SolarWinds | Breaking Cybersecurity News | The Hacker News

Microsoft on Thursday said it concluded its probe into the SolarWinds hack, finding that the attackers stole some source code but confirmed there's no evidence that they abused its internal systems to target other companies or gained access to production services or customer data. The disclosure builds upon an  earlier update  on December 31, 2020, that uncovered a compromise of its own network to view source code related to its products and services. "We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories," the Windows maker had previously disclosed. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.". Now according to the company, besides viewing few individual files by searching throug

Cybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges. Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were identified in the SolarWinds Orion Platform, while a third separate weakness (CVE-2021-25276) was found in the company's Serv-U FTP server for Windows,  said  cybersecurity firm Trustwave in a technical analysis. None of the three vulnerabilities are believed to have been exploited in any "in the wild" attacks or during the unprecedented  supply chain attack  targeting the Orion Platform that came to light last December. The two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25. It's highly recommended that users install th

Throughout 2020, businesses, in general, have had their hands full with IT challenges. They had to rush to accommodate a sudden shift to remote work. Then they had to navigate a rapid adoption of automation technologies. And as the year came to a close, more businesses began trying to assemble the safety infrastructure required to return to some semblance of normal in 2021. But at the end of the year,  news of a massive breach  of IT monitoring software vendor SolarWinds introduced a new complication – the possibility of a wave of secondary data breaches and cyber-attacks. And because SolarWinds' products have a presence in so many business networks, the size of the threat is massive. So far, though, most of the attention is getting paid to large enterprises like Microsoft and Cisco (and the US Government), who were the primary target of the SolarWinds breach. What nobody's talking about is the rest of the 18,000 or so SolarWinds clients who may have been affected. For them

There's a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you've got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard, you're only as secure as your weakest link. There's still one group that can inadvertently open the gates to unwanted threat actors—your own people. Security must be second nature for your first line of defense For your organization to thrive, you need capable employees. After all, they're your source for great ideas, innovation, and ingenuity. However, they're also human. And humans are fallible. Hackers understand no one is perfect, and that's precisely what they seek to exploit. This is why your people must become your first line of defense against cyber threats. But to do so, they need to learn how to defend thems

Microsoft on Wednesday shared more specifics about the tactics, techniques, and procedures (TTPs) adopted by the attackers behind the SolarWinds hack to stay under the radar and avoid detection, as cybersecurity companies work towards getting a "clearer picture" of one of the most sophisticated attacks in recent history. Calling the threat actor "skillful and methodic operators who follow operations security (OpSec) best practices," the company said the attackers went out of their way to ensure that the initial backdoor ( Sunburst  aka Solorigate) and the post-compromise implants ( Teardrop  and  Raindrop ) are separated as much as possible so as to hinder efforts to spot their malicious activity. "The attackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining elusive while maintaining persistence," researchers from Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)

Malwarebytes on Tuesday said it was breached by the same group who broke into SolarWinds to access some of its internal emails, making it the fourth major cybersecurity vendor to be targeted after  FireEye ,  Microsoft , and  CrowdStrike . The company said its intrusion was not the result of a SolarWinds compromise, but rather due to a separate initial access vector that works by "abusing applications with privileged access to Microsoft Office 365 and Azure environments." The discovery was made after Microsoft notified Malwarebytes of suspicious activity from a dormant email protection app within its  Office 365 tenant  on December 15, following which it performed a detailed investigation into the incident. "While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor," the company's CEO Marcin Kleczynski  said  in a post. "We found no evidence of unauthorized access or compromise in any of o

Cybersecurity researchers have unearthed a fourth new malware strain—designed to spread the malware onto other computers in victims' networks—which was deployed as part of the  SolarWinds supply chain attack  disclosed late last year. Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins the likes of other malicious implants such as  Sunspot , Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks. The latest finding comes amid a continued probe into the breach, suspected to be of  Russian origin , that has claimed a number of U.S. government agencies and private sector companies. "The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers," Symantec researchers  said . The cybersecurity firm said it discovered only four samples of Raindrop to date that were used to d

