SolarWinds Hack New Evidence Suggests Potential Links to Chinese Hackers
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds Orion network monitoring software may have been the work of a possible Chinese threat group.
In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral.
Back on December 22, 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider s Orion software to drop a persistent backdoor called Supernova on target systems.
The findings were also corroborated by cybersecurity firms Palo Alto Networks Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a .NET web shell implemented by modifying an app web logoimagehandler.ashx.b6031896.dll module of the SolarWinds Orion application.
To embed, copy and paste the code into your website or blog:
If you don’t know about SolarWinds, then you haven’t been reading the news for the past six months. Last October 2020, it was reported that a widely-used networking tool that helps companies in the public and private sectors manage their Information Technology (IT) portfolios – SolarWinds Orion product had been compromised. Publicly, it has been reported that about 18,000 private and government users downloaded the tainted software update, and it provided Russian hackers access to their systems. The hack hit Federal agencies, including the Departments of Treasury, Commerce, and State, the Department of Homeland Security (DHS), National Security Agency, and parts of the Pentagon, as well as public and private sector companies. The breadth and depth of this hack are still being assessed.
Recent Events Reiterate the Importance of Sophisticated Cybersecurity
- FinancialBuzz.com News Commentary
NEW YORK, Feb. 5, 2021 /PRNewswire/ The recent surge of data breaches, business and agency hacks are just some of the reminders of how fragile our information infrastructure is. According to a report by NPR from December, hackers attached their malware to a software update from SolarWinds, a company based in Austin, Texas. Many federal agencies and thousands of companies worldwide used SolarWinds Orion software to monitor their computer networks. Now, the cybersecurity company Trustwave informed SolarWinds that it has identified three new critical flaws in software produced by SolarWinds. According to a report by NBC News, SolarWinds has released a patch to fix the security flaws, and neither company found evidence that hackers had exploited the vulnerabilities. Yet, the findings raise new questions about security at SolarWinds, which provides information technology softwa
In December, the disclosure of the supply chain attack against SolarWinds sent shockwaves throughout federal agencies responsible for the security of US information assets. The ripple effect hit the IT community as well. Those ripples have continued into 2021, as what was already seen as a sophisticated attack on the IT supply chain has taken additional twists. New evidence points to attackers using well-established methods to gain initial access the old-fashioned way, through on-premises Active Directory (AD).
Compromising the SolarWinds build environment and sending Trojanized versions of updates for the Orion Platform is the best-known tactic believed to have been used by the threat group behind the attacks. According to the Cybersecurity and Infrastructure Security Agency (CISA), the threat actor was observed compromising or bypassing federated identity solutions and leveraging forged authentication tokens to move laterally to Microsoft cloud environments. From there, the threat
“The patches for the three severe vulnerabilities that Trustwave discovered were issued in January,” said senior security research manager with Trustwave SpiderLabs, Karl Sigler.
“This latest development re-emphasizes the need for thorough security testing for complex software platforms and shows what could have happened if Trustwave had not discovered the three identified severe vulnerabilities before the bad actors did.”
The first Orion vulnerability, tracked as CVE-2021-25275, can be exploited by hackers to either steal information from a corporate network or add admin-level users to be used within the security platform.
The flaw centres on the insecure manner by which credentials are stored - and could allow any local users to take complete control over the SolarWinds Orion database, regardless of privilege level.