Infected SolarWinds Updates Used To Compromise Multiple Organizations: FireEye
Nation-state hackers gained access to government, consulting, technology and telecom firms around the world through trojanized updates to SolarWinds’ Orion network monitoring tool, according to FireEye. A highly sophisticated attack on SolarWinds’ Orion network monitoring product has allowed nation-state hackers to compromise the networks of public and private organizations, FireEye said. FireEye has identified multiple organizations where it sees indications of compromise dating back to spring 2020, and is in the process of notifying those organizations, CEO Kevin Mandia wrote in a blog post Sunday. FireEye said Tuesday that it was also breached in a nation-state attack designed to gain information on some of its government clients but did not say whether it was one of the organizations to have its network compromised by the SolarWinds Orion attack. SolarWinds confirmed in a security advisory issued late Sunday that it experienced a manual supply chain attack on versions of Orion released between March and June of this year. “The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” Mandia said. “Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.”
The victims have included government, consulting, technology and telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote in a blog posted Sunday. The researchers said they anticipate there are additional victims in other countries and verticals. SolarWinds said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe. An additional hotfix release that both replaces the compromised component and provides several additional security enhancements is expected to be made available Tuesday. The company’s managed services tools appear to be uncompromised, as the company said it isn’t aware of any impact to its RMM, N-Central and SolarWinds MSP products. “Security and trust in our software is the foundation of our commitment to our customers,” SolarWinds said in a security advisory issued late Sunday. “We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures and standards designed to protect our customers.”
Attacks conducted as part of this campaign share several common elements, according to Mandia. First, Mandia said the attackers inserted malicious code into legitimate software updates for the Orion software, giving them remote access into the victim’s environment. In addition, Mandia said the hackers went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection. Finally, Mandia said the adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools. FireEye has already updated its products to detect the known altered SolarWinds binaries, Mandia said. The company is also scanning for any traces of activity by this actor and reaching out to both customers and non-customers if potential indicators are spotted, according to Mandia. Hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, the threat researchers wrote in their blog post. Post-compromise activity has included lateral movement and data theft, according to the threat researchers. “This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye’s threat researchers said. “The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
https://www.crn.com/news/security/infected-solarwinds-updates-used-to-compromise-clients-fireeye
8 Big Things To Know About The State-Sponsored FireEye Hack
From who’s suspected to be behind the FireEye hack and how they remained hidden, to what FireEye and intelligence officials are doing to minimize the fallout from the attack, here’s a look at what partners need to know.
https://www.crn.com/slide-shows/security/8-big-things-to-know-about-the-state-sponsored-fireeye-hack