Fallout from the SolarWinds Attack and the Webroot Response

  • 16 February 2021
  • 1 reply

By now visitors to the Webroot Community will certainly have heard about the SolarWinds attack at the end of last year. From the earliest news, it was clear that this was no ordinary cyberattack, both because of who was targeted and how the attack was carried out.

While many details remain unknown, we know that SolarWinds, a vendor of IT management software, was the subject of a cyberattack that spread to its customers and went undetected for months. The attackers were able to Trojanize an update to SolarWinds' Orion platform, giving them a foothold on every machine that installed the poisoned update and allowing them to collect data from those machines.

The Cybersecurity and Infrastructure Security Agency (CISA) issued its first public response to the attack, an emergency directive, on December 13, 2020. The attack is widely believed to be state sponsored, but many of the specifics have yet to be confirmed.

We post this not to sling mud at anyone in our industry, but because supply chain attacks like this one will certainly be replicated and we owe it to our customers and partners to advise on this important issue to the best of our ability. Any number of IT security vendors could have been the target of these attacks and more certainly will be in the future.

Webroot MSP partners and end users should know that Webroot BrightCloud®️ Threat Intelligence had already associated an IP address used in the attack with a botnet in the summer of 2020. A properly configured security tool consuming our threat intelligence feed would have blocked communication with that command and control server. We also ensured that the publicly reported indicators of compromise (IOCs), including URLs, IP addresses and file hashes, were marked as threats in our databases within 24 hours of their being shared with the broader security community.

Those interested in our threat intelligence response to the attack via the Webroot®️ Platform can find more information here.

Our threat analysts will continue to track newly revealed information about the attack campaign and we will be posting advice for containing the associated fallout in a series of posts both here and on our blog.

Until then, we advise the following for both our MSP and small business customers:

  • Use security technology that includes threat intelligence for URLs, IP addresses and files as part of a layered cybersecurity approach. This type of threat intelligence is most often consumed by network and security devices such as firewalls, SIEMs, threat intelligence platforms (TIPs) and similar tools.
  • Review your policies against best practices, and make sure your devices are configured to block objects that real-time intelligence rates as high-risk or suspicious, not just the ones it rates as outright malicious.
  • Consider adding DNS Protection to your technology stack. Resolving queries through a filtering resolver stops a host from ever connecting to the domains behind malicious IP addresses and URLs that are frequently used in attacks, and it catches sub-domains of a known bad domain that a plain IP or URL list would miss.
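The three recommendations above describe one mechanism: match what an endpoint does (DNS lookups, outbound connections, file executions) against a feed of IOCs and block on policy. The following is an added example of that matching logic, written for this page and not Webroot's or BrightCloud's code. The feed entries, verdict labels, log-line format and the hash value are all constructed for illustration (the IPs are from the RFC 5737 documentation ranges and the domains use the reserved `.invalid` TLD); none of them are real SolarWinds indicators. It goes slightly beyond the text in that it walks a queried name up through its parent domains, which is how a DNS filter catches `update.c2.example.invalid` when only `c2.example.invalid` is listed.

```python
"""IOC matching over constructed sample events (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed feed: indicator_type,value,verdict. Real feeds carry more context
# (first-seen date, confidence, campaign); these values are illustrative only.
CONSTRUCTED_HASH = "0123456789abcdef" * 4  # 64 hex chars, not a real sample
FEED_LINES = f"""
# type,value,verdict
ip,203.0.113.7,high_risk
cidr,198.51.100.0/24,suspicious
domain,c2.example.invalid,high_risk
sha256,{CONSTRUCTED_HASH},high_risk
"""

# Constructed endpoint events in a simple 'kind key=value' format.
SAMPLE_EVENTS = [
    "dns query=update.c2.example.invalid",   # sub-domain of a listed C2 domain
    "dns query=login.example.invalid",       # benign lookup, not listed
    "conn dst=203.0.113.7:443",              # exact IP hit
    "conn dst=198.51.100.23:8080",           # inside a suspicious CIDR
    f"exec sha256={CONSTRUCTED_HASH.upper()}",  # hash case should not matter
]

VERDICT_RANK = {"suspicious": 1, "high_risk": 2}


@dataclass
class Feed:
    ips: dict = field(default_factory=dict)       # ip_address -> verdict
    networks: list = field(default_factory=list)  # (ip_network, verdict)
    domains: dict = field(default_factory=dict)   # normalized domain -> verdict
    hashes: dict = field(default_factory=dict)    # lowercase sha256 -> verdict


def normalize_domain(name: str) -> str:
    """Lowercase and strip the trailing dot so 'C2.Example.Invalid.' matches."""
    return name.strip().lower().rstrip(".")


def parse_feed(text: str) -> Feed:
    feed = Feed()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value, verdict = (part.strip() for part in line.split(","))
        if verdict not in VERDICT_RANK:
            raise ValueError(f"unknown verdict {verdict!r}")
        if kind == "ip":
            feed.ips[ipaddress.ip_address(value)] = verdict
        elif kind == "cidr":
            feed.networks.append((ipaddress.ip_network(value, strict=False), verdict))
        elif kind == "domain":
            feed.domains[normalize_domain(value)] = verdict
        elif kind == "sha256":
            feed.hashes[value.lower()] = verdict
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
    return feed


def lookup_ip(feed: Feed, ip_str: str):
    ip = ipaddress.ip_address(ip_str)
    if ip in feed.ips:
        return feed.ips[ip]
    for net, verdict in feed.networks:  # exact hits win over CIDR hits
        if ip in net:
            return verdict
    return None


def lookup_domain(feed: Feed, name: str):
    """Check the name and then each parent, as a DNS filter would."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels)):
        verdict = feed.domains.get(".".join(labels[i:]))
        if verdict is not None:
            return verdict
    return None


def lookup_hash(feed: Feed, digest: str):
    return feed.hashes.get(digest.strip().lower())


def decide(verdict, block_suspicious: bool = True) -> str:
    """Policy: always block high_risk; block suspicious only if configured to."""
    if verdict is None:
        return "allow"
    threshold = 1 if block_suspicious else 2
    return "block" if VERDICT_RANK[verdict] >= threshold else "allow"


def evaluate_event(feed: Feed, line: str, block_suspicious: bool = True):
    """Return (decision, verdict) for one constructed 'kind key=value' line."""
    kind, _, kv = line.strip().partition(" ")
    _, _, value = kv.partition("=")
    if kind == "dns":
        verdict = lookup_domain(feed, value)
    elif kind == "conn":
        host, _, _port = value.rpartition(":")  # IPv4 'host:port' only here
        verdict = lookup_ip(feed, host)
    elif kind == "exec":
        verdict = lookup_hash(feed, value)
    else:
        raise ValueError(f"unknown event kind {kind!r}")
    return decide(verdict, block_suspicious), verdict


def run_sample(block_suspicious: bool = True):
    feed = parse_feed(FEED_LINES)
    return [(ev, *evaluate_event(feed, ev, block_suspicious)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, decision, verdict in run_sample():
        print(f"{decision:5}  {verdict or '-':10}  {event}")
```

Run with `block_suspicious=False` and the connection into the suspicious CIDR is allowed while everything rated high-risk is still blocked; that single flag is the difference the second recommendation above is pointing at.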

We will be expanding on each of these recommendations in the coming days, so stay tuned.

1 reply


So if the client machine had been running Webroot endpoint protection and Webroot DNS, would the command and control contact have been blocked last summer?