SolarWinds and FireEye are likely names you’ve never heard of before, but unfortunately for us all, there are companies you might have heard of that do use their services.
We say unfortunately because, over the last week and a bit, FireEye and SolarWinds have found themselves in the midst of an ongoing cyberattack. Cyberattacks are common, sure, but this time around experts are worried and we are as well.
Let’s break down the timeline of events.
On 8th December, cybersecurity firm FireEye revealed that it had been targeted by “a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”
The firm discovered that its Red Team (a term often used in cybersecurity to describe a team of penetration testers) assessment tools had been taken by the threat actor. These tools don’t contain zero-day exploits according to FireEye.
“Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly,” chief executive officer at FireEye, Kevin Mandia, wrote last week.
As with all cybersecurity incidents, an investigation followed, and the results of that investigation were published this week. According to a report by Brian Krebs at Krebs on Security, the attack at FireEye is linked to an attack at another firm, SolarWinds.
So what happened at SolarWinds?
“SolarWinds was the victim of a cyberattack to our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run,” the firm wrote.
A fix is available in Orion Platform version 2020.2.1 HF 2, which SolarWinds advises customers to upgrade to as soon as possible.
The scope of this supply chain attack is massive, as Microsoft president Brad Smith explained in an extensive blog.
“The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organisations they wanted to further attack, which it appears they did in a narrower and more focused fashion. While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures,” wrote Smith.
Further analysis by Microsoft reveals that 44 percent of the targets are in the IT sector, 18 percent are government and NGOs, 9 percent are government contractors and 11 percent are simply classified as other.
As the Microsoft president goes on to explain, the sheer scale of this supply chain attack could have dire consequences.
“In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under,” Smith added.
The threat actor is unknown at this stage, though various sources appear to be pointing at Russia.
This attack is mightily concerning as the SolarWinds client list includes more than 425 Fortune 500 companies and telecom operators.
“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks. As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts,” concluded Smith.