On December 13, 2020, the Department of Homeland Security announced that malicious actors were actively exploiting SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. As there was no mitigation, the DHS advised government agencies to disconnect systems operating the affected versions. This sent shockwaves through the industry, as numerous entities such as FireEye, Microsoft, Mimecast, the Department of Commerce, and the Department of Justice disclosed they were breached.
Since the breach, SolarWinds has urged customers to upgrade to Orion 2020.2.4. The SUNBURST attack referred to specific versions of 2019.4 and 2020.2.2 that contained backdoor code that was actively compromised. Another malware, named SUPERNOVA, impacted a wider set of Orion versions. Security Advisory | SolarWinds
Upon disclosure of the SolarWinds breach, RiskRecon immediately focused its open-source intelligence analytics engines on helping its customers and the larger community to identify potentially breached companies. Since December 13, 2020, RiskRecon has monitored SolarWinds' exposure, providing a valuable view into how companies have responded to the incident.
One objective RiskRecon view into the SolarWinds Orion response is the number of organizations running SolarWinds Orion on the Internet and the version they are operating. Through this view taken on December 13 and again on February 1, RiskRecon can see the change in the number of companies operating Orion on the Internet and, for those still doing so, if they patched the software as urged by SolarWinds.
Number of Entities Running SolarWinds Directly on the Internet
In the 50 days since the disclosure of the SolarWinds Orion breach, the number of entities operating any version of Orion directly on the Internet has decreased by 25%. On December 13, 2020, RiskRecon observed 1,785 organizations exposing SolarWinds Orion to the Internet, about 5% of all Orion customers. By February 1, 2021, the number of companies doing so decreased to 1,330.
Over the same timeframe, vendors of RiskRecon customers have decreased their operation of SolarWinds Orion on the Internet by 52%. On December 13, 2020, RiskRecon observed 209 vendors of RiskRecon third-party risk management customers operating Orion on the Internet. By February 1, 2021, the number of companies doing so decreased by 52%.
The 2x greater decrease of operation of Orion on the Internet by vendors of RiskRecon customers is a testament to the power of third-party risk management teams leveraging data to address risk in their supply chain. Almost without exception, RiskRecon customers contacted their vendors that RiskRecon identified as running SolarWinds on the Internet and encouraged them to address the issue.
Check back soon for our next post which will examine how many organizations are continuing to run SolarWinds Orion without applying the recommended security fixes. The number may shock you!
