The extent and impact of the SolarWinds hack became even more apparent – and terrifying – over the holiday break.
On New Year’s Eve, SolarWinds confirmed that it has identified malware that exploited the flaws introduced to Orion products.
We already knew about “SUNBURST”, the attack that poisoned Orion.
SolarWinds’ pre-party post revealed that “SUPERNOVA” is “malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.”
“The SUPERNOVA malware consisted of two components,” says SolarWinds’ advisory. “The first was a malicious, unsigned webshell .dll ‘app_web_logoimagehandler.ashx.b6031896.dll’ specifically written to be used on the SolarWinds Orion Platform. The second is the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability in the Orion Platform has been resolved in the latest updates.”
Kremlin hackers are right now exploiting security hole in VMware software to hijack systems, NSA warns
The company’s FAQ says it is yet to find a link between SUPERNOVA and SUNBURST. The last update to the FAQ was made on December 31st, 2020. Friday January 1st was a Federal holiday in the USA, followed by the weekend.
Microsoft, meanwhile, has offered further details of its brush with the attacks by revealing that it had indeed fallen victim to the hack – but not in a particularly bad way. Redmond’s self-analysis “found no evidence of access to production services or customer data” and “no indications that our systems were used to attack others.”
But Microsoft’s probe did find “unusual activity with a small number of internal accounts and upon review” one of which “had been used to view source code in a number of source code repositories.”
The good news is that the account had look-don’t-touch privileges, so no code was altered, and Microsoft was able to remediate the relevant accounts.
Microsoft’s post also revealed: “our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”
Hopefully, other users of compromised Orion implementations were similarly cautious, because The New York Times reports that it is now felt that the attackers gained access to “as many as 250 networks”. That estimate handily tops the previous assessment of “a few dozen” compromises.
Between SolarWinds’ ongoing investigations and the unknown extent of the attack’s penetration, this story is far from over. Indeed, December 30th supplemental guidance from the USA’s Cybersecurity and Infrastructure Security Agency (CISA) not only ordered 24-hour upgrades to clean versions of Orion but promised to “follow up with additional supplemental guidance, to include further clarifications and hardening requirements.” ®