SolarWinds, the enterprise monitoring software provider which found itself at the epicenter of the most consequential supply chain attacks, said as many as 18,000 of its high-profile customers might have installed a tainted version of its Orion products.
The acknowledgment comes as part of a new filing made by the company to the US Securities and Exchange Commission on Monday.
The Texas-based company serves more than 300,000 customers worldwide, including every branch of the US military and four-fifths of the Fortune 500 companies.
The "incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state," SolarWinds said in the regulatory disclosure, adding it "currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000."
The company also reiterated in its security advisory that besides 2019.4 HF 5 and 2020.2 versions of SolarWinds Orion Platform, no other versions of the monitoring software or other non-Orion products were impacted by the vulnerability.
Specifics regarding how the hackers penetrated SolarWinds' own network are still fuzzy, but the company noted in its filing that it was alerted to a compromise of its Microsoft Office 365 email and office productivity accounts that it's currently investigating to determine how long it existed and if the weakness was "associated with the attack on its Orion software build system."
Troublingly, according to a report from security researcher Vinoth Kumar, it also appears that a publicly-accessible SolarWinds GitHub repository was leaking FTP credentials of the domain "downloads.solarwinds.com," thus allowing an attacker to potentially upload a malicious executable disguised as Orion software updates to the downloads portal. Even worse, the FTP server was protected by a trivial password.
Following Kumar's responsible disclosure last year, the company addressed the misconfiguration on November 22, 2019.
The development comes a day after cybersecurity firm FireEye said it identified a nine-month-long global intrusion campaign targeting public and private entities that introduce malicious code into legitimate software updates for SolarWinds' Orion software to break into the companies' networks and install a backdoor called SUNBURST ("SolarWinds.Orion.Core.BusinessLayer.dll").
"The malicious DLL calls out to a remote network infrastructure using the domains avsvmcloud.com. to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data," Microsoft said in a write-up.
The US Department of Homeland Security was breached, as were the departments of Commerce and Treasury, Reuters reported yesterday. The espionage campaign also included the December 8 cyberattack on FireEye, although it's not immediately clear whether the intrusion and exfiltration was a direct result of a rogue SolarWinds update.
"The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors," said FireEye CEO Kevin Mandia. "These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."
While the fallout caused by the hacking campaign is still unknown, fingers have been pointed at APT29, a hacking collective affiliated with the Russian foreign intelligence service. FireEye, which is tracking the campaign as "UNC2452," has not linked the attack to Russia.
For its part, SolarWinds is expected to issue a second hotfix later today that replaces the vulnerable component and adds several extra security enhancements.
"The SUNBURST campaign represents a uniquely distressing intrusion event with implications for multiple industries and network operators," DomainTools' Senior Security Researcher, Joe Slowik, said.
"The ubiquity of SolarWinds in large networks, combined with the potentially long dwell time of intrusions facilitated by this compromise, mean victims of this campaign need not only recover their SolarWinds instance, but may need to perform widespread password resets, device recovery, and similar restoration activity to completely evict an intruder."
"Through continuous monitoring of network traffic and an understanding of what hosts are communicating, defenders can leverage attacker weaknesses and dependencies to overcome these otherwise daunting challenges," he added.