As organizations continue to recover from the SolarWinds supply-chain attack, which exposed up to 18,000 of the roughly 33,000 customers of its Orion platform, US authorities are looking for ways to help. Following tooling from Microsoft for the Solorigate intrusion, the US Cybersecurity and Infrastructure Security Agency (CISA) has released its own tool.
The command-line tool lets organizations scan on-premises Windows systems for indicators of compromise associated with the Solorigate activity, including evidence that the SolarWinds Orion application on the host was exploited. Called the CISA Hunt and Incident Response Program (CHIRP), the tool is available now:
“CHIRP scans for signs of APT compromise within an on-premises environment,” CISA says in the alert.
Underpinning CHIRP is a set of checks for evidence of exploitation of the SolarWinds Orion platform, a network monitoring product used by tens of thousands of organizations. The backdoor inserted into a signed Orion software update is what set off the Solorigate crisis.
CHIRP complements Sparrow, the PowerShell script CISA released in December to detect Solorigate activity in Azure and Microsoft 365 tenants. Where Sparrow looks at the cloud side, CHIRP works on the host: it examines Windows event logs, the Windows Registry and network artifacts, and applies YARA rules to files on disk.
CISA advises organizations to use CHIRP to:
- “Examine Windows event logs for artifacts associated with this activity;
- Examine Windows Registry for evidence of intrusion;
- Query Windows network artifacts; and
- Apply YARA rules to detect malware, backdoors, or implants.
Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP's release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).”
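The four evidence categories above map onto checks an analyst can also run by hand when the packaged tool cannot be deployed. The script below is an added example written for this page, not CHIRP's own code or CISA's indicators: the event IDs, registry keys, output directory and YARA binary/rule paths are assumptions chosen for illustration, and you would substitute the IOCs and YARA rules from CISA's advisories. Run it from an elevated PowerShell prompt on the host under review.

```powershell
# Added example, not part of CHIRP. Collects the same four categories of
# host evidence CISA lists (event logs, registry, network, YARA) into CSV/text
# files for review. Event IDs, registry paths and tool paths are assumptions.
param(
    [string]$OutDir    = "$env:SystemDrive\triage\$env:COMPUTERNAME",
    [string]$YaraExe   = "C:\tools\yara64.exe",          # assumed location of the YARA CLI
    [string]$YaraRules = "C:\tools\rules\solorigate.yar", # assumed path to rules you trust
    [int]$Days = 90                                       # look-back window for event logs
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddDays(-$Days)

# 1. Windows event logs: account activity worth a second look within the window.
#    4624 logon, 4648 logon with explicit credentials, 4672 special privileges assigned.
$secFilter = @{ LogName = 'Security'; Id = 4624, 4648, 4672; StartTime = $since }
Get-WinEvent -FilterHashtable $secFilter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName, Message |
    Export-Csv -Path (Join-Path $OutDir 'security-events.csv') -NoTypeInformation
#    7045 in the System log records a newly installed service (common persistence).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -Path (Join-Path $OutDir 'new-services.csv') -NoTypeInformation

# 2. Registry: enumerate installed SolarWinds products and versions from the
#    standard Uninstall keys so the Orion version can be compared with the vendor advisory.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$solarwinds = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*' }
$solarwinds |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation |
    Export-Csv -Path (Join-Path $OutDir 'solarwinds-installs.csv') -NoTypeInformation

# 3. Network artifacts: established TCP connections with owning process, plus the DNS cache.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress;  LocalPort  = $_.LocalPort
            RemoteAddress = $_.RemoteAddress; RemotePort = $_.RemotePort
            Pid = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    } | Export-Csv -Path (Join-Path $OutDir 'tcp-connections.csv') -NoTypeInformation
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Export-Csv -Path (Join-Path $OutDir 'dns-cache.csv') -NoTypeInformation

# 4. YARA: recursively scan each SolarWinds install directory with the supplied rules.
if ((Test-Path $YaraExe) -and (Test-Path $YaraRules)) {
    $targets = $solarwinds |
        Where-Object { $_.InstallLocation } |
        Select-Object -ExpandProperty InstallLocation -Unique
    foreach ($t in $targets) {
        & $YaraExe -r $YaraRules $t 2>&1 | Out-File -Append (Join-Path $OutDir 'yara-hits.txt')
    }
}
Write-Host "Triage artifacts written to $OutDir. Confirm any hit before acting; image the host if confirmed."
```

The output is collection, not verdict: as CISA's note says, treat every hit as something to review and confirm, and once a hit is confirmed, take a forensic image before doing anything that alters the host.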
Ongoing Exploit
The trojanized Orion update reached up to 18,000 organizations, including government agencies. In December, the Cybersecurity and Infrastructure Security Agency (CISA) debuted Sparrow, a PowerShell tool to help Microsoft 365 customers detect Solorigate activity in their tenants. Microsoft had by then confirmed that forged authentication tokens and stolen credentials were used to reach Azure and Microsoft 365 resources as part of the intrusion.