Making this my lead because of the importance.
The Wall Street Journal is reporting updates from investigators on the SolarWinds breach. Turns out, 30% of those breached… didn’t run SolarWinds. Per DHS… “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign”.
Malwarebytes also agrees. A number of its Microsoft Office 365 accounts were compromised using another vector entirely.
Why do we care?
It’s a larger campaign than was initially thought. I was struck by a question on a forum this weekend, when someone asked “Does anyone still trust SolarWinds?”. A savvy researcher responded, “Why do you trust any vendor?”
Two things we care about today. First, it’s not the SolarWinds hack; it’s larger than that. Just as “UK variant” or “South African variant” is an unfortunate label for a coronavirus strain, “the SolarWinds hack” is an unfortunate label here, and anyone in security is going to need to be careful with verbiage.
Second, if your instincts are to blame the vendor, find another approach. A vendor is going to be breached, and you have to be designing with that in mind. If you don’t know how… well, you’re not alone, and we’re all learning a lot here.