WebProNews

Tag: Orion IT

  • SolarWinds Attack More Widespread, 30% Of Victims Did Not Use Software

    A troubling detail has come to light as part of the SolarWinds investigation, namely that 30% of victims didn’t use the software in question.

    The SolarWinds attack was one of the worst cybersecurity breaches in US history. Hackers compromised SolarWinds’ Orion IT software, injecting a trojan that allowed them to target companies and organizations using the software. The attack is what is known as a supply chain attack: it compromised legitimate software in the supply chain before that software was distributed to customers.

    According to new information, however, it appears the hackers behind the attack were not relying solely on SolarWinds software since roughly 30% of victims weren’t using it.

    The hackers “gained access to their targets in a variety of ways. This adversary has been creative,” Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”

    The revelation casts a new light on the attack, and the ingenuity the hackers demonstrated, as well as the threat they pose.

  • Google Not Impacted by SolarWinds Hack, Despite Using Its Software

    Google has announced it was not impacted by the SolarWinds hack, one of the biggest cybersecurity breaches in US history.

    Corporations and government agencies were compromised by a supply chain attack involving SolarWinds’ Orion IT software. Hackers managed to compromise Orion IT, creating a trojanized version that left organizations using it open to attack.

    Despite using SolarWinds software, Google has announced it is not one of the companies impacted. Phil Venables, CISO, Google Cloud, confirmed the information in a blog post:

    Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event. We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.

    This is good news for Google, as well as its cloud customers.

  • Judiciary Returning to Paper In Wake of SolarWinds Attack

    The US Judiciary is going decidedly low-tech in an effort to protect important information in the wake of the SolarWinds attack.

    The SolarWinds attack was one of the most devastating hacks the US has experienced. Multiple government agencies were compromised, with the federal Judiciary suspected to be among them.

    The attack was so successful because it was a supply chain attack. Rather than attacking individual target organizations, a supply chain attack relies on compromising a legitimate piece of software upstream in the supply chain, installing a trojan in it, and then gaining access to every organization that uses the software in question. In this case, the compromised software was SolarWinds’ Orion IT monitoring and management software, used by government agencies and corporations alike.

    In the wake of the attack, access to public documents will not be impacted, but the Judiciary is taking no chances with sensitive documents.

    Under the new procedures announced today, highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to CM/ECF. This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public.

    These extraordinary measures are the latest indication of the damage and impact the SolarWinds attack has had on public and private institutions.

  • FBI Investigating If JetBrains Was Compromised by SolarWinds Hackers

    The FBI is trying to determine if JetBrains was compromised as part of the SolarWinds attack.

    The SolarWinds attack was one of the largest, most damaging hacks against US government and corporate entities. Some experts have said it will take months, or even years, to understand the extent of the damage.

    What made the SolarWinds attack so successful was that it was a supply chain attack. Rather than attempting a brute force attack, or tricking organizations into installing suspect software, hackers compromised SolarWinds’ Orion IT monitoring and management software. Since this legitimate software is in use by countless organizations, compromising it and installing a trojan directly in it let the hackers reach every organization running Orion IT.

    The FBI is now concerned that a second application may have been compromised in a similar manner, according to Reuters. JetBrains makes a project management application called TeamCity. Like Orion IT, TeamCity is used by companies around the world, making it extremely important to determine whether it was compromised as well.

    “We are not aware of any investigation nor have we been contacted by any agencies,” a JetBrains spokesman said. “We are not aware of any vulnerabilities in the product or breaches that would allow for this, nor that any of our customers were affected.”

  • SolarWinds Hackers Gained Access to Microsoft Source Code

    Microsoft has revealed that hackers viewed some of its source code as part of the SolarWinds attack that government agencies are still investigating.

    The SolarWinds attack is one of the most devastating cyberattacks perpetrated against US companies and government agencies. Believed to be the work of Russian hackers, the attack was a supply chain attack, compromising SolarWinds’ Orion IT monitoring and management software.

    As one of the organizations impacted, Microsoft has now revealed the hackers viewed some of its source code, but did not make any modifications.

    We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.

    Microsoft is not concerned about the source code being viewed, since the company’s security protocols assume its source is being viewed by outside elements.

    At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.

    As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.

    Although Microsoft appears to be containing the damage adequately, the degree to which the attackers penetrated one of the biggest tech companies in the world is further evidence of just how successful the SolarWinds attack was.

  • Organizations Compromised in SolarWinds Supply Chain Attack

    FireEye has uncovered a sophisticated intrusion campaign against government and corporate organizations, using a supply chain attack.

    Supply chain attacks are among the most sophisticated types of hacks in existence. While many hacks rely on convincing a target to download malicious software, a supply chain attack inserts malicious code into legitimate software before it is distributed to customers, attacking the software supply chain itself.

    The attack in question uses a compromised update to SolarWinds’ Orion IT monitoring and management software, with FireEye calling the compromised version “SUNBURST.” The trojanized version is incredibly sophisticated, using various methods to avoid detection while communicating with third-party servers.

    “After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs’, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services,” writes FireEye’s team. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

    The trojan has enabled hackers to monitor email communications at the US Treasury and Commerce departments, according to Reuters. FireEye says victims have also “included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” Since the attack is still in progress, FireEye expects additional victims to be identified.

    To mitigate the attack, “SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. In addition, SolarWinds has released additional mitigation and hardening instructions here.”

    If an organization is unable to update, FireEye has outlined additional mitigation steps that should be taken in the meantime.