The investigation by SolarWinds into the recent attacks that leveraged its products to threaten government and private sector organizations revealed that 18,000 clients might have used the compromised products, the company said in a Monday filing with the Securities and Exchange Commission (SEC).
The provider of IT management and monitoring solutions has confirmed reports that the software build system for its Orion monitoring platform was breached by threat actors, who used that access to push Trojanized updates to customers between March and June 2020. The vendor says that, to compromise a server running the Orion product, the attacker would have had to exploit the vulnerability introduced by those updates.
“On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.” reads the SEC filing.
Updates published by IT company SolarWinds, which provides its products to government agencies, military, and intelligence offices, were tampered with by the cyber espionage group, two people familiar with the matter told the Reuters agency.
SolarWinds also noted that it detected an attack targeting its email and productivity systems in Microsoft Office 365, but the company is still trying to ascertain whether this incident is linked to the Orion breach, and says it has not found any proof that information was exfiltrated.
A report published by the Washington Post, citing unnamed sources, attributes the attacks to APT29, or Cozy Bear, the Russia-linked APT that is believed to have recently compromised the top cybersecurity firm FireEye. Victims include the US Treasury and the National Telecommunications and Information Administration (NTIA) of the Commerce Department. The hack allowed the threat actors to spy on internal email traffic.
SolarWinds has released a hotfix and plans to release another update by December 15 (today) that will replace the compromised component and provide additional security upgrades. The company pointed out that there is no evidence that other products were affected, and noted that the vulnerability was contained only in products downloaded, installed or updated between March and September. Apparently, the source code archive of the Orion products was not compromised.
FireEye, one of the companies apparently targeted in the SolarWinds campaign, reported that numerous victims were identified, including government, technology, consulting, extractive, and telecom organizations in North America, Europe, the Middle East, and Asia.
However, in its SEC filing, SolarWinds noted that it “is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in any of the” attacks reported by the media.
SolarWinds has more than 300,000 customers globally, including over 425 of the U.S. Fortune 500 firms, all the major U.S. telecoms companies, the U.S. military, the Department of State, the Pentagon, the NSA, and the Justice Department, according to its website.
On Sunday, the DHS released an emergency directive instructing federal agencies to look immediately for signs of compromise, gather forensic evidence for investigation, and take measures to lock the attackers out.
FireEye, which tracks the attacker as UNC2452, said that the hackers used the trojanized SolarWinds software to deliver a backdoor called SUNBURST and, in at least some cases, other previously unknown payloads.