The Solarigate story continues. Four more security vendors have now disclosed "incidents" related to the supply chain attack via SolarWinds Orion products.
A few days ago, in the blog post Malwarebytes also successfully hacked by the SolarWinds attackers, I mentioned that security vendor Malwarebytes was a victim of the Solarigate attacks. The first security vendor known to have been successfully hacked, however, was FireEye, see FireEye hacked, Red Team tools stolen. The list of companies that fell victim to the supply chain attack via the backdoor in SolarWinds' Orion products unfortunately has to be extended by four more security vendor names. I stumbled across the following information on Twitter last night from Catalin Cimpanu, who put it all together in an article on ZDNet.com.
Cybersecurity vendors Mimecast, Palo Alto Networks, Qualys and Fidelis have announced that they were hit by the Solarigate attacks attributed to the SolarWinds attackers.
Mimecast security incident
Mimecast Limited is a UK-headquartered company registered in the Channel Island of Jersey (a tax haven) that specializes in cloud-based email management for Microsoft Exchange and Microsoft Office 365, including security, archiving and continuity services to protect business email. On Jan. 12, 2021, Mimecast admitted in an alert to its customers that attackers had obtained and misused one of its digital certificates to gain access to some of its customers' Microsoft 365 accounts.
The products that authenticate to Microsoft 365 with that certificate include Mimecast Sync and Recover, Continuity Monitor and IEP, the company said in a published message (I had caught this but didn't pick it up on the blog due to lack of time). According to Mimecast, about 10% of all customers used the affected products with that particular certificate, and the threat actor misused the stolen certificate to gain access to only a handful of those customers' Microsoft 365 accounts. In an updated post, Mimecast has now confirmed that the incident was part of the SolarWinds attacks.
Palo Alto Networks security incident
Palo Alto Networks, Inc. is an American multinational IT security company headquartered in Santa Clara, California. Its core product is a platform of advanced firewalls, complemented by cloud-based offerings that add further security functions to those firewalls. Palo Alto Networks apparently told Forbes investigative reporter Thomas Brewster that it had discovered two security incidents in September and October 2020.
At the time, nobody suspected that this could be the same supply chain attack that FireEye later fell victim to. Only after the information about the SolarWinds attacks became public could the two incidents be linked to the attack via the SolarWinds software. Palo Alto Networks states that the investigation of the incidents turned up little: the attempted attack was assessed as unsuccessful and no data was compromised.
Qualys also potentially affected
Qualys, Inc. provides cloud security, compliance and related services and is based in Foster City, Calif. According to the Forbes article cited above, Erik Hjelmvik, founder of network security firm Netresec, listed 23 new internal domain names of infected networks that the SolarWinds attackers had singled out as most valuable and supplied with second-stage payloads.
Two of those 23 entries were "corp.qualys.com", which suggests that cybersecurity auditing giant Qualys was among the attackers' targets. However, Qualys told Forbes that its technicians had installed a trojanized version of the SolarWinds Orion software in a lab environment, disconnected from the primary network, for testing purposes. A subsequent investigation found no evidence of further malicious activity or data exfiltration, the company said.
Some security researchers do not give credence to the company's statement, however. They suspect that the domain name "corp.qualys.com" indicates that the attackers reached the company's primary corporate network, not a lab environment as the company claims. The case remains unclear.
Fidelis confirms attack
Fidelis Cybersecurity is another security vendor whose products aim to improve enterprise security. In a blog post, a Fidelis executive discloses that in May 2020 the company installed a trojanized version of the SolarWinds Orion software as part of a "software evaluation." "The software installation was performed on a machine configured as a test system, isolated from our core network and rarely powered on," said Chris Kubic, the Fidelis executive. Fidelis states that despite the attacker's efforts to escalate access within Fidelis' internal network, the company believes the test system was "sufficiently isolated and too infrequently powered on for the attacker to have taken it to the next level of attack."
Since December 2020, a large-scale hacking campaign has shaken the IT world, in the U.S. in particular but also in other countries. Suspected state-sponsored attackers managed to inject a backdoor into the SolarWinds Orion software. This SUNBURST backdoor was then delivered to up to 18,000 customers with a regular SolarWinds Orion software update. Orion is used by many government agencies and businesses.
It is now known that the actors used this backdoor, along with further malware, to penetrate more than 100 U.S. government agencies and companies in order to obtain information from them. The attackers were able to move undetected in the victims' networks for months. The case came to light because the attackers stole security vendor FireEye's so-called Red Team tools during an intrusion that caught the attention of a FireEye employee. The articles linked below contain more information.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft’s analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian ATP malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers