The cybercriminals behind the SolarWinds breach have been actively using the trojanized SolarWinds Orion updates to target significant technology companies. Technology companies targeted thus far include Cisco, Microsoft and FireEye.
The SolarWinds Breach
The still unfolding SolarWinds breach was discovered approximately a month ago and was acknowledged by SolarWinds on 13 December. In the attack, cybercriminals took advantage of a vulnerability in the SolarWinds Orion platform to insert a backdoor trojan into certain updates of the software. Orion is an IT performance monitoring tool, whose trojanized updates include 2019.4 HF 5, 2020.2, 2020.2 HF 1 and 2020.2.1.
Since the breach, the cybercriminals have been targeting significant technology companies with the trojanized Orion updates downloaded by SolarWinds clients. The scale of the attacks by this medium is unprecedent. Furthermore, the level of the attacks’ sophistication suggests that they are being conducted by a nation-state. The culprits named thus far is the Russian cybercriminal group known as CPT42 or Cozy Bear.
Furthermore, evidence provided by FireEye (now known as Mandiant) on 13 December, suggests that the Orion platform was first compromised back in March 2020. Consequently, the number of companies affected could be many more than initially thought. The significant technology companies targeted so far include Cisco, Microsoft and FireEye.
Late last week, approximately 20 computers in a Cisco lab were compromised through the trojanized SolarWinds Orion updates. Cisco’s breach came a day after Microsoft said its systems had been compromised by the same trojanized Orion updates.
Cisco, the world’s biggest maker of networking equipment, doesn’t use the Orion platform for its enterprise network management or monitoring. Thus, it said that only some internal machines used by Cisco researchers were compromised. Cisco provides its own network management and monitoring through its machinery and software. These products monitor traffic moving through a network. If cybercriminals were to gain access to that flow, they could cause extensive harm via various means.
Cisco said that currently there was no evidence to show that customer data had been exposed or exfiltrated due to the compromise. “At this time, there is no known impact to Cisco offers or products,” the company said in a statement. “We continue to investigate all aspects of this evolving situation with the highest priority.”
The trojanized Orion software has also compromised Microsoft Office 365 accounts and Microsoft’s Azure Active Directory (AD). Apparently, the cybercriminals have been monitoring the Microsoft Office 365 emails of some US government agencies for months. One such agency is the Commerce Department’s National Telecommunications and Information Administration (NTIA).
As for Azure, the cybercriminals were able to create a counterfeit token representing a highly privileged account in Azure AD. Such an account could be used to hack into the networks of various organizations. The cybercriminals could also gain Azure AD privileges with stolen compromised credentials. This is especially likely with accounts not protected by two-factor authentication.
Furthermore, Reuters reported last week that Microsoft’s own products were being used to attack other victims. However, Microsoft told CRN that Reuters’s sources were either “misinformed or misinterpreting their information.”
A Microsoft spokesperson stated: “We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” Nonetheless, Microsoft did acknowledge that it had “detected malicious SolarWinds binaries” in its environment.
Microsoft President, Brad Smith, disclosed that 44% of its customers compromised by the SolarWinds breach are in the IT sector. These customers include software and security firms, as well as IT services and equipment providers.
The SolarWinds breach first came to light when FireEye reported it had been hacked on 8 December. FireEye, one of the US’s major cybersecurity firms was attacked not to exfiltrating its clients’ data. But rather, to steal the company’s cyber security tools, which they call the Red Team tools.
Soon after the attack, FireEye published countermeasures to help its clients and others protect themselves from the company’s stolen tools. FireEye didn’t explicitly state its intrusion had been the result of the SolarWinds breach at the time. However, it confirmed as much to KrebsOnSecurity yesterday.
FireEye was not the first cybersecurity company to have its tools stolen. A similar threat occurred in 2016 when state actors used stolen cybersecurity tools to conduct worldwide destructive attacks against government agencies.