In case you missed the kickoff this week, it’s been discovered that 30% of those breached did not run SolarWinds products.
Trustwave researchers have found three new vulnerabilities in the Orion codebase; their review was prompted by the breach. All three have been patched.
SolarWinds has also revealed evidence that the attackers were in its Office 365 accounts for months, with access to at least one account dating back to December 2019. They used that foothold to reach other email accounts. One theory – and it is still only a theory – is that accounts were compromised even earlier and were the initial point of entry.
Israeli cybersecurity firm Silverfort says attackers may have used SolarWinds’ service account to do their lateral moves.
Per Reuters, anonymous sources say a second, different actor exploited SolarWinds to get into the National Finance Center, the payroll group of the USDA. This actor is a suspected Chinese group, separate from the one the US has attributed to Russian government operatives. SolarWinds patched the vulnerability involved in November.
On attribution, the US government has stated that the attack is “likely Russian in origin”. This was echoed by Secretary of State Mike Pompeo in December, and by the Washington Post in its reporting that month.
The Department of Homeland Security’s Einstein system, designed as its intrusion detection system, is getting further scrutiny. It failed to detect the breach, appears incapable of doing so, and would be too costly to overhaul… and too costly to throw out.
Finally, I’m including a good “long read” – a Fortune piece called “After SolarWinds, the U.S. can trust no one”, focused on zero trust in the supply chain. The Council for Foreign Affairs also weighed in: it wasn’t tools, but good old-fashioned detective work, that found the breaches.
Why do we care?
We now have multiple actors using multiple vectors. So far, we don’t actually know how the attackers got into SolarWinds. There are theories, but we don’t know how it was breached. We also know it wasn’t the only breach.
I noted that service-account vector today. How many tools in a provider’s arsenal have absolute administrative access to everything? I bet it’s a LOT more than you would like it to be. That whole “don’t trust a vendor” idea starts getting really scary when you realize how much access they have.
Keep learning. This is a story with lessons each time.