SolarWinds Deploys CrowdStrike To Secure Systems After Hack

SolarWinds says its breached Orion network monitoring platform now meets the security requirements of U.S. federal and state agencies following the release of a final hotfix Tuesday night.

SolarWinds rolled out CrowdStrike’s Falcon Endpoint Protection across the endpoints on its systems to ensure that its internal systems are secure following the massive cyberattack.

The Austin, Texas-based IT infrastructure management vendor said that the hotfix updates released in recent days should, when implemented, close the backdoor on vulnerable SolarWinds Orion network monitoring products. SolarWinds said it has retained third-party cybersecurity experts to help the company secure its systems following the attacks against FireEye and the U.S. government via Orion.

“Our top priority has been to take all steps necessary to ensure that our and our customers’ environments are secure,” SolarWinds wrote in a filing late Thursday with the U.S. Securities and Exchange Commission (SEC). “We are taking extraordinary measures to accomplish this goal.”

[Related: Feds: SolarWinds Attack ‘Poses a Grave Risk’ To Government, Business]

SolarWinds’ stock is down $5.96 (25.3 percent) to $17.60 per share since it was revealed Sunday that malicious Orion updates served as the initial attack vector in crippling attacks against federal agencies. CrowdStrike didn’t immediately respond to a CRN request for comment.

The vulnerability wasn’t evidence in the Orion products’ source code but appears to have been inserted during the Orion software build process, SolarWinds disclosed Thursday. SolarWinds said it’s still investigating its non-Orion products, but to date hasn’t seen any evidence that they’re impacted by the backdoor attack believed to be carried out by the Russian intelligence service, or APT29.

SolarWinds said its Orion Platform now meets the security requirements of U.S. federal and state agencies following the release of a final hotfix Tuesday night. The company is providing direct support to those customers and will help them complete those upgrades quickly, SolarWinds said.

“We are providing our customers, experts and others in the IT and security industries detailed information regarding the incident to aid with identifying indicators of compromise and steps they can take to further harden their systems against unauthorized incursion,” SolarWinds said.

However, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to wait until further guidance is provided before using any forthcoming patches to reinstall SolarWinds Orion software in their enterprise. The restoration process won’t begin until all threat actor-controlled accounts and identified persistence mechanisms have been removed from Orion, CISA directed.

Once that happens, CISA said in its Emergency Directive that federal agencies should treat all hosts monitored by SolarWinds Orion as compromised by threat actors and assume that further persistence mechanisms have been deployed. Credentials used by or stored in SolarWinds software should also be reset since CISA considers them to be compromised.

SolarWinds said CEO Kevin Thompson was advised Saturday by a FireEye executive of the Orion backdoor, and soon discovered it had been the victim of a cyberattack that impact both Orion tools as well as its internal systems. Immediately after the call, SolarWinds said it mobilized its incident response team and quickly shifted significant internal resources to investigate and remediate the backdoor.

“We have reached out and spoken to thousands of customers and partners in the past few days, and we will continue to be in constant communications with our customers and partners to provide timely information, answer questions and assist with upgrades,” SolarWinds said.

Additionally, SolarWinds said that all sales of its stock by executive officers in November were made under a pre-established trading plan and were not discretionary sales. SolarWinds majority owners Silver Lake and Thoma Bravo have been in hot water this week for selling $286 million of stock Dec. 7, just two days before the company announced a new CEO and six days before disclosing the cyberattack.

“We are committed to being deliberate as we take this on,” SolarWinds said. “At the same time, of course, we know that we are the subject of scrutiny and speculation.”