As the investigation into the SolarWinds supply-chain attack continues, cybersecurity researchers have disclosed a third malware strain that was deployed into the build environment to inject the backdoor into the company's Orion network monitoring platform. Called " Sunspot ," the malignant tool adds to a growing list of previously disclosed malicious software such as Sunburst and Teardrop. "This highly sophisticated and novel code was designed to inject the Sunburst malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams," SolarWinds' new CEO Sudhakar Ramakrishna  explained . While  preliminary evidence  found that operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, the latest findings reveal a new timeline that establishes the first brea

Cybersecurity researchers, for the first time, may have found a potential connection between the backdoor used in  the SolarWinds hack  to a previously known malware strain. In new  research  published by Kaspersky researchers today, the cybersecurity firm said it discovered several features that overlap with another backdoor known as  Kazuar , a .NET-based malware first documented by Palo Alto Networks in 2017. Disclosed early last month, the  espionage campaign  was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed "Sunburst." Shared Features Between Sunburst and Kazuar Attribution for the SolarWinds supply-chain compromise has been difficult in part due to little-to-no clues linking the attack infrastructure to previous campaigns or other well-known threat groups. But Kaspersky's latest analysis of th

The U.S. Department of Justice on Wednesday became the latest government agency in the country to admit its internal network was compromised as part of the SolarWinds supply chain attack. "On December 24, 2020, the Department of Justice's Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others," DoJ spokesperson Marc Raimondi said in a short statement. "This activity involved access to the Department's Microsoft Office 365 email environment." Calling it a "major incident," the DoJ said the threat actors who spied on government networks through SolarWinds software potentially accessed about 3% of the Justice Department's email accounts, but added there's no indication they accessed classified systems. The disclosure comes a day after the Federal Bureau of Investigation (FB

The U.S. government on Tuesday formally pointed fingers at the Russian government for orchestrating the massive  SolarWinds supply chain attack  that came to light early last month. "This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)  said  in a joint statement. Russia, however,  denied  any involvement in the operation on December 13, stating it "does not conduct offensive operations in the cyber domain." The FBI, CISA, ODNI, and NSA are members of the Cyber Unified Coordination Group (UCG), a newly-formed task force put in place by the White House National Security Council to investig

An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as a zero-day to deploy the SUPERNOVA malware in target environments. According to an  advisory  published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw (CVE-2020-10148) that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance. "The authentication of the API can be bypassed by including specific parameters in the  Request.PathInfo  portion of a URI request to the API, which could allow an attacker to execute unauthenticated API commands," the advisory states. "In particular, if an attacker appends a PathInfo parameter of 'WebResource.adx,' 'ScriptResource.adx,' 'i18n.ashx,' or 'Skipi18n' to a request to a Solar

As the probe into the  SolarWinds supply chain attack  continues, new digital forensic evidence has brought to light that a separate threat actor may have been abusing the IT infrastructure provider's Orion software to drop a similar persistent backdoor on target systems. "The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," Microsoft 365 research team  said  on Friday in a post detailing the Sunburst malware. What makes the newly revealed malware, dubbed "Supernova," different is that unlike the Sunburst DLL,  Supernova  ("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a legitimate SolarWinds digital certificate, signaling that the compromise may be unrelated to the previously disclosed supply chain attack. In a  standalone write-up ,

The massive state-sponsored  espionage campaign  that compromised software maker SolarWinds also targeted Microsoft, as the unfolding investigation into the hacking spree reveals the incident may have been far more wider in scope, sophistication, and impact than previously thought. News of Microsoft's compromise was first reported by Reuters , which also said the company's own products were then used to strike other victims by leveraging its cloud offerings, citing people familiar with the matter. The Windows maker, however, denied the threat actor had infiltrated its production systems to stage further attacks against its customers. In a statement to The Hacker News via email, the company said — "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or custom

The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack. A new report published by ReversingLabs today and shared in advance with The Hacker News has revealed that the operators behind the  espionage campaign  likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process. "The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system," ReversingLabs' Tomislav Pericin said. Cybersecurity firm FireEye earlier this week  detailed  how multiple SolarWin

Network monitoring services provider SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was  exploited to insert malware  and breach public and private entities in a wide-ranging espionage campaign. In a new update posted to its  advisory  page, the company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately to secure their environments. The malware, dubbed SUNBURST (aka Solorigate), affects Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020. "Based on our investigation, we are not aware that this vulnerability affects other versions—including future versions—of Orion Platform products," the company said. "We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our ot