On January 13, 2021, the Market Participants Division (MPD) of the CFTC emailed registrants about an alert issued by the DHS Cybersecurity and Infrastructure Security Agency (CISA). In that alert, CISA described post-compromise activity related to the SolarWinds breach.
More specifically, the alert noted that the threat actors were able to compromise some Microsoft Azure and/or Office 365 environments after gaining a foothold through the initial SolarWinds infection vector.
In its email, the MPD told market participants to run one of the following three tools to check their Azure and Office 365 environments for indicators of this activity:
- Sparrow: https://github.com/cisagov/Sparrow
- Hawk: https://github.com/T0pCyber/hawk
- CrowdStrike's Reporting Tool for Azure (CRT): https://github.com/CrowdStrike/CRT
Any market participant that identifies a compromise was asked by the MPD to contact the division directly by phone. The MPD is requesting to be contacted before close of business on January 18, 2021 if you have reason to believe your firm has been compromised.
What should you do if you are using Microsoft Azure and/or Office 365?
- If you are CFTC registered and your firm has determined that SolarWinds products were in use, run one of these tools and check whether you were compromised.
  - If you were compromised, call the numbers provided in the email you received (or should have received) from the CFTC. If you need those numbers, feel free to reach out to us.
- If you are CFTC registered but do not use any SolarWinds products, consider running one of the tools anyway. It may not be strictly necessary, but the check is inexpensive and gives you peace of mind.
- If you are not CFTC registered and your firm has determined that SolarWinds products were in use, run one of these tools to check whether you were compromised.
  - If you were compromised, work with your IT team to address the issue, and/or call us for assistance.
- If you are not CFTC registered and there is no SolarWinds use in your environment, consider running a tool anyway to get a baseline view of your environment.
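As an added example (not part of the CFTC email and not code from the Sparrow, Hawk or CRT projects), the session below shows how a responder would stage the three tools from an administrative PowerShell prompt, run them against a tenant, and make a first pass over the CSV output. The working folder, output paths and the parameter names `-ExportDir` and `-WorkingDirectory` are assumptions from memory of the tools' README files; confirm them against the current repositories before running, and use an account with at least Global Reader rights on the tenant.

```powershell
# Added example; not from the CFTC email or the tool authors.
# Assumes: Windows PowerShell 5.1 or later, git on PATH, PowerShell Gallery
# reachable, and an Azure AD account with Global Reader (or Global Admin)
# rights for the tenant being checked.
# Parameter names (-ExportDir, -WorkingDirectory) are recalled from the
# projects' README files and should be verified before use.

# Allow the downloaded scripts to run in this process only (no machine-wide change).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Modules the tools use to talk to Azure AD and Exchange Online.
Install-Module -Name AzureAD                  -Scope CurrentUser -Force
Install-Module -Name MSOnline                 -Scope CurrentUser -Force
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force

# Working folder for tool checkouts and output (assumed path).
$work = 'C:\IR\o365-check'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Fetch the two script-based tools; Hawk is published as a Gallery module.
git clone https://github.com/cisagov/Sparrow
git clone https://github.com/CrowdStrike/CRT
Install-Module -Name HAWK -Scope CurrentUser -Force

# --- Sparrow (CISA): CSV exports of tenant activity tied to the alert -----
# You will be prompted to sign in to the tenant interactively.
& "$work\Sparrow\Sparrow.ps1" -ExportDir "$work\sparrow-out"

# --- Hawk: tenant-wide investigation, followed by a per-user drill-down ---
Start-HawkTenantInvestigation
# Replace with a real user of interest once the tenant pass points at one.
Start-HawkUserInvestigation -UserPrincipalName 'alice@example.com'

# --- CRT (CrowdStrike): Azure AD / Exchange configuration report ----------
& "$work\CRT\Get-CRTReport.ps1" -WorkingDirectory "$work\crt-out"

# First-pass triage: list every CSV the tools produced with its row count,
# so empty checks are visible at a glance and non-empty ones get reviewed.
function Get-OutputSummary {
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Recurse -Filter *.csv -ErrorAction SilentlyContinue |
            ForEach-Object {
                $rows = (Import-Csv -Path $_.FullName | Measure-Object).Count
                [pscustomobject]@{ File = $_.FullName; Rows = $rows }
            }
    }
}
Get-OutputSummary -Folders "$work\sparrow-out", "$work\crt-out" |
    Sort-Object Rows -Descending | Format-Table -AutoSize
```

Two caveats for whoever reads the output: a populated CSV is a lead to review, not proof of compromise, so each non-empty file should be walked with someone who knows which applications, domains and admin changes are legitimate for the firm; and the tools can only see what the tenant's audit logging retained, so if unified audit logging was not enabled, or the activity predates the retention window, an empty result does not establish that nothing happened.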
If you need assistance with performing this verification in your environment, feel free to reach out and ask us how we can help. Your IT team and/or providers should be able to do this for you, but if you want independent security experts to validate it, we are an email or phone call away.