CISA Eviction Guide for SolarWinds, Microsoft O365 Compromises

May 17, 2021 - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released eviction guidance for system compromises caused by the supply-chain attack on SolarWinds and subsequent exploits of Microsoft Active Directory or Office365.

The insights are designed to support victim organizations in evicting the threat actors from exploited on-prem and cloud environments.

As CISA previously warned, the global supply-chain attack on SolarWinds in mid-2020 led to a trojanized software update and further exploits and espionage. Once inside the network, the attackers bypassed multi-factor authentication and moved laterally to Microsoft Cloud systems via compromised federated identity solutions.

The attack resulted in threat actors gaining access to a range of public and private entities, including nine federal agencies. 

The agency first began notifying all sectors of the attack in December 2020, later attributing the threat activity to the Russian Foreign Intelligence Service. At the time, officials warned that the impact and eradication of the threat would be ongoing for the foreseeable future.

The guidance is designed for entities that either used the affected SolarWinds Orion tech and those that have evidence of follow-on threat actor activity. Impacted entities should review the document for specific instructions on best practice remediation and triage measures.

CISA explained that while the guide is directed at federal agencies, private sector entities should review the insights and apply mitigation measures, where appropriate.

Before using the guidance, administrators should investigate their networks to confirm they’ve observed related threat actor tactics and techniques.

“The steps provided in this guidance are resource-intensive and highly complex and will require the enterprise network to be disconnected from the internet for three to five days,” officials explained. 

“In order to have fully informed senior-level support, CISA recommends that agency senior leadership conduct planning sessions throughout this process to understand the resources needed and any potential disruption in business operations,” they added.

Despite the downtime, entities will bolster and build resilient networks by taking the steps outlined in the guide. Officials explained that the remediation plans will differ by organization, and administrators will need to fully outline a plan before taking the necessary steps.

The guide breaks down the plan into three phases: pre-eviction, eviction, and post-eviction. These steps outline the needed actions for detecting and identifying advanced persistent threat activity, preparing the network for eviction, remoting the threat actor from on-prem and cloud environments, and ensuring the eviction steps were successful.

CISA warned that each phase and related steps are necessary to completely eradicate the adversary from the network.

As such, failing to perform the comprehensive remediation measures will leave the enterprise networks and cloud environments vulnerable to “substantial risk for long-term undetected APT activity, and compromised organizations will risk further loss of sensitive data and erosion of public trust in their networks.”

“Although this guidance provides a level of detail that describes actions to be completed, it does not describe how these actions should be completed,” officials explained. “To successfully evict the threat actor, these actions need to be conducted in the order specified. Additionally, this guidance clearly notes caveats and provides references to help agencies develop their plan.”

The guidance also includes a list of frequently asked questions that detail estimated timeframes and offline measures.

As the healthcare sector continues to be a prime target for ransomware hacking groups and other cybercriminals, reviewing these measures and recommendations for bolstering the network will be crucial for entities working to improve network defenses.

Network administrators should also review previously provided guidance and tools provided by CISA to support the overall response to SolarWinds. Federal researchers have also shared insights on malware variants that have been tied to SolarWinds and other vulnerabilities.