December 15, 2020

Netsurion’s Customers and Partners,

As you have likely seen in recent news reports, over the weekend SolarWinds discovered a supply chain attack that compromised their Orion business software platform. The specific Orion software builds that were inflicted were versions 2109.4 HF through 2020.2.1 which spanned release timelines between March 2020 and June 2020. The notoriety of this attack is immense; multiple high-profile U.S. government agencies were affected as well as the cybersecurity firm FireEye.

Within this statement, we would like to inform you of three critical, but independent, sets of information:

  1. How does this affect Netsurion’s EventTracker and its product security?
  2. How Netsurion’s EventTracker will ensure you are protected.
  3. Detailed information about the attack and what is recommended as mitigation.

Security of the EventTracker Platform

Netsurion’s EventTracker platform does not use SolarWinds Orion in any of its environments and none of our infrastructure or applications were affected by this attack. Should new information arise that shows potential risk, we will take immediate actions to maintain the integrity of our production and development environments. Also, we have seen no evidence that any of the systems we monitor for our customers, partners, partners’ customers’ were impacted or at risk. We are following the developments of this attack closely and will communicate any potential security risks promptly.

How Netsurion’s EventTracker will Ensure you are Protected

Our security experts have been analyzing the details of the breach as they emerge. We have added the indicators of compromise (IOC) to our Threat Intelligence Platform – EventTracker Threat Center and thereby throughout our offerings. These include alerts via EventTracker EDR, various P-1 alerts including communications with suspect IP addresses, and updates to the EventTracker Intrusion Detection System (ETIDS) rules. All these improvements will result in enhanced alerts and reports which our Security Operations Center (SOC) will continue to leverage to keep you safe.

Detailed Attack Information and Recommendations for Mitigation

Malicious code, known as SUNBURST, was installed within the versions of SolarWinds’ Orion platform listed above. This malware enabled an attacker to gain access to network traffic management systems. Additionally, according to FireEye threat researchers, the malware disguises its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity,. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Additional, in-depth information about the breach can be found at the following FireEye blog.

SolarWinds is recommending that users who have the affected versions of their Orion platform take immediate action to ensure the security of your environment. Details of this recommendations, as well as additional information for security updates, can be found at SolarWinds’ Security Advisory Page.

If you are unable to make the recommended upgrades immediately, please follow the recommended set of guidelines for securing your Orion Platform instance seen here.

Read Our Advisory & Remediation Recommendations

If you have any questions about your risk from this breach, please check your SolarWinds software versions immediately. Additionally, if you have any questions or concerns about your networks, or the security of your end-customer networks, please reach out to our SOC team at SOC@Netsurion.com

Thank You,
Your Netsurion Team