According to new reports, close to a third of the victims of the sophisticated threat actor behind the compromise of SolarWinds’ Orion IT management platform did not run that network management software at all, raising fears that the hack goes deeper and reaches into other software providers.
The Wall Street Journal reports that about 30% of the private sector and government victims that were hacked by the suspected Russian hackers had no direct connection to SolarWinds.
The Journal, citing investigators, says the threat actors appear to have broken into companies by exploiting known vulnerabilities, guessing online passwords and leveraging Microsoft’s cloud configuration.
Approximately 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in an interview.
The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”
Wales also said some of the victims were compromised even before SolarWinds pushed out the corrupted Orion software to customers.
Microsoft in December said it had identified more than 40 customers hit by the attack, and that number has since increased, reports the Journal, citing an anonymous person familiar with the investigation.
How the attackers gained access to SolarWinds’ systems is a lingering question, but there are apparently some indications that Microsoft’s cloud infrastructure is to blame: a person familiar with the investigation told the Journal that this possibility is being investigated.
Microsoft in December said the attackers had accessed its corporate network and viewed source code, but said there were no indications of a further compromise leveraging Microsoft tools.
The report also mentions Malwarebytes, an anti-malware company that disclosed last month that it too was a victim of the SolarWinds attack. CEO Marcin Kleczynski said the company has evidence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.
Attackers gained access to a limited subset of internal company emails, but subsequent investigation didn’t turn up evidence of any other unauthorized access or compromise in any of the company’s internal on-premises and production environments.
According to the Journal, this massive hacking campaign is threatening to undo our trust in the software providers that organizations rely on every day.
The data breach has also undermined some of the pillars of modern corporate computing, in which companies and government offices entrust myriad software vendors to run programs remotely in the cloud or to access their own networks to provide updates that enhance performance and security.
Now corporations and government agencies are grappling with the question of how much they can truly trust the people who build the software they use.
“Malwarebytes relies on 100 software suppliers,” said Marcin Kleczynski, the security company’s chief executive. “How do I know that Zoom or Slack isn’t next and what do I do? Do we start building software in-house?”
Now, tech professionals and security experts are renewing calls for the industry to work closely together in the event of an attack, which includes better sharing of information. The Linux Foundation last month also proposed several actions that companies and software providers should take to ensure there isn’t malicious code hidden in otherwise legitimate products.