URL: https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html
NEARLY 18,000 SOLARWINDS CUSTOMERS INSTALLED BACKDOORED SOFTWARE

Dec 15, 2020Ravie Lakshmanan

SolarWinds, the enterprise monitoring software provider that found itself at
the epicenter of one of the most consequential supply chain attacks to date,
said as many as 18,000 of its customers might have installed a tainted version
of its Orion products.

The acknowledgment comes in a new filing the company made with the US
Securities and Exchange Commission on Monday (December 14).

The Texas-based company serves more than 300,000 customers worldwide, including
every branch of the US military and four-fifths of the Fortune 500 companies.

The "incident was likely the result of a highly sophisticated, targeted and
manual supply chain attack by an outside nation state," SolarWinds said in the
regulatory disclosure, adding it "currently believes the actual number of
customers that may have had an installation of the Orion products that contained
this vulnerability to be fewer than 18,000."

The company also reiterated in its security advisory that only the 2019.4 HF 5
and 2020.2 versions of the SolarWinds Orion Platform (2020.2 with no hotfix or
with 2020.2 HF 1) were affected; no other versions of the monitoring software
and no non-Orion products shipped the backdoored component.

Specifics regarding how the hackers penetrated SolarWinds' own network are still
unclear, but the company noted in its filing that it was alerted to a compromise
of its Microsoft Office 365 email and office productivity accounts, which it is
currently investigating to determine how long the access existed and whether it
was "associated with the attack on its Orion software build system."

Troublingly, according to security researcher Vinoth Kumar, a publicly
accessible SolarWinds GitHub repository was also leaking FTP credentials for the
domain "downloads.solarwinds.com," which could have allowed an attacker to
upload a malicious executable disguised as an Orion update to the downloads
portal. Worse, the FTP account was protected by a trivial password.

Following Kumar's responsible disclosure, the company fixed the misconfiguration
on November 22, 2019. Whether that exposure played any part in the compromise of
the Orion build system has not been established.
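The credential leak Kumar reported is exactly what a repository secret scan is meant to catch before an attacker does. The scanner below is an added example written for this page; it is not code from SolarWinds, from Kumar or from The Hacker News. It looks for credential-bearing URLs (scheme://user:password@host) and password/token-style assignments in text pulled from a repository, and rates each secret as weak when it is short, built from the vendor's own name, a plain word with a numeric suffix, or low-entropy. The sample config, host name, account and secrets are constructed, and the regexes and weakness heuristic are this example's assumptions, not anything SolarWinds used.

```python
"""Scan repository text for leaked credentials (added example, not SolarWinds code).

The patterns, the weakness heuristic and the sample config below are assumptions
made for illustration; the host, account and secrets are made up.
"""
import math
import re
from dataclasses import dataclass

# scheme://user:password@host - a credential committed inside a URL
URL_CRED_RE = re.compile(
    r"\b(?P<scheme>ftps?|sftp|https?)://(?P<user>[^\s:/@]+):(?P<secret>[^\s@]+)@"
    r"(?P<host>[^\s/:\"']+)",
    re.IGNORECASE,
)

# KEY = value where KEY looks like a password / token / secret setting
ASSIGN_RE = re.compile(
    r"\b(?P<key>[A-Za-z_][\w.-]*?(?:pass(?:word|wd)?|secret|token|api[_-]?key))\b"
    r"\s*[:=]\s*[\"']?(?P<secret>[^\s\"']{4,})[\"']?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    kind: str      # "url" or "assignment"
    user: str      # account name, or the config key for assignments
    host: str      # empty for assignments
    secret: str
    weak: bool     # True when the secret would fall to a trivial guess


def shannon_entropy(s):
    """Bits per character, estimated from the string's own character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def context_words(*names):
    """Labels (>= 4 chars) from host and account names: the brand words a lazy
    password is most likely to be built from."""
    words = set()
    for name in names:
        for label in re.split(r"[.\-_@:/]+", name.lower()):
            if len(label) >= 4:
                words.add(label)
    return words


def is_weak_password(secret, ctx):
    """Heuristic (an assumption of this example): short, derived from the brand or
    host name, a word plus a short numeric suffix, or low entropy."""
    low = secret.lower()
    if len(secret) < 8:
        return True
    if any(w in low for w in ctx):
        return True
    if re.fullmatch(r"[a-z]+\d{1,4}", low):
        return True
    return shannon_entropy(secret) < 3.0


def scan(text, known_names=()):
    """Scan a blob of repository content line by line. known_names are host or
    brand names the caller already knows, used to spot passwords built from them."""
    base_ctx = context_words(*known_names)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            ctx = base_ctx | context_words(m.group("host"), m.group("user"))
            findings.append(Finding(line_no, "url", m.group("user"), m.group("host"),
                                    m.group("secret"), is_weak_password(m.group("secret"), ctx)))
        for m in ASSIGN_RE.finditer(line):
            findings.append(Finding(line_no, "assignment", m.group("key"), "",
                                    m.group("secret"), is_weak_password(m.group("secret"), base_ctx)))
    return findings


# Constructed sample resembling a deployment config committed to a public repo.
# Host, account and secrets are made up; they are not SolarWinds' real values.
SAMPLE_REPO_FILE = """\
# publish.cfg
PUBLISH_HOST = downloads.example-vendor.test
FTP_URL = ftp://release-bot:Vendor123@downloads.example-vendor.test/orion/
API_TOKEN = 5f3c9a1e7b2d4c8a9e0f1b2c3d4e5f60
LOG_LEVEL = info
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_REPO_FILE, known_names=("example-vendor",)):
        flag = "WEAK" if f.weak else "strong-looking"
        print(f"line {f.line_no}: {f.kind} {f.user}@{f.host or '-'} secret={f.secret!r} [{flag}]")
```

Run it over a checkout and, more importantly, over `git log -p` output: a credential removed from the current tree is still in history. Anything it flags should be rotated, not merely deleted, and the brand-word check is what catches a "vendor name plus digits" password that a pure entropy threshold would let through.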

The development comes a day after cybersecurity firm FireEye said it had
identified a nine-month-long global intrusion campaign against public and
private entities, in which malicious code was inserted into legitimate updates
of SolarWinds' Orion software to give the attackers a foothold in victims'
networks through a backdoor called SUNBURST. The backdoor was embedded in the
Orion component "SolarWinds.Orion.Core.BusinessLayer.dll," a DLL that shipped
carrying SolarWinds' own digital signature.

"The malicious DLL calls out to a remote network infrastructure using the
domains avsvmcloud.com to prepare possible second-stage payloads, move
laterally in the organization, and compromise or exfiltrate data," Microsoft
said in a write-up.
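Because SUNBURST reached its command-and-control through DNS, the resolver log is the first place to hunt. The script below is an added example for this page, not Microsoft's, FireEye's or SolarWinds' code. Only the apex domain avsvmcloud.com comes from the write-up; the log format, client addresses and the long subdomain labels are constructed. It matches query names on a label boundary (so a lookalike such as notavsvmcloud.com is not a hit), flags long random-looking leftmost labels, and totals hits per client so the affected hosts can be isolated first.

```python
"""Hunt DNS query logs for callbacks to the SUNBURST C2 apex domain.

Added example: not Microsoft's, FireEye's or SolarWinds' code. Only the apex
domain avsvmcloud.com comes from the text; the log format, client addresses and
subdomain labels below are constructed for illustration.
"""
import re
from collections import Counter

# Apex domains to alert on. Matching is by label boundary (see matches_ioc),
# so a lookalike such as notavsvmcloud.com does not produce a false hit.
IOC_DOMAINS = ("avsvmcloud.com",)

# Assumed log format (constructed): "<timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalise(qname):
    """Lower-case and strip the trailing root dot so 'x.avsvmcloud.com.' compares equal."""
    return qname.rstrip(".").lower()


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """Return the matching IOC apex domain if qname is that domain or a subdomain
    of it, else None. endswith('.' + ioc) enforces the label boundary."""
    name = normalise(qname)
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def dga_like(label):
    """Heuristic for a generated leftmost label: long, alphanumeric, and mixing
    letters with digits (an assumption of this example, not a published rule)."""
    return (len(label) >= 16
            and re.fullmatch(r"[a-z0-9]+", label) is not None
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def parse_line(line):
    """Parse one log line into a dict, or None when the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines, iocs=IOC_DOMAINS):
    """Return a list with one hit per log line whose query name falls under an IOC domain."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines rather than abort the hunt
            continue
        ioc = matches_ioc(rec["qname"], iocs)
        if ioc is None:
            continue
        leftmost = normalise(rec["qname"]).split(".")[0]
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "qname": normalise(rec["qname"]),
            "ioc": ioc,
            "dga_like": dga_like(leftmost),
        })
    return hits


def clients_seen(hits):
    """Hits per client address: the hosts to isolate and image first."""
    return dict(Counter(h["client"] for h in hits))


# Constructed sample log (not real traffic). The long leftmost label is made up.
SAMPLE_DNS_LOG = """\
2020-06-10T08:12:03Z 10.1.4.22 www.microsoft.com A
2020-06-10T08:12:40Z 10.1.4.22 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A
2020-06-10T08:13:02Z 10.1.4.22 solarwinds.com A
2020-06-10T08:15:11Z 10.1.7.9 cdn.notavsvmcloud.com A
2020-06-10T08:20:55Z 10.1.4.22 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com A
2020-06-10T08:21:30Z 10.1.9.31 avsvmcloud.com. TXT
## truncated record
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['qname']} (ioc={h['ioc']}, dga_like={h['dga_like']})")
    print("hits per client:", clients_seen(found))
```

The label-boundary check matters: a naive substring match on "avsvmcloud.com" would page on the lookalike in line 4 and, worse, a naive "ends with" check without the leading dot would too. Feed it the resolver's export rather than endpoint logs, since the trojanized service's own lookups are the signal.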

The US Department of Homeland Security was breached, as were the Departments of
Commerce and Treasury, Reuters reported yesterday. The espionage campaign also
includes the attack on FireEye disclosed on December 8, although it is not yet
clear whether that intrusion and the resulting exfiltration were a direct result
of a rogue SolarWinds update.

"The campaign demonstrates top-tier operational tradecraft and resourcing
consistent with state-sponsored threat actors," said FireEye CEO Kevin Mandia.
"These compromises are not self-propagating; each of the attacks requires
meticulous planning and manual interaction."

While the full fallout of the hacking campaign is still unknown, fingers have
been pointed at APT29, a hacking group affiliated with Russia's foreign
intelligence service (SVR). FireEye, which tracks the campaign as "UNC2452,"
has not attributed the attack to Russia.

For its part, SolarWinds is expected to issue a second hotfix later today that
replaces the compromised component and adds several further security hardening
measures.

"The SUNBURST campaign represents a uniquely distressing intrusion event with
implications for multiple industries and network operators," DomainTools' Senior
Security Researcher, Joe Slowik, said.

"The ubiquity of SolarWinds in large networks, combined with the potentially
long dwell time of intrusions facilitated by this compromise, mean victims of
this campaign need not only recover their SolarWinds instance, but may need to
perform widespread password resets, device recovery, and similar restoration
activity to completely evict an intruder."

"Through continuous monitoring of network traffic and an understanding of what
hosts are communicating, defenders can leverage attacker weaknesses and
dependencies to overcome these otherwise daunting challenges," he added.



Tags: Cyber Attack, Malware, Software, Software backdoor, SolarWinds, supply chain attack