Security News

Warning on SolarWinds-like supply-chain attacks: 'They're just getting bigger'
2023-03-03 11:33

Back in 2020, Eric Scales led the incident response team investigating a nation-state hack that compromised his company's servers along with those at federal agencies and tech giants including Microsoft and Intel. "It was similar to a fraternity rush - the best experience I never want to do again," Scales, head of incident response at Mandiant, told The Register.

SolarWinds and Market Incentives
2023-02-08 11:46

In early 2021, IEEE Security and Privacy asked a number of board members for brief perspectives on the SolarWinds incident while it was still breaking news. The lessons are many, but I want to focus on one important one we've learned: the software that's managing our critical networks isn't secure, and that's because the market doesn't reward that security.

Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appears
2023-02-05 12:00

The hack of SolarWinds' software more than two years ago pushed the threat of software supply chain attacks to the front of security conversations, but is anything being done? More recently, attackers have targeted code repositories like GitHub and PyPI and companies like CI/CD platform provider CircleCI, an incident that expanded the definition of a supply chain attack, according to Matt Rose, field CISO for cybersecurity vendor ReversingLabs.

SolarWinds reaches $26m settlement with shareholders, expects SEC action
2022-11-04 21:59

SolarWinds has agreed to pay $26 million to settle a shareholder lawsuit, and it's also expecting to be slapped with an enforcement action by Uncle Sam - both related to its infamous 2020 supply chain security fiasco, according to the software maker's most recent US regulatory filing. At the end of October, SolarWinds reached a deal with investors who sued the company, alleging they were misled about its security posture in advance of the Russian cyberattack on the business, according to an 8-K filing [PDF] with the US Securities and Exchange Commission.

RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam
2022-11-03 19:36

The threat actor behind the RomCom RAT has refreshed its attack vector and is now abusing well-known software brands for distribution. In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone official download portals for SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro, essentially disguising the malware as legitimate programs.

Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT
2022-11-03 09:20

The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro. Targets of the operation consist of victims in Ukraine and select English-speaking countries like the U.K. "Given the geography of the targets and the current geopolitical situation, it's unlikely that the RomCom RAT threat actor is cybercrime-motivated," the BlackBerry Threat Research and Intelligence Team said in a new analysis.

SolarWinds vs. Splunk: SIEM tool comparison
2022-03-24 17:57

SolarWinds Security Event Manager is a SIEM tool that collects and analyzes security event log records to help organizations improve their security and compliance practices. SolarWinds Security Event Manager has real-time automated threat detection capabilities, with continuous system-wide threat detection, monitoring and alerting.

SolarWinds warns of attacks targeting Web Help Desk instances
2022-03-16 20:18

SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk instances and advised removing them from publicly accessible infrastructure. "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk 12.7.5. The customer's endpoint detection and response system blocked the attack and alerted the customer to the issue," SolarWinds said.

The Solarwinds Tipping Point
2022-02-25 00:00

What makes the SolarWinds attack so astonishing is its scale. The infected Orion software was sold to more than 33,000 customers.

New Malware Used by SolarWinds Attackers Went Undetected for Years
2022-02-03 02:21

The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once again indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems - a Linux variant of GoldMax and a new implant dubbed TrailBlazer - long before the scale of the attacks came to light.