Security News

More information has come to light about the Sunburst backdoor that could help defenders get a better handle on the scope of the sprawling SolarWinds espionage attack. With Sunburst embedded, the attackers have since been able to pick and choose which organizations to further penetrate.

State-sponsored hackers who exploited a security hole in a SolarWinds monitoring tool to infiltrate government and business networks have apparently left a long line of victims in their wake. Asserting that this threat "Poses a grave risk" to the federal, state, and local governments as well as to critical infrastructure providers and the private sector, CISA sees the removal of the attackers from compromised networks as a highly complex and challenging endeavor.

An analysis of the infrastructure and the malware involved in the attack targeting SolarWinds indicates that the Texas-based IT management and monitoring company was hacked at least one year prior to the discovery of the breach. An analysis of the threat actor's infrastructure conducted by threat intelligence company DomainTools, which specializes in DNS and domain analysis, suggests that SolarWinds was breached at some point in 2019.

VMware released a software update to plug the security hole on Dec. 3, and said it learned about the flaw from the NSA. The NSA advisory came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks. On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020.

The ongoing, growing campaign is "Effectively an attack on the United States and its government and other critical institutions," Microsoft warned. There are six known federal entities that have been impacted by the attack: The Pentagon, the Department of Energy, the Department of Homeland Security, the National Institute of Health, the Department of Treasury and the Department of Commerce.

The NSA has published an advisory outlining how "Malicious cyber actors" are "Are manipulating trust in federated authentication environments to access protected data in the cloud." This is related to the SolarWinds hack I have previously written about, and represents one of the techniques the SVR is using once it has gained access to target networks. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.

More high-profile organizations are named as victims of the cyber-espionage campaign that involved an attack on Texas-based IT management and monitoring company SolarWinds. Politico reported on Thursday that the U.S. Energy Department and National Nuclear Security Administration were also targeted in the attack.

Microsoft has confirmed that it, too, is among the companies who have downloaded the compromised SolarWinds Orion updates, but that they have isolated and removed them. "While investigations continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures," Smith said.

After the malicious Orion upgrades were installed on the systems of thousands of SolarWinds customers, Microsoft President Brad Smith said that the suspected Russian hacking group were able to "Pick and choose" targets of interest already compromised organizations. Based on information gathered while investigating the still ongoing hacking campaign, Microsoft has notified the over 40 organizations that were "Targeted more precisely and compromised through additional and sophisticated measures."

America's nuclear weapons agency was hacked by the suspected Russian spies who backdoored SolarWinds' IT monitoring software and compromised several US government bodies, and Microsoft was caught up in the same cyber-storm, too, it was reported Thursday. The Windows giant uses SolarWinds' network management suite Orion, downloads of which were secretly trojanized earlier this year so that when installed within certain targets - such as the US government departments of State, Treasury, Homeland Security, and Commerce - the malicious code's masterminds could slip into their victims' networks, execute commands, read emails, steal data, and so on.