URL: https://www.crn.com/slide-shows/security/10-things-to-know-about-the-solarwinds-breach-and-its-u-s-government-impact
Security News

10 Things To Know About The SolarWinds Breach And Its U.S. Government Impact

Michael Novinson, December 14, 2020, 12:46 PM EST

From how nation-state hackers evaded detection to why federal agencies were ordered to immediately power down Orion to its impact on the SolarWinds MSP business, here are the most important things to know about the SolarWinds breach.

SolarWinds Under Siege

SolarWinds disclosed Sunday that it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June of this year. The company said it has been told the attack was likely conducted by an outside nation state and was intended to be a narrow, extremely targeted and manually executed attack, though no specific country was named.

A FireEye blog post states that hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds' Orion software, but did not disclose the identity of any of the victims. Media reports have attributed attacks on the U.S. Treasury and Commerce Departments, as well as on FireEye, to a vulnerability in the Orion products, but SolarWinds said Monday it is still investigating.

The colossal SolarWinds breach is sending shockwaves through Capitol Hill and Fortune 500 corner offices alike, given the high-profile nature of the reported victims and the presumed involvement of Russian intelligence services. From how the hackers evaded detection to why federal agencies must power down Orion to its impact on the SolarWinds MSP business, here are the big things to know about the SolarWinds hack.

10. Hack Comes Months After Zero-Day Exploit Of RMM Tool

This isn't the first time that SolarWinds' technology has been open to exploitation. A zero-day vulnerability in SolarWinds MSP's remote monitoring and management (RMM) tool N-central, announced in January 2020, allowed security researchers to steal the administrative credentials of an account holder, security vendor Huntress said at the time.
The flaw was reported in October 2019 and remained open for more than three months, according to Huntress. SolarWinds said at the time that the exploit was never used by malicious actors to compromise any partner accounts, and it deployed hotfixes for the flaw in January 2020. It also released a mitigation tool that could be used in the event the hotfix couldn't be applied.

SolarWinds told CRN at the time that the researcher reported the flaw to the company in October but there was no proof of concept. Following its internal protocol, the company monitored the findings and began working on a patch in late January when a proof of concept was disclosed.

9. SolarWinds Breach Doesn't Impact Company's MSP Business

While hackers over the past two years have taken advantage of the tools MSPs rely on to manage customer IT systems, the tools exploited in this breach do not appear to be linked to SolarWinds' MSP business. The Orion platform supports SolarWinds' longtime IT infrastructure management business and doesn't appear to be connected to the SolarWinds MSP business built through acquisitions in recent years.

SolarWinds MSP isn't aware of any impact to its remote monitoring and management (RMM), N-central and associated products from the attack on Orion, President John Pagliuca said in a security advisory posted Sunday evening. Pagliuca would take over as SolarWinds MSP CEO if the proposed spin-off of the business into a standalone company, which has been under consideration for months, goes ahead.

Just four days before news of this colossal hack went public, SolarWinds named Pulse Secure's Sudhakar Ramakrishna as its next CEO. During his five years leading Pulse Secure, Ramakrishna had to deal with hackers exploiting a widely known flaw in the company's VPN appliance to carry out ransomware attacks many months after a patch had already been rolled out.

8. Russian Intelligence Service Accused Of Orchestrating Campaign

The Washington Post reported Sunday that the hackers with the Russian intelligence service known as APT29 who attacked FireEye also compromised the Treasury and Commerce departments as well as other U.S. government agencies. The breaches have been taking place for months and may amount to an operation as significant as the State Department and White House hacks during the Obama years. The hack was considered so serious that it led to a National Security Council meeting at the White House on Saturday, according to Reuters.

APT29 also compromised the Democratic National Committee's servers in 2015 but didn't end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Post said.

The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can help the Kremlin understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and, more recently, attempted to steal coronavirus vaccine research, according to The Post.

7. Russia Denies That It's Behind The Hacks

In a statement posted to Facebook late Sunday, the Russian embassy in the U.S. described the allegations as another unfounded attempt by the U.S. media to blame Russia for cyberattacks against U.S. agencies.

"Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations," the embassy wrote. "Russia does not conduct offensive operations in the cyber domain."

Russia claims that it promotes bilateral and multilateral cyber security agreements, pointing to the Sept. 25 initiative put forward by President Vladimir Putin that aims to restore Russian-U.S. cooperation in the field of international information security. Russia said it has received no reply from Washington to its Sept. 25 proposal, and that many other suggestions to start a dialogue with the U.S. remain unanswered.

6. SolarWinds' Tentacles Reach Deep Into The U.S. Government

The diversity of SolarWinds' customer base has sparked concern within the U.S. intelligence community that other government agencies could be at risk, Reuters reported Sunday. SolarWinds' stock plunged $3.48 (14.77 percent) in trading Monday morning to $20.08 per share, the lowest the company's stock has traded since Oct. 2.

SolarWinds said on its website that its technology is used by the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic and Atmospheric Administration, the Department of Justice, and the Office of the President of the United States. SolarWinds said its technology is also used by hundreds of colleges and universities worldwide.

In the private sector, SolarWinds counts all five of the top five U.S. accounting firms, all 10 of the top 10 U.S. telecommunications companies, and more than 425 of the U.S. Fortune 500 among its clients. All told, SolarWinds said its products and services are used by more than 300,000 customers worldwide.

5. Hackers Exploited Legitimate Software Updates For Remote Access

Attacks conducted as part of the campaign exploiting SolarWinds' Orion network monitoring product share several common elements, according to FireEye CEO Kevin Mandia. First, Mandia said, the attackers inserted malicious code into legitimate software updates for the Orion software, giving them remote access into the victim's environment. In addition, Mandia said the hackers went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection.
Finally, Mandia said, the adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools.

Nation-state hackers gained access to government, consulting, technology and telecom firms around the world through trojanized updates to Orion, FireEye threat researchers wrote in a blog post. Post-compromise activity has included lateral movement and data theft, according to the researchers.

4. Hackers Went Out Of Their Way To Disguise Ops, Remain Hidden

The malware inserted into SolarWinds Orion masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.

The hackers set hostnames on their command-and-control infrastructure to match a legitimate hostname found within the victim's environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection, FireEye said. The attackers' choice of IP addresses was also optimized to evade detection: they used only IP addresses originating from the same country as the victim.

Once the attackers gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access, the threat researchers said. And once legitimate remote access was achieved, FireEye found, the hackers routinely removed their tools, including their backdoors.

3. Hackers Forged Tokens To Impersonate Privileged Accounts

The hackers used administrative permissions acquired through the on-premises compromise of SolarWinds Orion to access a victim's trusted SAML token-signing certificate, said John Lambert, distinguished engineer in Microsoft's Threat Intelligence Center. This enables them to forge SAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged accounts.

A compromised token-signing certificate can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor), because those resources have been configured to trust the certificate, Lambert wrote in a blog post published Sunday. Because the forged SAML tokens are signed with the organization's own trusted certificate, the victim may miss the anomalies.

Using highly privileged accounts acquired through this technique, Lambert said, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permissions assigned to that application.

2. Orion Vulnerability Might Affect Nearly 18K Customers

SolarWinds communicated Sunday with the approximately 33,000 Orion product customers that have been active maintenance customers since March, and believes the actual number of customers that may have had an installation of the Orion products containing this vulnerability to be fewer than 18,000, according to a filing with the U.S. Securities and Exchange Commission (SEC) Monday morning. For the nine months ended September 30, 2020, total revenue from the Orion products across all customers, including those with a vulnerability, was approximately $343 million, or approximately 45 percent of total revenue.

SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in the reported attacks against U.S. government agencies. SolarWinds is also aware of an attack vector that was used to compromise the company's Microsoft Office 365 email accounts and that may have provided access to other data contained in the company's office productivity tools. SolarWinds said it is investigating with Microsoft whether any customer, personnel or other data was exfiltrated as a result of this compromise, but has not uncovered any evidence of exfiltration at this time.

1. U.S. Calls On Federal Agencies To Power Down SolarWinds Orion

The U.S. government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit. The directive instructs all agencies operating SolarWinds products to report that they have completed the shutdown by 12 p.m. ET Monday.

The directive from the Cybersecurity and Infrastructure Security Agency (CISA) comes "in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors." Specifically, the directive "calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."

"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks," said CISA Acting Director Brandon Wales in the directive. "Tonight's directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation."
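Item 4 above says the backdoor carries "obfuscated blocklists" of forensic and anti-virus tools and checks them against running processes. The following is an added example, not code from the article, FireEye or SolarWinds, showing how such a list works on both sides: the implant ships only hashes, and an analyst recovers the names by hashing a wordlist of known tools. The hash (FNV-1a 64-bit folded with an XOR constant), the constant itself and the tool names are assumptions chosen for illustration; the article does not give the real backdoor's constants or list.

```python
from typing import Dict, FrozenSet, Iterable

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
XOR_KEY = 0x5A3C9E1D7B2F4A60  # assumed constant; folding with it keeps the values out of public hash databases


def normalize(process_name: str) -> str:
    """Windows process names are case-insensitive; drop a trailing .exe so 'ProcMon.EXE' == 'procmon'."""
    name = process_name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name


def obfuscated_hash(process_name: str) -> int:
    """FNV-1a 64-bit over the normalized name, then XOR-folded with the constant."""
    h = FNV64_OFFSET
    for byte in normalize(process_name).encode("utf-8"):
        h = ((h ^ byte) * FNV64_PRIME) & MASK64
    return h ^ XOR_KEY


def build_blocklist(tool_names: Iterable[str]) -> FrozenSet[int]:
    """Attacker side, at build time: only these integers ship inside the implant."""
    return frozenset(obfuscated_hash(name) for name in tool_names)


def security_tool_present(running_processes: Iterable[str], blocklist: FrozenSet[int]) -> bool:
    """Implant side, at run time: a hit on any running process means 'stay dormant'."""
    return any(obfuscated_hash(proc) in blocklist for proc in running_processes)


def recover_names(blocklist: FrozenSet[int], candidates: Iterable[str]) -> Dict[int, str]:
    """Analyst side: the name space is tiny (known security tools), so a dictionary attack
    over candidate names recovers the plaintext behind every hash that hits."""
    hits = {}
    for candidate in candidates:
        h = obfuscated_hash(candidate)
        if h in blocklist:
            hits[h] = normalize(candidate)
    return hits


if __name__ == "__main__":
    # Constructed inputs: this tool list is illustrative, not the backdoor's real list.
    shipped = build_blocklist(["procmon", "Wireshark.exe", "autoruns"])
    print("implant stays dormant:", security_tool_present(["explorer.exe", "PROCMON.EXE"], shipped))
    # Constructed analyst wordlist: names of common forensic and AV tools plus decoys.
    wordlist = ["procmon", "procexp", "wireshark", "autoruns", "tcpview", "msmpeng", "sysmon"]
    for h, name in sorted(recover_names(shipped, wordlist).items()):
        print(f"{h:016x} -> {name}")
```

The hashing buys the attacker delay, not secrecy: the candidate space is a few hundred tool names, so the whole list falls to a wordlist in milliseconds once the hash routine is understood. The XOR constant and the FNV loop are themselves a stable fingerprint worth a detection signature, and a blocklist keyed on process names is defeated on the defender's side simply by running the tool under a different binary name.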
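Item 3 above describes forging SAML tokens with a stolen token-signing certificate and notes that the victim may miss the anomalies because the signatures are genuine. The following is an added example, not code from the article or Microsoft, that shows why the relying party cannot tell a forged assertion from a real one and shows one detection that works anyway: correlating what relying parties accepted against what the identity provider logged as issued. Assumptions: a textbook RSA key over two Mersenne primes stands in for the IdP's real 2048-bit token-signing certificate, a canonical JSON dict stands in for the XML assertion and its XML-DSig signature, and the hostnames, the one-hour lifetime policy and the log entries are all constructed for the demonstration.

```python
import hashlib
import json

# Toy key pair. 2**127-1 and 2**89-1 are Mersenne primes; N is ~216 bits, enough to cover a
# 192-bit digest and small enough to read. The private exponent D is what the attacker stole.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
IDP_PUBLIC_CERT = (N, E)  # every relying party, on-prem or cloud, has been configured to trust this


def _digest(assertion: dict) -> int:
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:24], "big")  # 192 bits < N


def sign(assertion: dict, private_exponent: int) -> int:
    return pow(_digest(assertion), private_exponent, N)


def verify(assertion: dict, signature: int, cert=IDP_PUBLIC_CERT) -> bool:
    n, e = cert
    return pow(signature, e, n) == _digest(assertion)


def make_assertion(assertion_id: str, subject: str, audience: str, issued_at: int,
                   lifetime_s: int, issuer: str = "https://idp.corp.example") -> dict:
    return {"ID": assertion_id, "Issuer": issuer, "NameID": subject, "Audience": audience,
            "NotBefore": issued_at, "NotOnOrAfter": issued_at + lifetime_s}


def sp_accept(assertion: dict, signature: int, now: int,
              audience: str = "https://mail.corp.example") -> bool:
    """Relying party check: valid signature from the trusted cert, right audience, inside the window.
    Nothing here can tell a forged assertion from a real one; that is the whole problem."""
    return (verify(assertion, signature) and assertion["Audience"] == audience
            and assertion["NotBefore"] <= now < assertion["NotOnOrAfter"])


def find_forged(accepted: list, idp_issued_ids: set, max_lifetime_s: int) -> list:
    """Detection: join what relying parties accepted against what the IdP says it issued.
    A forged token has no issuance event, and attackers tend to give themselves long lifetimes."""
    flagged = []
    for a in accepted:
        reasons = []
        if a["ID"] not in idp_issued_ids:
            reasons.append("no matching IdP issuance event")
        if a["NotOnOrAfter"] - a["NotBefore"] > max_lifetime_s:
            reasons.append("lifetime exceeds IdP policy")
        if reasons:
            flagged.append((a["ID"], a["NameID"], reasons))
    return flagged


def scenario(now: int = 1_607_900_000):
    """Constructed: one real login, one forgery with the stolen key, then the detection pass."""
    idp_issuance_log = set()
    legit = make_assertion("_a1f3", "alice@corp.example", "https://mail.corp.example", now, 3600)
    legit_sig = sign(legit, D)
    idp_issuance_log.add(legit["ID"])  # the IdP logs what it minted
    # The attacker holds D. They never touch the IdP, so nothing is logged there, and they
    # impersonate a privileged account with a 24-hour token.
    forged = make_assertion("_9c0e", "ga-admin@corp.example", "https://mail.corp.example", now, 86400)
    forged_sig = sign(forged, D)
    accepted = [a for a, s in ((legit, legit_sig), (forged, forged_sig)) if sp_accept(a, s, now)]
    return accepted, find_forged(accepted, idp_issuance_log, max_lifetime_s=3600)


if __name__ == "__main__":
    accepted, flagged = scenario()
    print("accepted by the relying party:", [a["NameID"] for a in accepted])
    for assertion_id, subject, reasons in flagged:
        print(f"FLAG {assertion_id} ({subject}): {'; '.join(reasons)}")
```

The relying party accepts both assertions, and it should: the signature on the forged one is mathematically valid. What separates them is bookkeeping the attacker did not control, the IdP's own record of which assertion IDs it issued, plus a lifetime that no legitimate login would get. The correlation only holds if the IdP's logs are intact and shipped off-host before the intrusion; and because the trust is in the certificate rather than in any session, no password reset helps, only replacing the token-signing certificate and re-establishing trust with every relying party.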