The massive hack by Russian state-sponsored hackers continues to unfold as additional data points emerge. In a disclosure to the SEC, SolarWinds indicates that it believes fewer than 18,000 customers were impacted and that the vulnerability existed between March and June 2020. The company is also being criticized by security researchers for failing to remove the compromised binary from its website or revoke the certificate used to sign it. Of note, the company has quietly removed a webpage that listed its customers.
Researchers have also revealed details about how the hackers bypassed multi-factor authentication using a clever methodology to escape detection. Details in a link in the show notes.
Researchers are also outlining how the profile of the attack is classic espionage: used in very targeted, stealthy ways to get the most out of the access gained. The list of affected federal agencies has expanded to include the Department of Homeland Security, the State Department, and the NIH, and is expected to continue to grow.
Why do we care?
Security researchers are observing that victims are going to need to do more than recover their SolarWinds instances: they will also need to reset passwords, rebuild devices, and carry out other restoration activities.
Additionally, it highlights the need to monitor the monitor: watching Orion's telemetry for new, unusual, or suspicious network communication patterns.
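As an added illustration of that idea (not from the original post, SolarWinds, or Bleeping Computer), here is a small Python script that baselines an Orion host's outbound flows from a known-good window and flags anything outside it, separating external destinations from new internal peers or ports. The log format, host name and addresses are constructed for the example.

```python
"""Baseline-and-diff check for a monitoring server's outbound flows.
All log lines and addresses below are constructed for illustration;
they are not real Orion telemetry."""

# Constructed flow records: "timestamp src dst dport proto"
BASELINE_LOG = """\
2020-03-01T10:00:01 orion01 10.0.0.21 161 udp
2020-03-01T10:00:02 orion01 10.0.0.22 161 udp
2020-03-01T10:00:03 orion01 10.0.0.50 1433 tcp
2020-03-01T10:05:00 orion01 10.0.0.21 22 tcp
"""

REVIEW_LOG = """\
2020-06-01T10:00:01 orion01 10.0.0.21 161 udp
2020-06-01T10:00:02 orion01 10.0.0.50 1433 tcp
2020-06-01T10:00:09 orion01 203.0.113.7 443 tcp
2020-06-01T10:00:15 orion01 10.0.0.99 5985 tcp
"""


def parse_flows(text):
    """Yield (dst, dport, proto) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing the check
        _ts, _src, dst, dport, proto = parts
        yield dst, int(dport), proto


def build_baseline(text):
    """Set of (dst, dport, proto) seen during the known-good window."""
    return set(parse_flows(text))


def is_private(ip):
    """RFC 1918 check; sufficient for the constructed IPv4 addresses."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def find_new_flows(baseline, text):
    """Return flows absent from the baseline, each tagged with a reason."""
    findings = []
    for flow in parse_flows(text):
        if flow in baseline:
            continue
        dst, _dport, _proto = flow
        reason = "external destination" if not is_private(dst) else "new internal peer/port"
        findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in find_new_flows(build_baseline(BASELINE_LOG), REVIEW_LOG):
        print(reason, flow)
```

A real deployment would build the baseline from weeks of NetFlow or proxy logs rather than four lines, but the review question is the same: which destinations did the monitoring server start talking to that it never talked to before?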
This is going to be critically important to track. As I mentioned yesterday, understanding how the code was put into place will be incredibly important. We still do not fully know the extent of the damage. Other organizations in the supply chain are likely compromised as well.
Beyond that, use this as a case study of the worst-case scenario to mine for as much knowledge as you can. Think it through – the opponent has essentially unlimited resources by being backed by a government agency to take actions against their target… and the target could one day be you.
Source: Bleeping Computer