Security News > 2020 > December > SolarWinds hackers’ capabilities include bypassing MFA

As the list of known organizations compromised by way of the SolarWinds supply chain attack is slowly growing - according to Reuters, the attackers also breached U.S. Department of Homeland Security's systems, the State Department, and the National Institutes of Health - Microsoft has decided that its Defender Antivirus will start blocking/quarantining the known malicious SolarWinds binaries today - even if the process is running.

As security researcher Vinoth Kumar pointed out, the attackers might have easily compromised the company's update server by using a password that was published on their public Github repository for over a year or, as several Reuters sources noted, they might have bought access to SolarWinds' computers through underground forums.

We're likely still far from getting concrete information about how the attackers actually got into SolarWinds' systems, but the company's recent report to the U.S. Securities and Exchange Commission seems to point to Microsoft Office 365 account compromise as the initial vector.

The security teams of organizations using the Orion platform have a lot of work ahead of them: they have to perform a thorough check of all their systems, networks and assets, all the while hoping that they weren't singled out by the attackers for thorough compromise.

"In order to reduce the likelihood of such an event, it is critical to protect integration secrets from exposure within an organization and to rotate secrets if compromise is suspected. Compromise of a service that is integrated with an MFA provider can result in disclosure of integration secrets along with potential access to a system and data that MFA protects."

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/91Sx-VCw7kg/