Security News

Microsoft Says SolarWinds Hackers Accessed Some of Its Source Code
2020-12-31 20:50

Microsoft on Thursday revealed that the threat actors behind the SolarWinds supply chain attack were able to gain access to a small number of internal accounts and escalate access inside its...

Microsoft Says 'SolarWinds' Hackers Viewed Internal Code
2020-12-31 19:41

Microsoft acknowledged Thursday that attackers who spearheaded a massive hack of government and private computer networks gained access to its internal "source code," a key building block for its...

Microsoft: SolarWinds hackers accessed our source code
2020-12-31 14:52

The threat actors behind the SolarWinds attack were able to breach internal Microsoft accounts to view the source code for Microsoft products. [...]

DHS orders federal agencies to update SolarWinds Orion platform
2020-12-30 12:18

The Cybersecurity and Infrastructure Security Agency has ordered all US federal agencies to update the SolarWinds Orion platform to the latest version by the end of business hours on December 31, 2020. CISA's Supplemental Guidance to Emergency Directive 21-01 demands this from all agencies using Orion versions unaffected in the SolarWinds supply chain attack.

Microsoft: SolarWinds hackers' goal was the victims' cloud data
2020-12-29 13:30

Microsoft says that the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks. As the Microsoft 365 Defender Team explains, after infiltrating a target's network with the help of the Sunburst backdoor, the attackers' goal is to gain access to the victims' cloud assets.

New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds
2020-12-28 12:47

A piece of malware that researchers have named Supernova and a zero-day vulnerability exploited to deliver this malware indicate that SolarWinds may have been targeted by a second, unrelated threat actor. "In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft said in a recent blog post mentioning Supernova.

Russia’s SolarWinds Attack
2020-12-28 12:21

It's an increasingly common way to attack networks. Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data.

A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware
2020-12-27 22:14

An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as a zero-day to deploy the SUPERNOVA malware in target environments. According to an advisory published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance.

SolarWinds releases updated advisory for new SUPERNOVA malware
2020-12-26 09:50

SolarWinds has released an updated advisory for the additional SuperNova malware discovered to have been distributed through the company's network management platform. After analyzing the SolarWinds breach, both Palo Alto Networks Unit 42 and Microsoft reported on an additional malware named SuperNova distributed using the App Web logoimagehandler.

A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says
2020-12-23 22:44

As the probe into the SolarWinds supply chain attack continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team said on Friday in a post detailing the Sunburst malware.