
Solarwinds fireeye

SolarWinds Orion is just an initial infection vector. You have to assume that anything in the networks containing infrastructure it's used on has been compromised, and work forwards from that mindset. Once they gain any semblance of control they can move forwards from there and use other methods to compromise your infrastructure, be it zero days, or attacks via exploits in outdated software or operating systems. Secure Boot will help under these circumstances, but there's no way to be 100% sure that any machine is clean unless you've rebuilt it from scratch.

You're probably going to want this handy to present to any leadership:

Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available.

a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
b. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

After (and only after) all threat actor-controlled accounts and identified persistence mechanisms have been removed:

a. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
b. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
c. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
d. Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a 3rd party with experience eradicating APTs from enterprise networks.

For Windows environments, refer to the following:

- See Microsoft's documentation on kerberoasting.
- Require use of long and complex passwords (greater than 25 characters) for service principal accounts and implement a good rotation policy for these passwords.
- Replace the user account by Group Managed Service Account (gMSA).
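As an added example (not part of the original post, nor of the CISA text it quotes), the PowerShell below carries out the Windows-side Kerberoasting remediation the directive asks for: it enumerates the user accounts that are actually roastable (enabled user objects carrying an SPN), flags the ones whose password is stale, never expires or can still be issued RC4 tickets, rotates a flagged account to a random 32-character password, and creates the gMSA that should replace it. It assumes the RSAT ActiveDirectory module and Domain Admin-equivalent rights; the 90-day age threshold, the account, group and host names (`svc-orion-gmsa`, `OrionServers$`, `orion.corp.example`) and the SPN are placeholders, not values from the page.

```powershell
# Added example; not from the original post or from the CISA directive.
# Assumes the RSAT ActiveDirectory module and rights to reset passwords / create gMSAs.
Import-Module ActiveDirectory

$maxAgeDays = 90      # assumed rotation policy; the directive only says "a good rotation policy"
$minLength  = 25      # from the guidance: service principal passwords > 25 characters

# 1. Kerberoastable accounts: enabled *user* objects with an SPN. Any domain user can request
#    a TGS for these and crack it offline against the account password. Computer accounts and
#    gMSAs are not returned by Get-ADUser, and krbtgt is excluded explicitly.
$roastable = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
                'msDS-SupportedEncryptionTypes', AdminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

$now = Get-Date
$report = foreach ($u in $roastable) {
    # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256.
    # Null/0 means the KDC will happily issue RC4 tickets, which crack far faster than AES.
    $aes    = (($u.'msDS-SupportedEncryptionTypes' -band 0x18) -ne 0)
    $ageDay = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
    $stale  = (-not $u.PasswordLastSet) -or ($ageDay -gt $maxAgeDays) -or $u.PasswordNeverExpires
    [pscustomobject]@{
        Account         = $u.SamAccountName
        SPNs            = ($u.ServicePrincipalName -join '; ')
        PasswordAgeDays = $ageDay
        NeverExpires    = $u.PasswordNeverExpires
        AesOnly         = $aes
        Privileged      = ($u.AdminCount -eq 1)
        Action          = if ($stale -or -not $aes) { "Rotate now (>$minLength chars), then migrate to gMSA" }
                          else                      { 'Migrate to gMSA' }
    }
}
$report | Sort-Object Privileged -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\kerberoastable-accounts.csv

# 2. Rotate a flagged account to a random password of at least $minLength characters.
#    Whatever consumes the old password (service config, scheduled task, connection string)
#    must be updated in the same change window or the service breaks.
function Reset-ServiceAccountPassword {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Length = 32)
    if ($Length -le $minLength) { throw "Length must exceed $minLength" }
    $chars = [char[]](33..126)                        # 94 printable ASCII characters
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $plain = ''
    while ($plain.Length -lt $Length) {
        $b = New-Object byte[] 1
        $rng.GetBytes($b)
        if ($b[0] -lt 188) { $plain += $chars[$b[0] % 94] }   # reject >= 2*94 to avoid modulo bias
    }
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Close the RC4 gap and the "never expires" gap at the same time.
    Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false -KerberosEncryptionType AES128,AES256
    return $secure    # hand this only to the secrets store that feeds the service
}

# 3. Replace the user account with a gMSA so the password becomes a 240-byte, auto-rotated
#    secret no human ever sees. Requires a KDS root key in the forest, created once with
#    Add-KdsRootKey -EffectiveImmediately (allow ~10 h for replication on a multi-DC forest).
#    All names below are placeholders.
New-ADServiceAccount -Name 'svc-orion-gmsa' -DNSHostName 'svc-orion-gmsa.corp.example' `
    -ServicePrincipalNames 'HTTP/orion.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'OrionServers$' `
    -KerberosEncryptionType AES128,AES256
# On each host in the OrionServers group (after a reboot so its token carries the new group):
#   Install-ADServiceAccount -Identity 'svc-orion-gmsa'
#   Test-ADServiceAccount   -Identity 'svc-orion-gmsa'   # True once the host can pull the password
# Then run the service as 'CORP\svc-orion-gmsa$' with an empty password and disable the old user.
```

The report is the piece to keep: an account that is both privileged (AdminCount = 1) and RC4-capable is the one an attacker with a foothold from Orion roasts first, so it is the one to rotate before anything else. Moving to a gMSA also requires the Orion host to be rebuilt first, in line with the directive's ordering; installing a gMSA onto a host you still consider compromised just hands the attacker a fresh credential.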