The cyber-attack that hit several US government agencies this week could be much more widespread than previously thought.

SolarWinds, the company whose network monitoring software was compromised to launch the attack, has issued a security advisory for all users of its Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1.

“SolarWinds has been made aware of a cyberattack to our systems that inserted a vulnerability within our SolarWinds Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.

“We have been advised that this incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker.”

The company has ensured that the affected software builds are no longer available for download.

It suggests that customers running the affected versions of the software immediately upgrade their systems or apply the hotfix.

“Based on our investigation, we are not aware that this vulnerability affects other versions – including future versions – of Orion Platform products,” the company states. “We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our other products or agents contain those markers.

“As such, we are not aware that other versions of Orion Platform products have been impacted by this security vulnerability. Other non-Orion Platform products are also not known by us to be impacted by this security vulnerability.”

Meanwhile, Microsoft has moved quickly to neutralise the threat. On Sunday, the day news of the hack broke, Microsoft removed the digital certificates used by the compromised files, so all Windows systems immediately stopped trusting those files. It also updated Microsoft Windows Defender to detect and alert on the affected files.

Next, the company “sinkholed” one of the domains used by the malware for command and control, effectively severing the hacker’s control of the malware.

The final step was to change Windows Defender’s default action for the compromised files to “Quarantine”, effectively killing off the malware when it is detected on Windows-based systems.
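To make the “sinkholing” step above concrete, here is a small added example (not code from the article, Microsoft or SolarWinds) of how a defender-controlled resolver answers queries for a seized command-and-control domain. The domain names, IP addresses and query log lines are constructed placeholders, not the real infrastructure from the incident; the real value of a sinkhole is that every lookup of the seized name becomes an alert identifying an infected host.

```python
"""Minimal DNS sinkhole resolver (added illustration, not the article's code).

Queries for a sinkholed domain, or any host beneath it, are answered with an
address the defender controls instead of the attacker's server, and each such
query is recorded so infected clients can be identified.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

SINKHOLE_IP = "192.0.2.1"                    # RFC 5737 documentation address (assumed)
SINKHOLED_DOMAINS = {"c2.example.invalid"}   # placeholder C2 domain, not the real one

# Stand-in for upstream DNS so the example runs offline (constructed data).
UPSTREAM = {
    "updates.example.invalid": "198.51.100.7",
    "c2.example.invalid": "203.0.113.9",     # what the attacker's DNS would have answered
}


@dataclass
class Alert:
    timestamp: str
    client: str
    qname: str


@dataclass
class SinkholeResolver:
    sinkholed: Set[str]
    sinkhole_ip: str
    alerts: List[Alert] = field(default_factory=list)

    def resolve(self, client: str, qname: str, timestamp: str) -> Optional[str]:
        """Answer one query; returns None to stand in for NXDOMAIN."""
        name = qname.rstrip(".").lower()     # normalise trailing dot and case
        # Match the seized domain and every subdomain (malware often uses
        # generated hostnames under the parent), so no variant slips through.
        if any(name == d or name.endswith("." + d) for d in self.sinkholed):
            self.alerts.append(Alert(timestamp, client, name))
            return self.sinkhole_ip
        return UPSTREAM.get(name)


def parse_query_log(lines: Iterable[str]) -> Iterable[Tuple[str, str, str]]:
    """Parse constructed log lines of the form '<timestamp> <client-ip> <qname>'."""
    for line in lines:
        timestamp, client, qname = line.split()
        yield timestamp, client, qname


def run_sinkhole(lines: Iterable[str]) -> Tuple[List[Tuple[str, str, Optional[str]]], List[Alert]]:
    """Replay a query log through the sinkhole; returns (answers, alerts)."""
    resolver = SinkholeResolver(set(SINKHOLED_DOMAINS), SINKHOLE_IP)
    answers = [(client, qname, resolver.resolve(client, qname, ts))
               for ts, client, qname in parse_query_log(lines)]
    return answers, resolver.alerts


def infected_hosts(lines: Iterable[str]) -> List[str]:
    """Clients that queried the sinkholed domain, which is the detection signal."""
    _, alerts = run_sinkhole(lines)
    return sorted({a.client for a in alerts})


# Constructed sample log: one benign lookup, two C2 lookups (one for a
# generated subdomain, one in upper case with no trailing dot), one unknown name.
SAMPLE_LOG = [
    "2020-12-13T10:00:01Z 10.0.0.5 updates.example.invalid.",
    "2020-12-13T10:00:07Z 10.0.0.8 abc123.c2.example.invalid.",
    "2020-12-13T10:00:09Z 10.0.0.5 C2.EXAMPLE.INVALID",
    "2020-12-13T10:00:12Z 10.0.0.9 nosuch.example.invalid",
]

if __name__ == "__main__":
    answers, alerts = run_sinkhole(SAMPLE_LOG)
    for client, qname, answer in answers:
        print(f"{client:10} {qname:32} -> {answer}")
    print("hosts to investigate:", infected_hosts(SAMPLE_LOG))
```

Run as a script it prints each answer and the two hosts (10.0.0.5 and 10.0.0.8) that tried to reach the seized domain; in a real deployment the alert list would feed the SOC's ticketing or SIEM, while the sinkhole address itself serves nothing, which is what breaks the attacker's control channel.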

The attack, which is believed to be the work of Russian hackers, is known to have hit the US State Department, the Department of Homeland Security and parts of the Pentagon – although all organisations that downloaded the affected software between March and June 2020 could have been affected.

The company estimates that around 16 000 users may have downloaded the compromised update.