Security IT

SolarWinds Says 18,000 Customers Were Impacted by Recent Hack (zdnet.com) 23

IT software provider SolarWinds downplayed a recent security breach in documents filed with the US Securities and Exchange Commission on Monday. From a report: SolarWinds disclosed on Sunday that a nation-state hacker group breached its network and inserted malware in updates for Orion, a software application for IT inventory management and monitoring. Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory. The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers.

But while initial news reports on Sunday suggested that all of SolarWinds' customers were impacted, in SEC documents filed today, SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, a software platform for IT inventory management and monitoring, and that fewer than 18,000 are believed to have installed the malware-laced update. The company said it notified all its 33,000 Orion customers on Sunday, even if they didn't install the trojanized Orion update, with information about the hack and mitigation steps they could take.

  • Pretty lame response (Score:5, Interesting)

    by CaptAubrey ( 6299102 ) on Tuesday December 15, 2020 @01:44PM (#60834144)
    I'm sure the company lawyers are parsing every word that SolarWinds publishes regarding this. I was on the DHS/CISA conf call yesterday, this isn't your everyday vulnerability. It's a mess.
    • I'm not that close to it... thankfully.

      But this does seem like the most serious breach in my lifetime. Amazingly far reaching in impact and scope....

      Sad but interesting times. I'm working hard to keep my network safe.

    • by Anonymous Coward

      If the Krebs article is correct, they're already dead. Easily guessed password used to admin their download site and they were notified about it over a year ago.

    • by DarkOx ( 621550 )

      I am still trying to reconcile "supply chain issue" and signed binary. "supply chain issues" were/are one of the things code signing was supposed to address.

      Really curious to see more details coming out here.

      • It only mitigates some potential issues, like breach of the supplier's website.

        If the supplier's code pipelines and PKI are owned then all bets are off, you're just getting signed malware at that point.

  • suspicious of the solarwinds ads that popped up here on slashdot. Will slashdot continue peddling vendors with weak supply chains?

  • I spent all day yesterday researching this, and guiding my team as we checked our environment. Then I did more this morning.

  • by Anonymous Coward on Tuesday December 15, 2020 @01:48PM (#60834168)

    https://www.fireeye.com/blog/t... [fireeye.com]

    SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.

    Immediate Mitigation Recommendations

    SolarWinds recommends all customers immediately upgrade to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. In addition, SolarWinds has released additional mitigation and hardening instructions here.

    In the event you are unable to follow SolarWinds’ recommendations, the following are immediate mitigation techniques that could be deployed as first steps to address the risk of trojanized SolarWinds software in an environment. If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.

            Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted. This should include blocking all Internet egress from SolarWinds servers.
            If SolarWinds infrastructure is not isolated, consider taking the following steps:
                    Restrict scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
                    Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
                    Block Internet egress from servers or other endpoints with SolarWinds software.
            Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.
            If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.
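
Added example, not part of the comment above and not SolarWinds or FireEye code: a Python triage of an Orion inventory against the version range given in the story (2019.4 through 2020.2.1) and the upgrade target quoted above (2020.2.1 HF 1). The host names and inventory are constructed, and treating anything at or above 2020.2.1 HF 1 as outside the range is an assumption drawn from those two statements.

```python
import re

# Bounds as stated on this page; everything else here is illustrative.
AFFECTED_MIN = (2019, 4, 0)        # "2019.4"
AFFECTED_MAX = (2020, 2, 1)        # "2020.2.1"
FIXED = ((2020, 2, 1), 1)          # "2020.2.1 HF 1"

_VERSION = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s+HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), hotfix) for strings like '2020.2.1 HF 1'."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    base += (0,) * (3 - len(base))  # pad '2019.4' to (2019, 4, 0)
    return base, int(m.group(2) or 0)


def classify(text):
    """Place one version string relative to the affected range."""
    base, hotfix = parse_version(text)
    # The hotfix level matters: 2020.2.1 is in range, 2020.2.1 HF 1 is the fix.
    if (base, hotfix) >= FIXED:
        return "fixed-or-newer"
    if AFFECTED_MIN <= base <= AFFECTED_MAX:
        return "in-affected-range"
    return "older-than-range"


def triage(inventory):
    """Map host -> status; unparseable versions are surfaced, never skipped."""
    results = {}
    for host, version in inventory:
        try:
            results[host] = classify(version)
        except ValueError:
            results[host] = "needs-manual-check"
    return results


SAMPLE_INVENTORY = [  # constructed sample data, hypothetical hosts
    ("nms-01", "2019.4 HF 5"),
    ("nms-02", "2020.2.1"),
    ("nms-03", "2020.2.1 HF 1"),
    ("nms-04", "2019.2 HF 3"),
    ("nms-05", "Orion (unknown build)"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host that lands in the affected range is a candidate for the isolation and credential steps quoted above, not a confirmed compromise.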

    • "Ensure that SolarWinds servers are isolated / contained until a further review and investigation is conducted."

      SolarWinds is Network Management software. This renders the software entirely useless!

      Sorry for the plug, but you could always contact CirrusPoint Solutions https://cirruspoint.com if you would like to use REAL Network Management software that doesn't have 'Improvement' software built in that sends your 'usage data' back to the mother ship allowing hackers a vehicle to hide their malware, and doe

  • Always thought of update servers as the best target for the black hat hackers. As far back as Windows 95? Was that when Microsoft created the idea of more easily installed security problems?

    Anyway, so long ago that I can't remember the math when I calculated the number of machines that could be infected in one day via that path. I do remember concluding with the hope that Microsoft was guarding that basket extremely carefully...

    But I bet that SolarWinds is using a license agreement patterned after Microsoft

    • Well no one can "sue" open-source so that's kind of a meaningless distinction. A far more productive discussion would be what ANYONE that relies on servers they don't control* can do to ensure it doesn't affect theirs? Install the bad software on a sacrificial setup, and see what it affects?**

      *Which pretty much is every software delivered digitally.
      **Kind of like, plug in that USB key from the parking lot and see what it does to this sacrificial centrifuge.

      • by DarkOx ( 621550 )

        That remains one of my big questions here. What I have read and seen screenshots of so far seems to indicate the affected software is code signed. So even if the hackers got the update server how did they sign the code? If the updates and binaries are NOT actually signed; why the hell are they not signed! If they are signed but the hacked copies are not or the signatures are not valid why are the signatures being checked by the updater?

        This weak password on the update server does not seem like it can be the

        • by clovis ( 4684 )

          The signing of the code was my question too. They had to be deeper into SolarWinds than just the update server in order to do that and keep it hidden. It makes me wonder if whoever broke into SolarWinds may well still be there.
          Then there's the possibility of an insider assisting with the hack.

          • by shanen ( 462549 )

            Well, there are several ways it could have been done, but one report I've read indicated they may have subverted the DNS. However my point was that any subversion of an upgrade server is potentially disastrous.

            So why did Ostracus change the Subject in that way? Now I'm wondering if he's claiming to be a black hat hacker but at the same time he's confessing that he doesn't understand the utility of attacking upgrade servers? Or maybe saying that he thinks there is some better "holy grail" for black hack hack

    • by Monoman ( 8745 )

      I would say monitoring systems are the holy grail. These systems typically have access to everything else and often with some elevated privilege.

      • by shanen ( 462549 )

        Ah, so that is why the other fellow changed the Subject? However I'm not sure I'm persuaded because there are lots of nice juicy target systems that aren't monitored. Or are you suggesting that the black hats are too chivalrous to go after children and helpless old folks who have computers?

  • These schemes remind me of a mountain of gold bricks in a Walmart parking lot guarded by an unarmed Walmart greeter.

  • Should have added more Procedures, Layers of Management and Oversight and more bullet proof certifications like ISO, CMMI, NIST, etc. More paperwork will crush viruses before they pop up.
    • Had Solarwinds complied with ANY standard, this hack would have been stopped TWICE.

      First, they wouldn't have "protected" their update server with a password that was easily guessed. Secondly, they would have taken appropriate action when they were notified about that problem.

  • That's "only" 18000 organizations, like including hundreds of big ones. Not exactly reassuring...

  • And yet another major story where the target OS is not prominently mentioned. For Slashdotters that matters not but for public awareness it should.
