The following information is for any organization that may have been a victim of the SolarWinds Orion breach.
Goverlan Reach was built to facilitate real-time scanning, detection, and remediation. All endpoints can be scanned, both inside and outside of the firewall, to identify Indicators of Compromise (IOCs). These IOCs can then be remediated individually or on multiple endpoints at once. Goverlan’s process automations can be used to run detection and remediation protocols across tens, hundreds or even thousands of endpoints simultaneously.
How can Goverlan help with the SolarWinds Orion Breach?
While the extent of the damage has not been fully determined and may not be for some time, there may already be Indicators of Compromise present on your endpoints. Using Goverlan Reach Process Automation, you may be able to audit, detect and/or remediate certain IOCs:
- Detect and remove strange or unusual registry keys or files such as malicious EXEs or DLLs
- Detect and remove specific running EXEs
- Locate and uninstall out-of-date software installs
- Look for, identify, and remove unusual AD or local account creations
- Scan for, identify, and remove service accounts that may be compromised
All of these actions can be performed individually on a single machine, or run across all endpoints using Goverlan Process Automations, which can automatically remediate any issues found.
What to do next: Use Goverlan Reach for Free
For organizations that are not current Goverlan customers, download the Goverlan Reach free trial and use it to identify IOCs across any number of endpoints, with any number of technicians, free for 15 days.
Goverlan Engineers are available to assist you:
- Existing Goverlan customers, please click here to get support from Goverlan Customer Support Engineers
- To get help using the Free Trial, click here to schedule a 15-minute Technical Session with a Goverlan Engineer
What is the SolarWinds Orion Breach?
Hackers compromised SolarWinds’ main endpoint monitoring and management software by inserting payloads into SolarWinds’ March and June software updates. This supply chain attack effectively provides backdoor access to the infrastructures of SolarWinds customers and thereby compromises all customer systems. The group responsible for this breach is widely believed to be Russian hackers known by the nicknames APT29 or Cozy Bear, who are part of the SVR, Russia’s foreign intelligence service. The same Russian group allegedly hacked the State Department and White House email servers during the Obama administration. The FBI is investigating the hack, which may have started as early as the spring and has affected government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye.
Was FireEye hacked?
FireEye, one of the most highly regarded security companies on the market, went public about being hacked on its blog on Sunday, December 13, 2020. In the post, FireEye said that it had been compromised as a result of the SolarWinds breach and had seen critical data exfiltrated, including its own arsenal of cyber weapons. The FireEye codename for this breach is SUNBURST.