
FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion
2021-01-19 20:42

Any organizations that used the backdoored SolarWinds network-monitoring software should take another look at their logs for signs of intrusion in light of new guidance and tooling.

In an update and white paper [PDF] released on Tuesday, FireEye warned that the hackers - who intelligence services and computer security outfits have concluded were state-sponsored Russians - had specifically targeted two groups of people: those with access to high-level information, and sysadmins.

The paper gives a detailed rundown of how to search logs and what to look for to determine whether an account has been compromised, complete with step-by-step instructions for cutting off that access and adding protection in future.

As for mitigation measures, FireEye broadly suggests reviewing all sysadmin accounts, in particular to find any "that have been configured or added to a specific service principal," and removing them, then searching for suspicious application credentials and removing those too.

The biz has also released a free tool on GitHub, which it calls the Azure AD Investigator, that will warn organizations if there are signs their networks were compromised via SolarWinds' backdoored Orion software. SolarWinds warned last month that an estimated 18,000 organizations were potentially infected, many of them government departments and Fortune 500 companies.

Since FireEye disclosed the hack a month ago, numerous US government organizations, including the Commerce Department, the Treasury and the Justice Department, have discovered they were compromised through a tampered update of the SolarWinds network-monitoring software.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/19/fireeye_solarwinds_code/

Related vendor (vulnerability counts over the last 12 months)

Vendor      Products  Low  Medium  High  Critical  Total vulns
SolarWinds  56        33   104     80    50        267
FireEye     8         0    8       2     0         10