
Russia’s SolarWinds Hack Is a Historic Mess


Normally we use this space to round up the biggest stories from all reaches of the cybersecurity world. This week, we’re making an exception, because there’s really only one story: how Russia pulled off the biggest espionage hack on record.

Russia’s hack of IT management company SolarWinds began as far back as March, and it only came to light when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9. Since then, a cascading number of victims have been identified, including the US Departments of State, Homeland Security, Commerce, and the Treasury, as well as the National Institutes of Health. The nature of the attack—and the tremendous care taken by the hackers—means it could be months or longer before the extent of the damage is known. The impact is already devastating, though, and it underscores just how ill-prepared the US was to defend against a known threat—and to respond. It’s also ongoing. 

And there’s so much more. Below we’ve rounded up the most important SolarWinds stories so far from around the internet. Click on the headlines to read them, and stay safe out there.

Reuters has broken multiple stories about the SolarWinds hack and its fallout, but this piece takes a step back to look at the company at the heart of it. The IT management firm has hundreds of thousands of customers—including 18,000 who were vulnerable to Russia’s attack—who rely on it for network monitoring and other services. Its security practices appear to have been lacking on a few fronts, including the use of the password “solarwinds123” for its update server. (That’s not suspected of being tied to the current attack, but … still.)

The Wall Street Journal this week shared new details about what happened inside FireEye earlier this month as it discovered and responded to its own compromise. The tip-off: An employee received an alert that someone had logged into the company’s VPN using their credentials from a new device. Over 100 FireEye employees engaged in the response, which included combing through 50,000 lines of code to suss out any abnormalities.

Over the past several years, the US has invested billions of dollars…

Source…

SolarWinds releases updated advisory for new SUPERNOVA malware



SolarWinds has released an updated advisory for the additional SuperNova malware discovered to have been distributed through the company’s network management platform.

Earlier this month, it was revealed that SolarWinds suffered a cyberattack that allowed threat actors to modify a legitimate SolarWinds Orion DLL, SolarWinds.Orion.Core.BusinessLayer.dll, to include the malicious SUNBURST backdoor. This trojanized file was then distributed to SolarWinds customers via the platform’s automatic update feature in a supply chain attack.

After analyzing the SolarWinds breach, both Palo Alto Unit 42 and Microsoft reported on an additional malware named SuperNova distributed using the App_Web_logoimagehandler.ashx.b6031896.dll DLL file. This malware allowed the hackers to remotely send C# code to be compiled by the malware and executed on the victim’s machine.

[Image: SuperNova code to compile executable. Source: Palo Alto Unit 42]

Both Microsoft and Palo Alto believe that this additional malware is not associated with the group that deployed the SUNBURST trojan as part of the SolarWinds initial supply chain attack.

SolarWinds releases updated advisory

On Thursday, SolarWinds released an updated advisory to include information about the SUPERNOVA malware and how their SolarWinds Orion network management platform distributed it.

“The SUPERNOVA malware consisted of two components. The first was a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896.dll” specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. The vulnerability in the Orion Platform has been resolved in the latest updates,” SolarWinds’ updated advisory explains.
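As an added example that is not part of the advisory or this article: a PowerShell triage check that lists any copy of the webshell DLL named above under the Orion web directory and reports whether each file carries a valid Authenticode signature, since the advisory describes the malicious DLL as unsigned. The install path is an assumption; adjust it to your deployment.

```powershell
# Added example (not SolarWinds' code): flag unsigned or IoC-named copies of the
# LogoImageHandler DLL described in the advisory. The web root below is an
# assumed location; verify it against your own Orion installation.
$orionWebRoot = 'C:\inetpub\SolarWinds'   # assumed path, adjust locally
$iocName      = 'app_web_logoimagehandler.ashx.b6031896.dll'   # name from the advisory

$hits = Get-ChildItem -Path $orionWebRoot -Recurse `
    -Filter 'app_web_logoimagehandler*.dll' -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "No LogoImageHandler DLLs found under $orionWebRoot"
    return
}

foreach ($file in $hits) {
    # Authenticode status: 'Valid' means signed and the chain verifies;
    # 'NotSigned' or 'HashMismatch' on this file name warrants manual review.
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $flag = if ($file.Name -ieq $iocName -or $sig.Status -ne 'Valid') { 'REVIEW' } else { 'ok' }

    [pscustomobject]@{
        Flag      = $flag
        Path      = $file.FullName
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash   # compare against vendor/IR-supplied hashes
        Modified  = $file.LastWriteTimeUtc
    }
}
```

Run it from an elevated prompt on the Orion server; anything flagged REVIEW should be preserved for forensics (hash and timestamp recorded) before the host is patched to the versions the advisory lists.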

SolarWinds advises all Orion Platform customers to upgrade to the latest versions to be protected from not only the SUNBURST vulnerability but the SUPERNOVA malware as well.

The updates currently being offered for the Orion Platform include the following versions and patches:

  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA…

Source…

SolarWinds hack victims: From tech companies to a hospital and university


The suspected Russian hackers behind breaches at U.S. government agencies also gained access to major U.S. technology and accounting companies, at least one hospital and a university, a Wall Street Journal analysis of internet records found.

The Journal identified infected computers at two dozen organizations that installed tainted network monitoring software called SolarWinds Orion that allowed the hackers in via a covertly inserted backdoor. It gave them potential access to scores of sensitive corporate and personal data.


Among them: technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., accounting firm Deloitte LLP, cloud-computing software maker VMware Inc. and Belkin International Inc., which sells home and office Wi-Fi routers and networking gear under the LinkSys and Belkin brands. The attackers also had access to the California Department of State Hospitals and Kent State University.

The victims offer a small window into the sweeping scope of the hack, which could have ensnared as many as 18,000 of Austin-based SolarWinds Corp.’s customers, the company said, after hackers laced a routine software update with malicious code.

SolarWinds said that it traced activity from the hackers back to at least October 2019 and that it is now working with security companies, law enforcement and intelligence agencies to investigate the attack.

Cisco confirmed in a statement that it found the malicious software on some employee systems and a small number of laboratory systems. The company is still investigating. “At this time, there is no known impact to Cisco offers or products,” a company spokesman said.


Intel downloaded and ran the malicious software, the Journal’s analysis found. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company’s network, a spokesman said.

Deloitte, infected in late June according to the Journal’s analysis,…

Source…

CrowdStrike Fends Off Attack Attempted By SolarWinds Hackers


The suspected Russian hackers behind the massive SolarWinds attack attempted to hack CrowdStrike through a Microsoft reseller’s Azure account but were ultimately unsuccessful, CrowdStrike said.

The Sunnyvale, Calif.-based endpoint security giant said it was contacted on Dec. 15 by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, CrowdStrike Chief Technology Officer Michael Sentonas wrote in a blog post Wednesday.

The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and Sentonas said the hackers attempted to read the company’s email. That attempt was unsuccessful, Sentonas said, adding that CrowdStrike’s findings were confirmed by Microsoft. As part of CrowdStrike’s secure IT architecture, Sentonas said the company doesn’t use Office 365 email.


“CrowdStrike conducted a thorough review into not only our Azure environment, but all of our infrastructure for the indicators shared by Microsoft,” Sentonas wrote in the blog post. “The information shared by Microsoft reinforced our conclusion that CrowdStrike suffered no impact.”

CrowdStrike’s review in the wake of the SolarWinds hack was “extensive” and included both the company’s production and internal environments, according to Sentonas. The firm’s stock is up $45.23 (25.7 percent) to $221.12 per share since news of Russian foreign intelligence service hackers injecting malware into updates of SolarWinds’ Orion network monitoring platform went public on Dec. 13.

The reseller was not identified in CrowdStrike’s blog post, and the company declined further comment on the attempted attack.

Microsoft told CRN that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. This abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.

Customers do not have to…

Source…