
Continued updates on the SolarWinds hack

The SolarWinds hack story rolls on, and as I think what happens here matters, I’ll keep pulling updates.

Microsoft has reported that its own systems had the compromised code, but reported no access to production services or customer data. Microsoft President Brad Smith offered insights that of the 18,000 organizations that downloaded the compromised software, possibly as few as 0.2 percent had the second-stage payload installed, and that of the 40 chosen, 80% were in the US; he also shared a heat map showing the customers impacted.

Additionally, the Washington Post has outlined the failures of Einstein, the US Government’s detection system, which focuses on finding new uses of known malware and on detecting connections to the parts of the internet used in previous hacks. The oversight? It was not equipped to find novel malware or connections, despite a 2018 suggestion that building that capability would be useful.
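As an added illustration (not from the Post’s reporting or from the Einstein program itself), here are the two detection styles that paragraph contrasts, run over constructed connection log lines: indicator matching catches only destinations already on a known-bad list, while a baseline check flags destinations never seen before and so can surface novel infrastructure. The known-bad set, the hostnames and the log lines are all constructed for the example.

```python
"""Indicator-only detection versus baseline detection over constructed logs."""

# Constructed "known-bad" indicators, standing in for a threat-intel feed.
# Reserved example names only; these are not real indicators.
KNOWN_BAD = {"bad.example.net", "203.0.113.10"}

# Constructed outbound-connection log, one "<day> <source_host> <destination>" per line.
LOG_LINES = """\
1 ws01 updates.example.com
1 ws02 updates.example.com
2 ws01 mail.example.com
2 ws03 bad.example.net
3 ws02 mail.example.com
8 ws01 novel-c2.example.org
8 ws01 updates.example.com
""".strip().splitlines()


def parse_line(line):
    """Split one log line into (day, source_host, destination)."""
    day, host, dest = line.split()
    return int(day), host, dest


def indicator_hits(lines, known_bad=KNOWN_BAD):
    """Indicator matching: flag only destinations already on the known-bad list.

    Anything not yet in the feed (here, novel-c2.example.org) passes silently,
    which is the gap the text attributes to Einstein.
    """
    return [(day, host, dest) for day, host, dest in map(parse_line, lines)
            if dest in known_bad]


def novel_destinations(lines, baseline_days=7):
    """Baseline matching: flag destinations never seen during the baseline window.

    This needs no prior knowledge of the destination, only a history of normal
    traffic. Note the trade-off: a bad destination that was already talking
    during the baseline (bad.example.net on day 2) is learned as "normal", so
    the two checks complement rather than replace each other.
    """
    seen = set()
    novel = []
    for day, host, dest in sorted(map(parse_line, lines)):
        if day <= baseline_days:
            seen.add(dest)
        elif dest not in seen:
            novel.append((day, host, dest))
            seen.add(dest)  # report each new destination once
    return novel
```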

Beyond that, the Post is also reporting, per CISA, that other malware is in circulation as well, including one leveraging Microsoft’s Exchange Control Panel, and that Austin’s city network was breached in a seemingly separate Russian hack. Bleeping Computer is reporting on ongoing investigations of other lines of attack, including that use of Exchange Server.

SolarWinds MSP is revoking its digital certificates for its tools and issuing new ones as a precautionary measure and best practice; it indicates it has found no evidence that its products have been compromised.

Why do we care?

The supply chain question is what interests me; it is also worth noting that SolarWinds, while a key component of this, is certainly not the only vulnerability or entry point in this chain of events.

I’m tracking some buzz in several communities about exactly this – the need to be more skeptical of vendors and the software they supply, and to leverage systems like FedRAMP to ensure a higher standard of software.

That will be one of the lessons for big companies coming out of this that smaller ones will need to embrace – blind trust of the vendor is going to get you into trouble.