can go to a competitor like LogicMonitor or Kaseya.

So indeed, where do we go... not sure why Bezos hasn't built a solid monitoring platform.

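The file-hash change check the comment above has in mind, written here as an added example (not code from the thread or from SolarWinds) in the shape of an SCCM configuration item discovery script. The Orion install path and the baseline file location are assumptions; point them at your own install.

```powershell
# Added example (not from the thread): a file-integrity check shaped like an
# SCCM configuration item discovery script. It prints "Compliant" when every
# DLL/EXE under $WatchPath matches the stored SHA-256 baseline, otherwise
# "NonCompliant". $WatchPath and $BaselinePath are assumed locations.
param(
    [string]$WatchPath    = 'C:\Program Files (x86)\SolarWinds\Orion',
    [string]$BaselinePath = 'C:\ProgramData\OrionIntegrity\baseline.json',
    [switch]$CreateBaseline
)

function Get-FileHashTable {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe |
        ForEach-Object {
            # Key by path relative to the root so the baseline is portable
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    return $table
}
$current = Get-FileHashTable -Root $WatchPath

if ($CreateBaseline) {
    # Take the baseline once from a known-good install, e.g. straight after a clean upgrade
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written: $($current.Count) files"
    return
}

if (-not (Test-Path $BaselinePath)) { Write-Output 'NonCompliant'; return }

$baseline = @{}
(Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

# A changed hash or a missing file both show up as a mismatch against the baseline
$changed = $baseline.Keys | Where-Object { $current[$_] -ne $baseline[$_] }
$added   = $current.Keys  | Where-Object { -not $baseline.ContainsKey($_) }

if ($changed -or $added) {
    # Details go to the verbose stream so the single compliance value stays on stdout
    $changed | ForEach-Object { Write-Verbose "Hash changed or file missing: $_" }
    $added   | ForEach-Object { Write-Verbose "Unexpected new file: $_" }
    Write-Output 'NonCompliant'
} else {
    Write-Output 'Compliant'
}
```

Run it once with -CreateBaseline on a known-good build, then deploy it as the discovery script of a configuration item whose compliance rule expects the string Compliant; a vendor hotfix legitimately changes the hashes, so re-baseline as part of the upgrade runbook.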