
SolarWinds
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Rebuild impacted servers and start with a fresh, updated install of SolarWinds Orion. Note: SOCRadar recommends this step even for organizations that are not believed to have been subject to secondary targeting.
Reset all credentials that may have been impacted in the organization and ensure new passwords are not similar to previous passwords. This would likely include all accounts in an Active Directory domain, including user accounts, service accounts, etc.
Ensure that unique local administrative passwords are used on all devices; use a password management solution where possible.
Reset/replace/re-issue all sensitive API key integrations, such as those used by multi-factor authentication, SAML integrations, website configuration files, etc.
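The credential-reset step above is the one that is easiest to get wrong at scale, because an Active Directory domain mixes interactive users (who can simply be forced to pick a new password) with service accounts that break if their password changes without a coordinated re-issue. The following PowerShell is an added example, not part of the SOCRadar guidance, showing how a defender might inventory every enabled account whose password predates the suspected compromise window and act on each class appropriately. It assumes the ActiveDirectory RSAT module, a Domain Admin context, and that $CompromiseStart is set to the earliest date a trojanized Orion build could have been present; the default 90-day window and the CSV file names are placeholders chosen for this example.

```powershell
# Added example (not from the SOCRadar guidance): audit and, optionally,
# enforce rotation of Active Directory credentials after a suspected
# SolarWinds Orion compromise.
# Assumes the ActiveDirectory RSAT module and Domain Admin rights.
# $CompromiseStart is a placeholder: set it to the earliest date the
# trojanized Orion build could have been present in your environment.
param(
    [datetime]$CompromiseStart = (Get-Date).AddDays(-90),   # placeholder window
    [switch]$Enforce                                         # default is report-only
)
Import-Module ActiveDirectory

# Any enabled account whose password was last set before the window (or never
# set) has not been rotated since the compromise could have begun.
# krbtgt is disabled by default and therefore excluded here on purpose; reset it
# separately (twice, with a replication pause between) so forged Kerberos
# tickets signed with the old key stop validating.
$stale = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, ServicePrincipalName, LastLogonDate |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $CompromiseStart }

# Split into interactive users and service accounts (any SPN registered).
# Service accounts cannot take "change password at next logon"; each one needs
# its password rotated and re-issued wherever the consumer stores it.
$users    = $stale | Where-Object { $_.ServicePrincipalName.Count -eq 0 }
$services = $stale | Where-Object { $_.ServicePrincipalName.Count -gt 0 }

$users |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate |
    Export-Csv -Path .\users-to-reset.csv -NoTypeInformation

$services |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv -Path .\service-accounts-to-rotate.csv -NoTypeInformation

Write-Host ("Stale user accounts:    {0}" -f @($users).Count)
Write-Host ("Stale service accounts: {0}" -f @($services).Count)

if ($Enforce) {
    # Force every stale interactive user to choose a new password at next logon.
    # The domain's password-history policy is what prevents reuse of the old
    # password; the script itself does not (and cannot) compare passwords.
    $users | Set-ADUser -ChangePasswordAtLogon $true
}
```

Run it once without -Enforce to review the two CSVs, then again with -Enforce for the interactive accounts. The service-account list is a work queue for manual rotation; credentials that Orion itself stored for monitored devices (SNMP community strings, WMI or SSH credentials, database logins) do not appear in Active Directory at all and must be rotated from the rebuilt Orion instance and on the target devices, which is exactly why the rebuild and the credential reset belong together.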