
SEC's Legal Action Against SolarWinds and CISO Creates Uncertainty in Cybersecurity

In the lawsuit, the plaintiffs allege that CISO Timothy Brown, who was responsible for managing the company's software supply chain at the time of the massive cyberattack, failed to disclose critical information about the attack.

Government agencies, corporations, and government-related organizations around the world rely on SolarWinds' products. The complex attack, widely attributed to state-sponsored Russian hackers, compromised numerous networks. The breach drew significant attention to cybersecurity and was followed by further hacks, investigations, and regulatory concerns.

The intruders have been identified as Russian government-linked hackers who reportedly injected malicious code into the company's IT monitoring and management tool, Orion.

The hack, initially estimated to have occurred in October of last year, affected more than 18,000 organizations worldwide, including the U.S. Department of State, the Department of Homeland Security, the National Security Agency, and Microsoft Corporation. Nevertheless, SolarWinds later estimated that fewer than 100 customers were actually affected.

SolarWinds and Brown are being charged by the SEC with fraud and with failing to maintain internal controls relating to alleged cybersecurity threats and vulnerabilities. The complaint alleges that from SolarWinds' initial public offering in October 2018 until December 2020, when it announced that it had been hacked, SolarWinds and Brown defrauded investors by overstating the company's cybersecurity practices and understating or failing to disclose risks that may have affected the company's investors.

The software maker and its chief information security officer now face charges of fraud and internal control failures. In an announcement released on Monday, the Securities and Exchange Commission (SEC) alleged that SolarWinds and Brown misled investors about the company's cybersecurity practices, known security risks, and weaknesses throughout its history.

Earlier investigations into the SolarWinds hack concluded that the attackers were in the company's network for at least two years before they were discovered, indicating they were well embedded there. The SEC alleged that Brown aided and abetted SolarWinds' violations of the Exchange Act's reporting and internal control provisions.

The SEC's recently implemented four-day reporting rule highlights a lack of transparency in cybersecurity incident reporting. The complaint states that the SEC seeks permanent injunctions, disgorgement with prejudgment interest, civil penalties, and a bar against Brown serving as an officer or director of a corporation. A lawsuit by the SEC against a CISO alleging mismanagement of cybersecurity risk is extremely rare.

The suit accuses SolarWinds' chief information security officer of knowing about vulnerabilities in the company's systems but failing to disclose them adequately to investors, resulting in statements in the company's SEC filings that the SEC claims were misleading and fraudulent. Industry experts have given the SEC's lawsuit mixed reviews.

Some see holding CISOs accountable for how they handle cybersecurity concerns as a necessary step. They argue that CISOs are the most important individuals in safeguarding a company's digital assets and must be transparent about potential threats, both within their organization and to regulators.

The lawsuit has drawn wide attention, including from SolarWinds itself, which claims it sets a problematic precedent. Critics say CISOs may become reluctant to share information about cyber threats within their organizations for fear of legal liability, which could make it harder for the industry to respond effectively to cyberattacks and protect sensitive data.

A blog post by Sudhakar Ramakrishna, President of SolarWinds, addressing the SEC's charges, states that the charges threaten the open information sharing across the industry that cybersecurity experts think is necessary for our collective security.

Further, the charges might disenfranchise cybersecurity professionals across the country and put them out of action, taking these cyber warriors out of active service. In response to this lawsuit, many CISOs and cybersecurity professionals will likely examine their roles and responsibilities in more detail. Many of these employees will consult legal teams to clarify the legal risks associated with their positions.

Others will surely revise their disclosure practices to strike a balance between transparency and potential liability. Since the COVID-19 pandemic and the rapid shift to remote work, companies have continued to struggle to secure remote access, and the Sophos report reveals that the problem persists.

According to the cybersecurity company's mid-year "Active Adversary Report," 95% of the attacks in the first half of 2023 were carried out via Remote Desktop Protocol. In addition, attackers are increasingly targeting VPNs as a means of gaining remote access, another area that has been difficult to defend for the last few years.

Although attackers exploited a critical flaw disclosed in December, malicious activity against Fortinet VPN instances increased in February. According to the report, CISOs, particularly those who oversee public companies, should take inventory of their security programs and make sure that the information they share with the public is based on fact rather than spin, which is what is causing concern.

The SEC, which has filed this suit against privately held companies, is setting a new standard for security disclosures for those companies. For now, there is no way to predict the outcome of the SolarWinds lawsuit or its implications for the cybersecurity industry in general. Regardless of the outcome, it serves as a stark reminder to all CISOs that they constantly face a complex landscape of legal and regulatory challenges, as well as a rapidly evolving role.

Microsoft Alert: APT29 is Back With its New Tool MagicWeb

Actors responsible for the SolarWinds attack are back

The attackers behind the SolarWinds supply chain attack, APT29, are back and have added a new weapon to their attack inventory. Known as MagicWeb, it is a post-compromise capability used to keep continuous access to breached environments and to move laterally.

Experts at Microsoft noticed the Russia-backed Nobelium APT using the backdoor after gaining administrative rights to an Active Directory Federated Services (AD FS) server. 

Use of MagicWeb to get privileged access 

With that privileged access, the hackers replace a legitimate DLL with the malicious MagicWeb DLL, so that AD FS loads the malware and it appears legitimate.

Like domain controllers, AD FS servers authenticate users. MagicWeb subverts this on behalf of the hackers by letting them manipulate the claims that pass through the authentication tokens generated by an AD FS server, so they can authenticate as any user on the system.

MagicWeb is better than previous versions 

As per Microsoft, MagicWeb is a better version of the earlier used FoggyWeb tool, which also makes a steady foothold inside the target networks. 

Researchers at Microsoft say that MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly. It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML.

In the report, Microsoft noted that the hackers are targeting corporate networks with MagicWeb, their latest authentication bypass capability. It is highly sophisticated and allows the hackers to keep control of the victim's network even after defenders try to eject them.

Stealing data isn't the only aim

We should also note that the hackers are not depending on supply chain attacks, this time, they are exploiting admin credentials to execute MagicWeb. 

The backdoor secretly adds an advanced access capability so that the threat actors can carry out actions beyond stealing data. For example, the threat actor can log in to the environment's Active Directory as any user.

A lot of cybersecurity agencies have found sophisticated tools, this includes backdoors used by SolarWinds' hackers, among which MagicWeb is the latest one discovered and identified by Microsoft. 

How to protect yourself?

To stay safe from such attacks Microsoft recommends "practicing credential hygiene is critical for protecting and preventing the exposure of highly privileged administrator accounts. This especially applies on more easily compromised systems like workstations with controls like logon restrictions and preventing lateral movement to these systems with controls like the Windows Firewall."
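Because MagicWeb works by replacing a legitimate DLL that AD FS loads, one practical detection control is a file-integrity baseline of the directories an AD FS server loads assemblies from, compared on a schedule. The following script is an added example written for this post, not code from Microsoft or SolarWinds; the directory paths are assumed defaults for a Windows Server AD FS host and should be adjusted to the server being audited.

```python
"""Baseline-and-diff integrity check for the DLLs an AD FS server loads.

Record the SHA-256 of every DLL under the AD FS install directory and the .NET
Global Assembly Cache on a known-good server, then compare the live state
against that baseline: a modified, added or removed DLL is worth investigating.
"""
import hashlib
import json
from pathlib import Path

# Assumed default locations on a Windows Server AD FS host (adjust as needed).
DEFAULT_DIRS = [
    r"C:\Windows\ADFS",
    r"C:\Windows\Microsoft.NET\assembly",
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assemblies are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(dirs, suffix: str = ".dll") -> dict:
    """Map every file with the given suffix (case-insensitive) to its SHA-256."""
    baseline = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue  # missing directory: nothing to hash, not an error
        for p in root.rglob("*"):
            if p.is_file() and p.suffix.lower() == suffix:
                baseline[str(p)] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return DLLs added, removed, or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3 or sys.argv[1] not in ("baseline", "check"):
        sys.exit("usage: adfs_dll_audit.py baseline|check <baseline.json>")
    store = Path(sys.argv[2])
    if sys.argv[1] == "baseline":
        save_baseline(build_baseline(DEFAULT_DIRS), store)
    else:
        result = compare(load_baseline(store), build_baseline(DEFAULT_DIRS))
        print(json.dumps(result, indent=2))
```

The baseline file should be stored off the AD FS server (an attacker with admin rights on the host could otherwise rewrite it along with the DLL), and every non-empty diff after a patch window should be reconciled against the expected update before it is dismissed.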

SolarWinds Alerted About Attacks Targeting Web Help Desk Instances


SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances that were exposed to the Internet and recommended they remove those from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is helpdesk ticketing and IT inventory management software for businesses, designed to automate ticketing and IT asset management operations.

SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more." 

Customers who are unable to remove WHD instances from Internet-accessible servers should install EDR software and monitor them for attack attempts. SolarWinds hasn't been able to replicate the scenario, and the company is working with the customer to analyse the report.

A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted." 

Although SolarWinds did not specify what tools or tactics were used in the attack, there are at least four security flaws that an attacker could use to target an unpatched WHD instance:
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6 
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1 
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1 
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8 

According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.

Log4j Attacks Target SolarWinds and ZyXEL

According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices with the Log4Shell vulnerability, and ZyXEL is known to use the Log4j library in its software.

Attacks on SolarWinds and ZyXEL devices involving the Log4j library have been reported by Microsoft and Akamai. The SolarWinds vulnerability, a zero-day in the Serv-U file-sharing service, has been assigned CVE-2021-35247 and has been used alongside Log4j attacks.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query from supplied data and send it across the network without sanitization.

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier. SolarWinds patched the vulnerability in Serv-U version 15.3. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user unsanitized input!" he said. This could be used not only in Log4j attacks but also for LDAP injection.

SolarWinds stated in its advisory that the Serv-U web login screen for LDAP authentication was permitting characters that were not appropriately sanitized, and that it had modified the input mechanism "to do further validation and sanitization." According to a SolarWinds official, the attacker cannot log in to Serv-U, and the Microsoft researcher is referring to failed attempts, because Serv-U doesn't use Log4j code.
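The defect class described above, an LDAP filter built from unsanitized login input, is easy to show side by side with the fix. The example below is added for this post and is not Serv-U code or SolarWinds' patch; the function names are this example's own, no directory is contacted, and the escaping follows RFC 4515 section 3, which is the sanitization any LDAP login form should apply before a value reaches a filter.

```python
"""LDAP filter construction: unsanitized versus RFC 4515-escaped input."""

# RFC 4515 section 3: these characters must be encoded as \XX (hex of the byte)
# inside an assertion value, otherwise they change the filter's structure.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Control and non-ASCII characters: encode each UTF-8 byte as \XX.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the raw username is spliced into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def login_filter_safe(username: str) -> str:
    """Hardened form: the username is escaped, so it can only ever be a value."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def count_filter_nodes(filter_str: str) -> int:
    """Each unescaped '(' opens one filter node; escaped parentheses do not.

    A login filter with a fixed shape should always produce the same count, so a
    changed count means the input altered the filter's structure.
    """
    return filter_str.count("(")


if __name__ == "__main__":
    # Constructed sample input: a value containing filter metacharacters.
    sample = "*)(objectClass=*"
    for label, fn in (("unsafe", login_filter_unsafe), ("safe", login_filter_safe)):
        f = fn(sample)
        print(f"{label:6} nodes={count_filter_nodes(f)} {f}")
```

Running the block prints 4 filter nodes for the unsafe version and 3 for the safe one: the unsafe filter has acquired an extra assertion that the login form never intended, whereas in the escaped filter the whole input remains a single attribute value.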

The unauthenticated remote code execution (RCE) vulnerability in Log4j, identified as CVE-2021-44228, has also been repurposed to infect Zyxel networking equipment and help spread malware used by the Mirai botnet, according to Akamai researchers. By the time the researchers tried to retrieve the Java payload class, the LDAP server hosting the exploit was no longer active. Zyxel is thought to have been singled out because it had published an article stating that it had been affected by the Log4j flaw.

The situation surrounding Log4Shell has remained unchanged since last month, and threat actors looking to gain access to corporate networks continue to target and exploit the vulnerability. Ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported to have exploited it. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications using it are likely to persist because not all of those applications have published security updates, leaving many systems vulnerable and creating a breeding ground for exploitation that will last for years.

Microsoft: Russia Behind 58% Detected State-Backed Hacks


According to the latest report of Microsoft, Russian-sponsored malicious actors are becoming more successful at breaching targets in the United States and other developed countries. Russia is responsible for most state-sponsored cybercrimes over the past years, Microsoft added. 

Russian hackers were found to be involved in 58% of government-linked cyber crimes including crimes on government agencies and think tanks in the United States, followed by Ukraine, Britain, and European NATO members. 

Furthermore, other countries like China, North Korea, and Iran, have also been highly active in cyber security crimes on the important infrastructure of governments and non-profit organizations, Microsoft said in its second annual Digital Defense Report, which covers July 2020 through June 2021. 

The SolarWinds hack, an unusual attack in early 2020 in which hackers gained access to the networks, systems, and data of thousands of SolarWinds customers, has also been attributed to Russia. The full scope of what is one of the largest hacks of its kind ever recorded, if not the largest, remains unknown.

After the SolarWinds incident, Russian-backed hackers shifted their focus back to their usual victims: government agencies involved in foreign policy, defense, and national security; think tanks; and health care, where they targeted organizations developing and testing COVID-19 vaccines and treatments in the USA, Canada, Australia, Israel, Japan, and India.

Meanwhile, China accounted for 1 in 10 of the state-sponsored cyberattacks, with a 44% success rate in breaking into victim networks, the report discloses.

On the whole, state-backed cybercrimes have a 10%-20% success rate, said Cristin Goodwin, who heads Microsoft’s Digital Security Unit.

“It’s something that’s really important for us to try to stay ahead of — and keep driving that compromised number down — because the lower it gets, the better we’re doing,” Goodwin added. 

“2021 brought powerful reminders that to protect the future we must understand the threats of the present. This requires that we continually share data and insights in new ways…” 

“…Certain types of attacks have escalated as cybercriminals change tactics, leveraging current events to take advantage of vulnerable targets and advance their activity through new channels”, the report said.

Microsoft said an Attacker had Won Access to its Customer-Service Agents


On Friday, Microsoft revealed that an attacker gained access to one of its customer-service agents and then used the data to begin hacking attempts against customers. The company claimed it discovered the breach while responding to hacks by a group it blames for previous significant breaches at SolarWinds and Microsoft. 

Microsoft stated that the impacted consumers had been notified. According to a copy of one warning seen by Reuters, the attacker belonged to the Microsoft-designated Nobelium group and had access in the second half of May. "A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions," according to the warning. The US government has officially blamed the Russian government for the earlier assaults, which it denies. 

Microsoft claimed it had discovered a breach of its own agent, who it said had limited powers, after commenting on a larger phishing attack it said had affected a small number of businesses. Among other things, the agent might access billing contact information and the services that consumers pay for. "The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign," Microsoft said.

Microsoft advised concerned consumers to be cautious when communicating with their billing contacts and to consider changing their usernames and email addresses, as well as preventing users from logging in with outdated usernames. Three entities have been compromised in the phishing attempt, according to Microsoft. It was unclear whether any of those whose data was viewed through the support agent were among those whose data was viewed through the broader campaign, or if the agent had been duped by the broader campaign. 

Nobelium's recent breach, according to a spokeswoman, was not part of the threat actor's prior successful attempt on Microsoft, in which it stole some source code. In the SolarWinds hack, the organization changed code at the company to get access to SolarWinds clients, which included nine federal agencies in the United States. 

According to the Department of Homeland Security, the attackers took advantage of flaws in the way Microsoft programmes were configured at SolarWinds customers and others. Microsoft eventually revealed that the hackers had hacked into its own employee accounts and taken software instructions that regulate how the company verifies user identities.

Russian Hacking Group Nobelium Attacks 150 Organizations, Hacks Mails

Nobelium, the Russian hacking group responsible for the 2020 SolarWinds cyberattacks, is back in the game. This time it used Constant Contact, a cloud marketing service, in a phishing attack that resulted in the compromise of 3,000 email accounts across 150 organizations. Microsoft disclosed the latest attack in a blog post titled "Another Nobelium Cyberattack", which warned that the group aims to hack into trusted technology providers and attack their customers.

This time, Nobelium didn't use the SolarWinds network monitoring tool for the attack but gained access to the Constant Contact account of USAID (United States Agency for International Development). Tom Burt, Microsoft's corporate vice president of customer security and trust, said: "using the legitimate mass mailing service Constant Contact, Nobelium attempted to target around 3,000 individual accounts across more than 150 organizations. Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients."

After hacking the Constant Contact email service via a USAID account, Nobelium distributed authentic-looking phishing emails containing a link which, when opened, delivered a malicious file, "NativeZone", used to deploy a backdoor. The backdoor could enable multiple activities such as data theft and compromising other computer networks. Constant Contact said that it was aware of an account breach affecting one of its customers, that it was an isolated incident, and that it had deactivated all the affected accounts while working with law enforcement agencies. Microsoft says that most of the attacks targeting its customers were blocked automatically by Windows Defender, which also blocked the malware used in the attack.

"We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC). team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," said Burt.

SolarWinds Hack Alarms US Spy Agencies to Inspect Software Suppliers' Ties with Russia


US intelligence agencies have started to study supply chain threats from Russia, a top official within the Justice Department confirmed on Thursday 6th of May, in the wake of the far-reaching hacker operations that used software developed by SolarWinds as well as other suppliers. 

SolarWinds Inc. is an American multinational that creates software to help companies manage their IT infrastructure, systems, and networks. It is based in Austin, Texas, and has distribution and product development branches at several US locations and other countries.

According to John Demers, Assistant Attorney General for National Security, the examination will concentrate on any supply chain vulnerabilities arising from Russian businesses—or US businesses operating in Russia. 

“If there’s a back-end software design and coding being done in a country where we know that they’ve used sophisticated cyber means to do intrusions into U.S. companies, then maybe … U.S. companies shouldn’t be doing work with those companies from Russia or other untrusted countries,” Demers stated during a Justice Department-hosted cybersecurity conference. 

Demers stated that any information gathered from the Commerce Department would be passed on to the FBI and the other intelligence officials to determine whether more actions are required to remove suppliers from the U.S. supply chains or not. 

The White House accused Russia's SVR foreign intelligence agency of the spying operation, which used SolarWinds software and penetrated at least nine U.S. federal agencies. The Biden administration has also sanctioned Russian technology firms for financing the cyber operations of Russian intelligence agencies. Moscow rejected the allegations.

U.S. intelligence analysis also indicates that the Biden administration is examining how future spying operations might mimic the SVR's use of weak points in U.S. technology companies' networks.

An extensive range of US government and businesses were exposed to infiltration by allegedly Russian hacking. Initially, SolarWinds, stated that the malicious code had been downloaded by 18,000 customers. However, the original target list of spies was made up of 100 corporations and, as per the White House, at least nine federal agencies. 

Concerns of American officials regarding exposures to the supply chain have indeed increased in recent weeks as certain hacks arose. 

A 2019 executive order signed by then-President Donald Trump, which forbids US telecommunications companies from using hardware that constitutes a national security risk, appears to authorize the supply chain inspection.

Although the executive order was widely seen as an effort to further limit the Chinese telecommunications company Huawei's access to US markets, it can also be applied to various other technologies from other countries. U.S. intelligence officers are tasked with constantly reviewing international supply chain threats and providing for additional "rules and regulations" to recognize innovations or nations that may pose a danger. 

In the supply chain screening, the US intelligence officials have long expressed fears that Moscow could use the Russian suppliers' technology to spy on America.

Backdoor Affects 20,000 U.S Agencies Via Microsoft Vulnerability

A backdoor has been installed in more than 20,000 US organizations through recently patched flaws in Microsoft Corp's email software, said an individual aware of the U.S. government's response. The hacks have already spread further than the malicious code downloaded in the SolarWinds Corp attack, the organization that suffered most in the December cyberattack. The recent attack has left channels open that can be accessed remotely, spread across small businesses, city governments, and credit unions, according to reports from U.S. investigators.

The records also reveal that tens of thousands of enterprises in Europe and Asia were affected. The backdoors remain in place even though Microsoft issued security patches earlier this week. Microsoft earlier described the hacks as "limited and targeted attacks," but now declines to comment on the current state of the problem. It said the company is working with government authorities and security firms to deal with the issue. Reuters says, "more attacks are expected from other hackers as the code used to take control of the mail servers spreads."

A scan revealed that only about 10% of the connected vulnerable devices had installed the security patches, though the number is rising. Because the patch does not remove backdoors that are already in place, the US government is trying to figure out how to assist the victims. The compromised systems appear to be self-hosted installations running the web version of the Outlook email client rather than cloud-hosted email; experts say this may be why many large agencies and government authorities were spared.

White House press secretary Jen Psaki told the media earlier this week that the vulnerabilities revealed in Microsoft's popular Exchange servers are serious and could have a wide impact, and that there is concern there may be more victims. "Microsoft and the person working with the U.S. response blamed the initial wave of attacks on a Chinese government-backed actor. A Chinese government spokesman said the country was not behind the intrusions," reports Reuters.

Microsoft made CodeQL Queries Public for SolarWinds Attack Detection

Microsoft has won acclaim from security researchers by making its CodeQL queries public, so that any organization can use the open-source tools to check whether it was affected by the SolarWinds hack or similar supply chain attacks. "There is no guarantee that the malicious actor is constrained to the same functionality or coding style in other operations, so these queries may not detect other implants that deviate significantly from the tactics seen in the Solorigate implant," Microsoft says. "These should be considered as just a part in a mosaic of techniques to audit for compromise."

CodeQL treats code as data, which allows developers to write a query that finds all the variants of a vulnerability and then share it with others. CodeQL is an open-source semantic code analysis engine that works in two stages. First, as part of compiling source code into binaries, CodeQL builds a database that captures a model of the code being compiled.

"For interpreted languages, it parses the source and builds its own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried repeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex code conditions from the database," Microsoft notes. 
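To make the "query code as if it were data" idea concrete, here is a small added example written for this post in plain Python; it is not CodeQL and not Microsoft's Solorigate queries. It does what the passage describes for an interpreted language: parse source into an abstract syntax tree with the standard library, then run a query over that tree. The query looks for one code-level pattern, a call to a query-like function whose first argument is built by string concatenation or an f-string. The sink names and the sample source are constructed for the example.

```python
"""Querying code as data: an AST-based analogue of a CodeQL query."""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed set of function names treated as query sinks for this example.
SINK_NAMES = {"execute", "search", "search_s", "run"}


@dataclass
class Finding:
    func: str   # name of the called function
    line: int   # source line of the call
    kind: str   # how the argument was built: "concatenation" or "f-string"


def _call_name(node: ast.Call) -> str:
    """Return the simple name of a call target: run(...) or obj.run(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _dynamic_string_kind(node: ast.AST) -> Optional[str]:
    """Classify an argument that is assembled at run time from non-constants."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # "a" + "b" is still a constant; anything else is dynamic.
        if not (isinstance(node.left, ast.Constant) and
                isinstance(node.right, ast.Constant)):
            return "concatenation"
    return None


def find_dynamic_sink_calls(source: str, sinks=SINK_NAMES) -> List[Finding]:
    """Stage 1: build the AST 'database'. Stage 2: query it for the pattern."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and node.args and _call_name(node) in sinks:
            kind = _dynamic_string_kind(node.args[0])
            if kind:
                findings.append(Finding(_call_name(node), node.lineno, kind))
    findings.sort(key=lambda f: f.line)
    return findings


# Constructed sample source for the example (line numbers start after the
# leading newline, so the first call is on line 3).
SAMPLE = '''
def lookup(conn, cur, user):
    conn.search_s("(uid=" + user + ")")      # line 3: concatenation
    conn.search_s(f"(mail={user})")          # line 4: f-string
    conn.search_s("(objectClass=user)")      # line 5: constant, fine
    cur.execute("SELECT 1")                   # line 6: constant, fine
'''

if __name__ == "__main__":
    for f in find_dynamic_sink_calls(SAMPLE):
        print(f"line {f.line}: {f.func}() called with {f.kind} argument")
```

A real CodeQL query reasons over data flow rather than syntax alone, so it would follow `user` from the request that supplied it to the sink; this example stops at the syntactic pattern, which is enough to show why a query written once can be re-run over any code base the database model covers.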

In a blog post detailing how it used CodeQL, Microsoft referred to the SolarWinds attack as Solorigate. In this case, the attacker got into the remote management software servers of numerous organizations by inserting a backdoor into the SolarWinds Orion software update. The attacker modified the Orion binaries and distributed them through previously legitimate update channels. This let the attacker remotely perform malicious activities, such as credential theft, privilege escalation, and lateral movement, to steal sensitive information.

Microsoft said the SolarWinds incident has reminded organizations to reflect not just on their readiness to respond to sophisticated attacks, but also on the strength of their own codebases. In the blog, Microsoft explains its use of CodeQL queries to examine its source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.

SolarWinds CEO: “SolarWinds Orion Development Program was Exploited by the Hackers”


Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that 'suspicious activity' was spotted in its Office 365 environment which allowed threat actors to gain access to and exploit the SolarWinds Orion development environment. The threat actors got into SolarWinds' environment via compromised credentials and a third-party application with a zero-day vulnerability.

The threat actors used a compromised SolarWinds email account to programmatically access the accounts of targeted SolarWinds employees in business and technical roles. They then used the compromised credentials of SolarWinds personnel as a doorway to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. Microsoft first alerted SolarWinds to a breach of its Office 365 environment on December 13, the same day news of the data breach went public.

Ramakrishna wrote in a blog post that “we’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”

“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products”, he further added.

SolarWinds' investigators have not found a specific flaw in Office 365 that would have allowed the threat actors to enter the firm's environment through Office 365. Ramakrishna believes that the Russian foreign intelligence service played a significant role in the SolarWinds hack. SolarWinds is analyzing data from various systems and logs, including its Office 365 and Azure tenants.

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal that SolarWinds has no direct link to about 30 percent of the private sector and government victims of the massive hacking campaign, but investigators have failed to identify another company whose products were widely compromised. SolarWinds' investigation will continue for at least another month because of the threat actors' meticulous effort to remove evidence of their actions.