*** SOC ADVISORY *** SolarWinds Orion and FireEye Red Team Tools
Incident Report for CyFlare
Resolved
This incident has been resolved.
Posted Dec 23, 2020 - 14:47 EST
Monitoring
12/18/2020

**SOC ADVISORY**

It is with the utmost surety and sincerity that we have made this incident a top priority, and we would like you to rest assured that CyFlare is taking precautions in the handling of the SolarWinds Orion and FireEye Red Team Tools global intrusion campaign that was made public last week.

In the wake of recent MSSP news regarding a supply chain compromise of the SolarWinds Orion platform by a nation-state actor, and the subsequent targeting of private sector and government organizations by that threat actor, our SOC is diligently comparing each vendor's response against the recommended guidance for eradicating the threat.

Our suppliers' Incident Response teams have begun releasing the following summaries, guidance and recommendations:

- CyFlare Breach Detection Service
https://desk.cyflare.cloud/portal/en/kb/articles/stellarcyber-solarwindsadvisory

- AlienVault
https://desk.cyflare.cloud/portal/en/kb/articles/att-alienvault-advisory

- SentinelOne
https://www.sentinelone.com/blog/fireeye-breached-taking-action-and-staying-protected/

- Sophos
https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/

- Tenable
https://www.tenable.com/blog/solorigate-solarwinds-orion-platform-contained-a-backdoor-since-march-2020-sunburst

In summary, we have diligently reviewed each formal response from the partnering security tool vendors listed above. The SOC has compared the responses against the known Indicators of Compromise that should be monitored as relevant to each tool. Our assessment is that each vendor has either made the appropriate updates to their systems or made updates available to us, which we have implemented and enabled across all clients.

The SOC now has visibility into this activity and will provide notification if it is observed.
If you believe your organization may have been affected prior to this campaign being made public, please contact the SOC so that we can confirm you were unaffected.

We will continue to monitor this critical situation and update our tools and operations accordingly. Your SOC remains fully operational 24x7x365 and is continuously monitoring for any new security threats that may emerge.

Sincerely,

Evren Ince
SOC Team Lead
Posted Dec 18, 2020 - 16:32 EST
This incident affected: Breach Detection Service.