Today we are releasing two new automated Denied Lists in order to provide protection from the high profile SolarWinds Orion software attacks. These two new Denied Lists are available immediately and can be found via the ThreatBlockr management portal:
- “SolarWinds Compromised Domains”
- “SolarWinds Compromised IPs”
Like all of our threat intelligence data, these lists will be automatically updated with the most current threat indicators as they are released.
*Please Note: By default, these lists will not be enabled. You can enable them via the management portal using the Denied List menu option, and selecting the “Enabled” radio button as seen below.
ThreatBlockr STRONGLY recommends that these lists be enabled ASAP.
The release of these two new automated Denied Lists shows the power of our platform – Smart, Simple, Scalable and Everywhere.
Smart – ThreatBlockr uses best-in-class threat intelligence to secure your networks, data and users in real-time.
Simple – We deliver automated threat intelligence that is immediately actionable and accessed from anywhere.
Scalable – Our platform blocks attacks from up to 150M malicious IPs and domains, including those associated with this most recent attack, in real-time with no latency.
Everywhere – We protect users wherever they are – on-prem, in the cloud, remote, or all of the above.
Details on the SolarWinds Supply Chain Attack
On Dec 13, 2020, SolarWinds, an IT company that creates software for network management, announced that they were investigating an incident that appeared to have been the product of a highly-sophisticated, targeted and manual supply chain attack by a nation-state. SolarWinds announced that they were working with the FBI and had concluded that the attack leveraged a vulnerability in their Orion software product. The vulnerability, which existed until the March-June 2020 timeframe, allowed cyber criminals to launch a supply-chain based attack in which the adversary leveraged the software’s update mechanism. The SolarWinds attack has been linked to the Treasury Department, Commerce Department, and FireEye compromises at this time.
Information is being released continuously by those investigating incidents across the thousands of organizations that use SolarWinds, including governments, militaries, and commercial entities around the world.
According to Pat McGarry, CTO at ThreatBlockr, “It is NOT shocking that ‘household IT & security’ names like SolarWinds and FireEye got hacked like this. It is really easy for organizations of any type to be hacked by any reasonably competent and well-funded actor, especially those with nation-state backed training. Much of this started with Snowden’s theft of critical tools, techniques and procedures and the dissemination of those throughout the world to a variety of nefarious entities. The bottom line is that “we” here in the US are no longer the only folks with high-caliber offensive hacking capability at the nation-state level. And this recent breach is another clear indicator of that. Unlike many other recent breaches, this particular one was … extremely well planned and executed, and absolutely used some techniques that were never seen previously. What does that mean? It means that threat actors are evolving beyond the “Snowden leaks”. That’s not good.”
After recon and identification of a vulnerability, persistent threat actors will “embed” themselves into the compromised system, thereby creating accounts for themselves and covering their tracks. According to Pat McGarry, “This generally happens by attaching to a command and control network, and, you guessed it, that happens by going to a malicious set of domains, URLs, and eventually, that means … IP addresses.”
Our enemies attack when we are most vulnerable. We must be vigilant in protecting from those who wish to do us harm. ThreatBlockr is committed to helping our customers do just that – make blocking threats smart and simple, at scale – everywhere.
If you are a current customer and have any questions, feel free to reach out to our customer support team at firstname.lastname@example.org
If you’d like to learn more about ThreatBlockr’s platform, go to www.threatblockr.com
If you’d like to get started with ThreatBlockr’s platform today, contact email@example.com