Cisco Event Response: SolarWinds Orion Platform Software Attack


Version 1.2: January 12, 2021

On December 13, 2020, SolarWinds announced it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June 2020.

Due to the exceptional nature of this industry-wide issue, Cisco will provide updates on the investigation process and answers to common questions via this page which serves as the most up-to-date authoritative status. This information is based on Cisco’s investigation to-date, currently available Indicators of Compromise (IOCs), and is subject to change.

Cisco will notify affected organizations directly or through our established communication processes if information is found that requires customer/partner-specific action.

Resources

The following resources provide further detail about this security issue and Cisco’s recommendations for customers.

Cisco Response

Following the SolarWinds cyberattack announcement, Cisco Security immediately began our established incident response processes. We have isolated and removed Orion installations from a small number of Cisco assets. At this time, there is no known impact to Cisco products, services, or to any customer data. We continue to investigate all aspects of this evolving situation with the highest priority.

Common Questions

Q: Is Cisco aware of alleged stolen source code on a website solarleaks[.]net?

Cisco is aware of this website and has no evidence at this time of any theft of intellectual property related to recent events. We are committed to transparency and should we find information our customers need to be aware of, we will share it through our established channels. 

Q: Did Cisco use SolarWinds Orion software?

Yes. While Cisco does not generally use SolarWinds for its enterprise network management or monitoring, we have isolated and removed Orion installations from a small number of Cisco assets. 

Q: Did Cisco use SolarWinds software identified by them as impacted?

Yes. While Cisco does not generally use SolarWinds for its enterprise network management or monitoring, we have isolated and removed the Orion installations from a small number of Cisco assets. 

Q: Has Cisco confirmed no devices are running impacted Orion software builds?

Yes. To date, Cisco has isolated and removed the small number of Orion installations based on the data available.

Q: What remediation actions have you taken or planned?

Cisco has extensive network and endpoint monitoring capabilities. We have used these capabilities to search for the Indicators of Compromise (IOCs) shared by the security community to look for evidence of threat actor activity. Any device suspected of running the compromised software is isolated from the Cisco network for a full investigation and remediation. Cisco has also blocked access to all the published command and control servers.

Q: Has any customer data been exposed as a result of this issue?

There is no evidence at this time to indicate customer data has been exposed as a result of this incident.

Q: What is the impact to Cisco’s business?

At this time, there is no known impact to Cisco products, services, or to any customer data.

Q: Does this issue impact Cisco's ability to deliver services?

No.

Q: Has Cisco's environment been used to attack others?

Cisco has no indications that its systems were used to attack others.

Q: Does Cisco use FireEye products in its network?

No. Cisco does not use FireEye in its production network.

Q: Has Cisco incorporated the latest protections into its products and services?

Yes, at this time, Cisco products and services incorporate the latest protections against these threats. Please see the Cisco Talos threat intelligence for the latest information:
https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
https://blog.talosintelligence.com/2020/12/fireeye-breach-guidance.html

Q: Is the SolarWinds impacted software present in the Cisco environment?

At this time, all identified devices have been isolated based on the data available.

Q: How does Cisco protect its environment from potentially impacted Orion software?

Cisco has extensive network and endpoint monitoring capabilities. We have used these capabilities to search for the Indicators of Compromise (IOCs) shared by the security community to look for evidence of threat actor activity. Any device suspected of running the compromised software is isolated from the Cisco network for a full investigation and remediation. Cisco has also blocked access to all the published command and control servers.

Q: How is sensitive customer information protected by Cisco?

Information shared by customers with Cisco is considered highly confidential and Cisco requires storage on approved endpoints or approved shared storage tools. Cisco requires disk encryption and encrypted enterprise backup as well as various other technical and organizational measures designed to protect data against accidental/unauthorized loss, destruction, or access.

Q: If the vulnerability is present, have you shut down vulnerable systems until the patch is available?

Any system identified as suspicious is isolated from the Cisco network until full investigation and remediation completes. Cisco has also blocked access to all the published command and control servers.

Q: How does Cisco protect the integrity of its software development environment?

At Cisco, security is a top priority, and specific initiatives to protect Cisco, our products, and our customers include:

  • The Cisco Secure Development Lifecycle - This process arms our developers with tools as well as technology and processes that are grounded in securely building, storing, and signing code from creation/collection all the way to destruction.
  • Enterprise Monitoring - We monitor across our enterprise for intrusions and take a broad range of steps to both prevent and detect adversarial activity within our organization.
  • Threat Intelligence - We are very active in threat intelligence organizations. We share and receive actionable information with the broader security community to help increase our awareness and protect the global Internet.
  • Value Chain Security - We have a robust Value Chain Security program that governs our risk of third parties we do business with and obligate them to meet our standards.

Q: Is Cisco’s manufacturing supply chain affected by this issue?

Cisco’s manufacturing supply chain is comprised of third-party manufacturers’ business networks that are monitored by Cisco. Cisco’s manufacturing supply chain IT networks have shown no evidence of compromise. If Cisco third party manufacturers have IT networks not associated with Cisco’s business, Cisco does not have visibility to those networks.

Q: When will Cisco receive impact assessments for its vendors/suppliers?

Cisco is actively engaging with vendors to assess any potential impacts to their business.

Q: What is Cisco's response to the Volexity research post on December 14 describing an attack involving SolarWinds that bypasses Duo MFA to access email accounts?

This bypass technique is not due to a vulnerability in the Duo product, rather, it is a potential consequence that can occur if Duo integration credentials are exposed to attackers. Similar to other highly privileged APIs such as those used for cloud infrastructure management, HR platforms, or software build systems, the credentials used for Duo integrations must be securely handled and stored for the security properties of the Duo integration to be maintained. For information on how to reset the credentials for a Duo-protected app, please see https://help.duo.com/s/article/2306. For more general information on what Duo application credentials are and how to protect them, please see https://help.duo.com/s/article/application-credentials.

Product Support

Please note that Cisco is receiving a high volume of information requests, and we are actively updating this page with our latest information. Due to high-demand and the ongoing nature of this investigation, we may be unable to provide individual responses beyond the information provided on the page.

Cisco customers or partners with questions related to Cisco products are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

 


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.


Back to Top