Security News

Since the SolarWinds supply chain attack was disclosed in December, there has been a whirlwind of news, technical details, and analysis released about the hack. The information is distilled into a format that will hopefully explain the attack, who its victims are, and what we know to this point.

The NSA has published an advisory outlining how "Malicious cyber actors" are "Are manipulating trust in federated authentication environments to access protected data in the cloud." This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SVR is using once it has gained access to target networks. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

All fingers are pointing to Russia as the source of the worst-ever hack of U.S. government agencies. To be sure, it's not uncommon for administrations to refrain from leveling public accusations of blame for hacks until they've accumulated enough evidence.

Microsoft has confirmed that it, too, is among the companies who have downloaded the compromised SolarWinds Orion updates, but that they have isolated and removed them. "While investigations continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures," Smith said.

After the malicious Orion upgrades were installed on the systems of thousands of SolarWinds customers, Microsoft President Brad Smith said that the suspected Russian hacking group were able to "Pick and choose" targets of interest already compromised organizations. Based on information gathered while investigating the still ongoing hacking campaign, Microsoft has notified the over 40 organizations that were "Targeted more precisely and compromised through additional and sophisticated measures."

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others." Characterizing the hack as "a moment of reckoning," Microsoft president Brad Smith said it has notified over 40 customers located in Belgium, Canada, Israel, Mexico, Spain, the UAE, the UK, and the US that were singled out by the attackers.

Microsoft has confirmed that they were hacked in the recent SolarWinds attacks but denied that their software was compromised in a supply-chain attack to infect customers. Tonight, Reuters released a report stating that sources indicated that Microsoft was not only compromised in the SolarWinds supply-chain attack but also had their software modified to distribute malicious files to its clients.

Few people were aware of SolarWinds, a Texas-based software company providing vital computer network monitoring services to major corporations and government agencies worldwide. It's raising questions about whether company insiders knew of its security vulnerabilities as its biggest investors sold off stock.

The US Cybersecurity and Infrastructure Security Agency said that the APT group behind the recent compromise campaign targeting US government agencies used more than one initial access vector. "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available," the agency said.

A killswitch has been identified and activated for one of the pieces of malware delivered by threat actors as part of the attack targeting IT management and monitoring firm SolarWinds and its customers. FireEye, which disclosed the attack earlier this month after the threat actor managed to breach its systems and steal some Red Team tools, revealed that the attacker had compromised SolarWinds systems and used its access to deliver a piece of malware named SUNBURST. The malware, which is configured to remain dormant for a certain period after installation, is capable of collecting information about the infected computer, downloading and executing code, creating and deleting files, reading and manipulating registry entries, and rebooting the system.