Security News

SolarWinds victims revealed after cracking the Sunburst malware DGA
2020-12-22 09:11

Security researchers have shared lists of organizations where threat actors deployed Sunburst/Solarigate malware in attempts to further compromise their networks, after ongoing investigations of the SolarWinds supply chain attack. To build the list of victims infected with the Sunburst backdoor via the compromised update mechanism of the SolarWinds Orion IT management platform, the researchers decoded a dynamically generated part of the C2 subdomain for each of the compromised devices.

SolarWinds releases known attack timeline, new data suggests hackers may have done a dummy run last year
2020-12-21 13:30

In an 8-K filing to the US Securities and Exchange Commission, SolarWinds has given more details on exactly how it learned its servers were spewing out malware. Security shop FireEye, as well as other sources, have confirmed that the main malware controller being used in the SolarWinds attack has been killed off this week.

SolarWinds is the tip of the iceberg
2020-12-21 13:20

The recent SolarWinds software supply chain breach is a clear indication that strong OT cybersecurity is a must-have in today's threat environment. Waterfall's technologies have long enabled integration between OT networks and enterprise networks without the risk of any attack getting back into the protected network.

VMware, Cisco Reveal Impact of SolarWinds Incident
2020-12-21 12:37

VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack. The NSA advisory on the exploitation of the VMware vulnerability also mentions SAML abuse, and security blogger Brian Krebs reported learning from sources that the SolarWinds attackers also exploited the VMware flaw.

VMware latest to confirm breach in SolarWinds hacking campaign
2020-12-21 10:38

VMware is the latest company to confirm that it had its systems breached in the recent SolarWinds attacks but denied further exploitation attempts. VMware also disputed media reports that a zero-day vulnerability in multiple VMware products reported by the NSA was used as an additional attack vector besides the SolarWinds Orion platform to compromise high-profile targets.

Well, on the bright side, the SolarWinds Sunburst attack will spur the cybersecurity field to evolve all over again
2020-12-21 09:30

Perhaps the most chilling aspect of the attack was how it propagated itself by installing itself as part of SolarWinds' standard distribution and update system. As with so many complex infrastructure compromises, it doesn't really matter and knowing the answer won't do much to help understand the scope of the attack or the damage done.

New SUPERNOVA backdoor found in SolarWinds cyberattack analysis
2020-12-21 09:17

While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor. The analysis shows that the threat actor added four new parameters to the legitimate SolarWinds file to receive signals from the command and control infrastructure.

Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ
2020-12-20 23:52

United States secretary of state Mike Pompeo has laid the blame for the SolarWinds hack on Russia, but his boss begs to differ. The Associated Press reports that the White House was set to issue a Friday afternoon statement describing Russia as "the main actor" behind the incident, but that staff were told to stand down instead. At the time of writing the State Department, National Security Agency, White House, Cybersecurity and Infrastructure Security Agency, and president Trump all appear not to have attempted to reconcile the administration's conflicting view on the incident.

Week in review: SolarWinds hack and related attacks, life without passwords, how to make DevSecOps stick
2020-12-20 09:00

The SolarWinds supply chain attack and related hacks: When the week before last FireEye said they've been breached by sophisticated attackers using a "novel combination of techniques," we wondered what those were. We didn't have to wait long - news of the SolarWinds hack and the consequent revelations about the attackers using the company's products as a stepping stone towards compromising a slew of US government agencies and other targets have revealed some of the attackers' capabilities.

The SolarWinds cyberattack: The hack, the victims, and what we know
2020-12-19 10:10

Since the SolarWinds supply chain attack was disclosed in December, there has been a whirlwind of news, technical details, and analysis released about the hack. The information is distilled into a format that will hopefully explain the attack, who its victims are, and what we know to this point.