Tag Archive for: SolarWinds

VMware Flaw a Vector in SolarWinds Breach? — Krebs on Security


U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in products from virtualization software vendor VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks.

On Dec. 7, 2020, the NSA said “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”

VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3, and said it learned about the flaw from the NSA.

The NSA advisory (PDF) came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks.

On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020.

In its advisory on the VMware vulnerability, the NSA urged patching it “as soon as possible,” specifically encouraging the National Security System, Department of Defense, and defense contractors to make doing so a high priority.

The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely.

In response to questions from KrebsOnSecurity, VMware said it has “received no notification or indication that the CVE 2020-4006 was used in conjunction with the…


Donald Trump Is Talking About Everything but the Alleged Russian SolarWinds Hack

As authorities probe a suspected Russia-led hack of government networks, President Donald Trump has been publicly silent on the matter.

Even as a slew of federal agencies acknowledged their computer systems appeared to have been affected by malware spread via Texas-based software company SolarWinds, Trump continued to tweet about a presidential election he had already lost.

With roughly a month left of his first and presumably only term in the White House, Trump claimed on Thursday, without evidence, that the outcome of the November vote was “rigged,” and suggested that the Democratic Party had somehow stolen the election.

The same day, a warning emerged from the Cybersecurity and Infrastructure Security Agency (CISA), saying that the SolarWinds hack posed a “grave risk” to all levels of the U.S. government, alongside critical infrastructure entities and businesses.

CISA, which operates under Homeland Security, said evidence suggested agencies had been compromised by an advanced persistent threat (APT) actor—another term for a nation-state-level cybersecurity adversary—since at least March 2020.

Trump remained silent as multiple administration officials alluded to the evidence that pointed in the direction of Russia. Secretary of State Mike Pompeo noted there had been a “consistent effort of the Russians to try and get into American servers.”

Trump remained publicly silent as the Department of Energy, which includes a division overseeing the nuclear weapons stockpile, confirmed it found malware linked to the hackers on its business networks as part of a probe happening in real-time.

And Trump did not respond publicly as his former homeland security adviser Thomas P. Bossert said the “magnitude of this ongoing attack is hard to overstate” and noted that Trump was “on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government.”

On December 13, then…


US establishes Cyber Unified Coordination Group to respond to SolarWinds compromise. Report on Chinese influence ops delayed.


The US Government and a large number of private organizations continue to assess the extent of the SolarWinds incident. The scope and extent of the damage are known to be large, but just how large, and who specifically was affected, remains under investigation. An op-ed by former US Homeland Security Advisor Bossert probably has it right in saying that the breach is “hard to overestimate.”

A joint statement yesterday from the US FBI, CISA, and ODNI says that the Government has invoked Presidential Policy Directive (PPD) 41 to establish a Cyber Unified Coordination Group to coordinate a whole-of-Government response to the Russian cyber operation that exploited SolarWinds’ Orion platform.

According to KrebsOnSecurity, FireEye, Microsoft, and GoDaddy cooperated on a response to the SolarWinds compromise by establishing a killswitch to disable Sunburst backdoor instances still beaconing to their original domain. As FireEye said in a widely quoted statement, “this actor moved quickly to establish additional persistent mechanisms to access to [sic] victim networks beyond the SUNBURST backdoor,” so the killswitch is far from representing a thorough remediation. BleepingComputer has a summary of what’s publicly available so far.

Bloomberg reports that the US Director of National Intelligence said yesterday that the Intelligence Community will not meet tomorrow’s deadline to report to Congress about Chinese influence operations in the 2020 election season. That there were attempts seems clear enough, but how extensive they were, and how much prominence they should be given, remains a matter of disagreement among the agencies in the Intelligence Community.


FireEye, SolarWinds Breaches: Implications and Protections


Five days after FireEye detailed the theft of about 300 of its proprietary cybersecurity tools, SolarWinds announced that its Orion IT monitoring platform had also been compromised by hackers believed to be sponsored by the Russian government. Together, the attacks turned over critical cybersecurity infrastructure to the malicious actors, along with access to thousands of global entities’ sensitive information. As the cybersecurity world wraps its head around how two top vendors were breached, we examine the organizations involved, details of the attack, and implications for the industry and its customers.

The players

While FireEye and SolarWinds are familiar to IT professionals, this week’s news brought their brands to the dinner table. Before jumping into the attacks and implications, here is a quick look at the two key organizations getting the most attention.

FireEye

Since 2004, FireEye has made a name for itself by offering next-generation threat protection and specializing in detection, prevention, and cyberattack analysis. In 2015, Deloitte called the vendor the fastest-growing cybersecurity firm, and today it stands out as a leading identifier of global threats and actors. Earlier this year, Reuters reported on FireEye’s research into APT41, a Chinese-linked cyberespionage actor. FireEye’s security services are used by government agencies and top public and private companies internationally.

SolarWinds

SolarWinds, operating out of Austin, Texas, since 2005, offers a suite of IT products ranging from network, systems, and database management to managed security services. In April, Gartner recognized SolarWinds in its Magic Quadrant for Application Performance Monitoring (APM). As evidence of its reputation, SolarWinds’ global customers include about 80 percent of the Fortune 500 companies, all five branches of the U.S. military, and a swath of high-level government agencies.


The attacks

Earlier this month, the U.S. National Security Agency warned that federal agencies were being actively exploited by “Russian state-sponsored actors.” A week later, FireEye’s prized Red Team hacking tools were…
