WebProNews

Tag: SolarWinds

  • SolarWinds Is in Trouble With the SEC Over Supply Chain Attack

    SolarWinds is facing monetary and enforcement consequences as a result of the 2020 supply chain attack against it.

    SolarWinds was the victim of a supply chain attack in which attackers compromised one of SolarWinds' IT tools, Orion, which is used by companies and government agencies around the world. As a result, up to 18,000 of SolarWinds' customers downloaded the compromised software, and a smaller subset of those were then singled out for follow-on intrusion.

    It appears the company is now facing the consequences, both with shareholders and the SEC. In a filing with the SEC, the company says it has agreed to pay shareholders $26 million.

    SolarWinds entered into a binding settlement term sheet with respect to the previously disclosed consolidated putative class action lawsuit…. The settlement, if approved, would require the Company to pay $26 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement.

    The company also disclosed that it had received a Wells notice from the SEC, which could lead to enforcement action.

    Also on October 28, 2022, the enforcement staff of the U.S. Securities and Exchange Commission (the “SEC”) provided the Company with a “Wells Notice” relating to its investigation into the previously disclosed cyberattack on the Company’s Orion Software Platform and internal systems. The Wells Notice states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.

    It is not surprising the SEC is taking such action. The SolarWinds attack was one of the most damaging cyberattacks in history and had a profound impact on companies and agencies; the US Judiciary even went so far as to move its most sensitive court filings back to paper in the wake of the attack.

  • Microsoft: Russia-Backed SolarWinds Hackers Targeting Cloud Services

    Microsoft is warning that Nobelium, the group behind the SolarWinds attack, is active again and targeting cloud services.

    Nobelium is Microsoft's name for the threat actor it attributes to Russia's Foreign Intelligence Service (SVR). The group was responsible for the devastating SolarWinds attack in 2020, which hit multiple US government agencies as well as high-profile corporations, including Microsoft.

    Tom Burt, Microsoft Corporate Vice President, Customer Security & Trust, warns in a blog post that the group is once again active and is targeting companies that provide cloud services:

    Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.

    Burt writes that Nobelium has already been extremely active in 2021:

    These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

    The increased rate of attacks indicates that Russia is working to establish a long-term digital foothold across cloud infrastructure platforms:

    This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.

    The revelation is further evidence that companies and organizations of all sizes need strong, comprehensive security policies and products built with a security-first mindset. It also carries a specific lesson for anyone who buys through a reseller or managed service provider: the access that partner holds into your environment is exactly what Nobelium is trying to piggyback on, so it should be inventoried, limited to what the partner actually needs and monitored like any other privileged account.

  • President Biden Signs Executive Order on Cybersecurity

    President Biden has signed an executive order aimed at improving US cybersecurity in the wake of major attacks.

    The last few months have seen multiple high-profile, crippling cybersecurity attacks on US agencies and businesses. The SolarWinds attack impacted private and public organizations alike, with its full extent still under investigation. Most recently, Colonial Pipeline was hit with a crippling ransomware attack, severely disrupting fuel supply and prices all along the East Coast.

    The threat is exacerbated by hacker groups that are state-sponsored, giving them access to the funds and technology needed to wreak havoc.

    In response, President Biden has issued an executive order aimed at “Improving the Nation’s Cybersecurity.” The order focuses on major changes, rather than incremental improvements, in an effort to keep pace with rapidly-evolving threats.

    Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life. The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).

  • Microsoft Outlook a Major Security Issue for WFH

    Amid an unprecedented transition to work from home (WFH), Microsoft Outlook has come into focus as a security weak point.

    Microsoft 365 has been an important factor for many organizations, helping their employees stay connected and productive while working remotely. Unfortunately, a survey by email security vendor Egress links Microsoft 365 use with a higher reported incidence of email data breaches.

    Egress found “that 85% of organizations using Microsoft 365 have had an email data breach in the last 12 months.” In addition, there was a significant disparity between the number of data leaks experienced by companies using Microsoft 365 and those that weren’t:

    Organizations using Microsoft 365 have seen a 67% increase in data leaks via email since March 2020 – compared to just 32% of the businesses who don’t use it. And these aren’t one-off incidents. We also learned that 15% of Microsoft 365 organizations had been breached over 500 times during that same time period.

    Microsoft is already under scrutiny for its part in the SolarWinds breach. This latest report is sure to be an unwelcome one and will likely increase that scrutiny.

    In the meantime, organizations that rely on Microsoft Outlook would do well to read the Egress report in its entirety.

  • SolarWinds Attack More Widespread, 30% Of Victims Did Not Use Software

    A troubling detail has come to light as part of the SolarWinds investigation, namely that 30% of victims didn’t use the software in question.

    The SolarWinds attack was one of the worst cybersecurity breaches in US history. Hackers compromised SolarWinds’ Orion IT software, inserting a trojan that allowed them to target companies and organizations using it. This is what is known as a supply chain attack: legitimate software was compromised upstream, before it was distributed to customers.

    According to new information, however, the hackers behind the campaign were not relying solely on SolarWinds software: roughly 30% of victims weren’t using it at all.

    The hackers “gained access to their targets in a variety of ways. This adversary has been creative,” Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”

    The revelation casts the campaign in a new light: not running Orion was no guarantee of not being a victim, and the ingenuity the hackers demonstrated underlines the threat they pose.

  • SolarWinds Hack Was Supply Chain Attack, Says Datadog CEO

    Datadog CEO Olivier Pomel discusses how the SolarWinds hack signals an increased focus by hackers to target software earlier in its development:

    The SolarWinds hack was definitely a very big one. It’s not especially surprising to see new important hacks like this one, but it was definitely a very impactful one. What it makes very clear is that there’s going to be even more of an arms race when it comes to security. It’s not surprising; companies are transforming. More and more of their activity is happening online, is happening in software. So there’s much more that can be done by attacking that software.

    What we do is we gather as many signals as possible across observability and monitoring. That is where we come from, and across security as well. What’s interesting here about the SolarWinds hack, in particular, is that it’s what’s called a supply chain attack. This means the attack was made on the code that was shipped to the SolarWinds customer. Then there is this new notion in security called shifting left. By left, it means closer to the developer and earlier in the development process.

    There’s something really interesting there as it relates to us (Datadog) in how we can solve the problem for our customers by bringing security earlier into the development process, tied in more to the operations and the development of the application. That’s definitely something we’re investing in and something that we think is going to be a big area of investment for customers in the future.

  • Google Not Impacted by SolarWinds Hack, Despite Using Its Software

    Google has announced it was not impacted by the SolarWinds hack, one of the biggest cybersecurity breaches in US history.

    Corporations and government agencies were compromised by a supply chain attack involving SolarWinds’ Orion IT monitoring software. Hackers compromised Orion upstream of its release, producing a trojanized update that left organizations installing it open to attack.

    Despite using SolarWinds software, Google has announced it is not one of the companies impacted. Phil Venables, CISO, Google Cloud, confirmed the information in a blog post:

    Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event. We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.

    This is good news for Google, as well as its cloud customers.

  • Judiciary Returning to Paper In Wake of SolarWinds Attack

    The US Judiciary is going decidedly low-tech in an effort to protect important information in the wake of the SolarWinds attack.

    The SolarWinds attack was one of the most devastating hacks the US has experienced. Multiple government agencies were compromised, with the federal Judiciary suspected to be among them.

    The attack was so successful because it was a supply chain attack. Rather than attacking individual target organizations, a supply chain attack compromises a legitimate piece of software up the supply chain, installs a trojan in it and then uses that to gain access to all the organizations that run the software in question. In this case the compromised software was SolarWinds’ Orion IT monitoring and management software, used by government agencies and corporations alike, and the trojanized update reached customers through the vendor’s normal, trusted update channel.

    In the wake of the attack, access to public documents will not be impacted, but the Judiciary is taking no chances with sensitive documents:

    Under the new procedures announced today, highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to CM/ECF. This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public.

    These extraordinary measures are the latest indication of the damage and impact the SolarWinds attack has had on public and private institutions.

  • FBI Investigating If JetBrains Was Compromised by SolarWinds Hackers

    The FBI is trying to determine if JetBrains was compromised as part of the SolarWinds attack.

    The SolarWinds attack was one of the largest, most damaging hacks against US government and corporate entities. Some experts have said it will take months, or even years, to understand the extent of the damage.

    What made the SolarWinds attack so successful was that it was a supply chain attack. Rather than brute-forcing their way in or tricking organizations into installing suspect software, the hackers compromised SolarWinds’ Orion IT monitoring and management software itself. Because this legitimate software is in use by countless organizations, planting a trojan directly in it gave the hackers a way into every organization that installed the tainted Orion update.

    The FBI is now concerned that a second product may have been compromised in a similar manner, according to Reuters. JetBrains makes TeamCity, a continuous integration and build server, which means it sits upstream of every piece of software built with it. Like Orion IT, TeamCity is used by companies around the world, making it extremely important to determine whether it was compromised as well.
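    The supply chain explanations in this article and the Judiciary article above describe the same shape of attack: a trojan is planted before the vendor ships, so the update arrives through the normal trusted channel. The following Python model, added here as an illustration and not code from SolarWinds, JetBrains or any vendor, shows why the vendor's own signature check cannot catch that, and what an independent rebuild does catch. It places a build server (the role TeamCity plays) at the "build" step of the pipeline. HMAC-SHA256 with a shared key stands in for code signing, and the source text, implant and key are all constructed sample data.

```python
"""Why a signature check alone misses a build-time implant, and what does not.

Added illustration; not SolarWinds', JetBrains' or any vendor's code. The
pipeline is modelled as source -> build -> sign -> ship -> customer checks.
HMAC-SHA256 with a shared key stands in for the vendor's code-signing key
(real code signing is asymmetric, but the trust consequence is identical: the
signature attests to what the signer was handed, not to how it was built).
"""
import hashlib
import hmac

# Constructed stand-ins: the vendor's published source, the payload a
# build-host intruder appends, and the vendor's signing key.
VENDOR_SOURCE = b"def collect_metrics():\n    return poll_agents()\n"
IMPLANT = b"\n# constructed placeholder for a backdoor; no real host or logic\n"
VENDOR_SIGNING_KEY = b"vendor-code-signing-key-(constructed)"
# With asymmetric signing the customer would hold only the public half.
VENDOR_VERIFY_KEY = VENDOR_SIGNING_KEY


def build(source: bytes) -> bytes:
    """Deterministic 'compiler': wraps the source in a fixed header.
    Determinism is what makes an independent rebuild comparable byte for byte."""
    return b"ARTIFACT\x00" + source


def sign(artifact: bytes, key: bytes) -> bytes:
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, signature: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_release(source: bytes, build_host_compromised: bool) -> tuple[bytes, bytes]:
    """The vendor's release pipeline. If the build host is compromised the
    implant is inserted *before* signing, so the release is signed normally."""
    src = source + IMPLANT if build_host_compromised else source
    artifact = build(src)
    return artifact, sign(artifact, VENDOR_SIGNING_KEY)


def customer_check(artifact: bytes, signature: bytes,
                   published_source: bytes) -> tuple[bool, bool]:
    """Two checks a customer can run on a downloaded update.
    Returns (signature_valid, matches_independent_rebuild)."""
    signature_valid = verify_signature(artifact, signature, VENDOR_VERIFY_KEY)
    # Reproducible-build check: rebuild from the published source and compare
    # digests. This catches anything inserted between source and signing.
    rebuilt = hashlib.sha256(build(published_source)).hexdigest()
    received = hashlib.sha256(artifact).hexdigest()
    return signature_valid, rebuilt == received


if __name__ == "__main__":
    for compromised in (False, True):
        art, sig = vendor_release(VENDOR_SOURCE, compromised)
        sig_ok, rebuild_ok = customer_check(art, sig, VENDOR_SOURCE)
        print(f"build host compromised={compromised}: "
              f"signature valid={sig_ok}, matches rebuild={rebuild_ok}")
```

    For a clean release both checks pass. When the build host is compromised the signature still passes, because the implant went in before signing, and only the rebuild comparison fails; that is the shape of the SolarWinds incident. Tampering after signing is the one case the signature catches on its own. The caveat is that the rebuild check needs deterministic builds and access to the source, which customers of a closed-source product do not have, so for products like Orion the integrity of the vendor's own build and signing infrastructure is what the customer is implicitly trusting.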

    “We are not aware of any investigation nor have we been contacted by any agencies,” a JetBrains spokesman said. “We are not aware of any vulnerabilities in the product or breaches that would allow for this, nor that any of our customers were affected.”

  • SolarWinds Hackers Gained Access to Microsoft Source Code

    Microsoft has revealed that hackers viewed some of its source code as part of the SolarWinds attack that government agencies are still investigating.

    The SolarWinds attack is one of the most devastating cyberattacks perpetrated against US companies and government agencies. Believed to be the work of Russian hackers, it was a supply chain attack that compromised SolarWinds’ Orion IT monitoring and management software.

    As one of the organizations impacted, Microsoft has now revealed that the hackers viewed some of its source code but did not modify any of it:

    We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.

    Microsoft is not concerned about the source code being viewed, because its threat models already assume that attackers have knowledge of the source:

    At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.

    As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.

    Although Microsoft seems to be containing the damage adequately, the degree to which the attackers got inside one of the biggest tech companies in the world is further evidence of just how successful the SolarWinds attack was.