Palo Alto Networks Rapid Response: Navigating the SolarStorm Attack

This post is also available in: 简体中文 (Chinese (Simplified)) 繁體中文 (Chinese (Traditional)) 日本語 (Japanese)

Since learning of the SolarWinds supply chain attack last weekend, security teams everywhere have been scrambling to determine whether they were compromised by the “SolarStorm” attacks. Every few hours a new compromised entity is identified. 

They’re right to pay attention. We will soon be talking about this as one of the most serious cyberattacks in history. Tainted updates to SolarWinds Orion software were distributed for months before they were identified, positioning attackers to obtain administrative privileges and establish long-term network access – potential for a complete compromise of an organization by malicious actors. We must come together to defend against an attack of this magnitude. 

In an effort to help the broader community, I’d like to share our experience successfully preventing a SolarStorm attack. 

Recently, we experienced an attempt to download Cobalt Strike on one of our IT SolarWinds servers. Cortex XDR instantly blocked the attempt with our Behavioral Threat Protection capability and our SOC isolated the server, investigated the incident and secured our infrastructure. We also deployed a set of IOCs to our customer-facing Palo Alto Networks products as a result of this. 

We thought this was an isolated incident, however, on Dec. 13, we became aware that the SolarWinds software supply chain was compromised and it became clear that the incident we prevented was an attempted SolarStorm attack. Given this new information, we analyzed our entire infrastructure extensively one more time. The magnitude of the SolarStorm attack requires us to continuously evaluate our infrastructure, but we remain confident that Palo Alto Networks continues to be secure. 

It is our top priority to protect our customers from these attacks leveraging our experience, industry intelligence, products and services. To help our customers, we have set aside expert resources to support two distinct programs: 

• SolarStorm rapid assessment: This assessment will quickly determine if you have been compromised by this threat actor by leveraging best-in-class capabilities of our Expanse platform together with our Crypsis incident response team. The assessment is complimentary and reflects our commitment to securing our customers.
• SolarStorm cybersecure engagement: Customers who believe they have been impacted can engage directly in a short-term retainer with our incident response team who will help you contain and recover from the attack. During this period, you will also receive licenses for both Cortex XDR and Expanse for two months.

The SolarStorm attack has highlighted again that organizations are defending an ever increasing attack surface against threats that are more and more sophisticated. We’re committed to working with enterprises, governments and others in the security community to help them better understand and defend against this threat.

For more resources to help you navigate the SolarWinds supply chain compromise, visit our Rapid Response resources page.