In December, the disclosure of the supply chain attack against SolarWinds sent shockwaves throughout federal agencies responsible for the security of US information assets. The ripple effect hit the IT community as well. Those ripples have continued into 2021, as what was already seen as a sophisticated attack on the IT supply chain has taken additional twists. New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD).
Compromising the SolarWinds build environment and sending Trojanized versions of updates for the Orion Platform is the best-known tactic believed to have been used by the threat group behind the attacks. According to the Cybersecurity and Infrastructure Security Agency (CISA), the threat actor was observed compromising or bypassing federated identity solutions and leveraging forged authentication tokens to move laterally to Microsoft cloud environments. From there, the threat
“The patches for the three severe vulnerabilities that Trustwave discovered were issued in January,” said senior security research manager with Trustwave SpiderLabs, Karl Sigler.
“This latest development re-emphasizes the need for thorough security testing for complex software platforms and shows what could have happened if Trustwave had not discovered the three identified severe vulnerabilities before the bad actors did.”
The first Orion vulnerability, tracked as CVE-2021-25275, can be exploited by hackers to either steal information from a corporate network or add admin-level users to be used within the security platform.
The flaw centres on the insecure manner by which credentials are stored - and could allow any local users to take complete control over the SolarWinds Orion database, regardless of privilege level.
SolarWinds patches two critical CVEs in Orion platform
New vulnerabilities disclosed as SolarWinds reels from December 2020 Solorigate/Sunburst attack – but do not appear to have been exploited yet
Share this item with your network: By Published: 03 Feb 2021 11:00
Users of SolarWinds’ Orion networking platform – the service at the centre of the high-profile Solorigate/Sunburst attack – are once again being advised to patch their systems urgently following the disclosure of two unrelated critical vulnerabilities.
Discovered by researchers at Trustwave’s SpiderLabs unit, and assigned CVEs 2021-25274 and 2021-25275, the bugs were disclosed to SolarWinds on 30 December 2020 and confirmed in early January 2021. A patch has been available since 25 January, and proof-of-concept code is also available, although it is being held back for a bit longer to give end-user administrators more time to rectify the issues.
The by-now infamous company has issued patches for three security vulnerabilities in total.
Three serious vulnerabilities have been found in SolarWinds products: Two in the Orion User Device Tracker and one in the Serv-U FTP for Windows product. The most severe of these could allow trivial remote code execution with high privileges.
The SolarWinds Orion platform is the network management tool at the heart of the recent espionage attack against several U.S. government agencies, tech companies and other high-profile targets. It allows users to manage devices, software and firmware versioning, applications and so on, and has full visibility into enterprise customer networks.
On December 13, 2020,
Reuters reported that hackers suspected to be connected to the Russian government have monitored electronic communications at certain U.S. government offices. The hackers are believed to have accessed these systems and others through updates released by SolarWinds. The next day, SolarWinds reported that a cyberattack on its systems inserted a vulnerability in updates to its Orion Platform products delivered between March 2020 and June 2020. The Company later corrected that timing, stating that hackers were accessing its systems since at least early September 2019 and the malicious code was added starting Feb. 20, 2020.
SolarWinds had been warned by a security researcher last year that anyone could access the Company s update server by using the simple password solarwinds123. In addition, a former security adviser at SolarWinds said that in 2017 he warned management of cybersecurity risks which were ultimately ignored making a major security breach ine