A few days ago, attacks on various US authorities became public. The government-sponsored group, which is also said to be responsible for the successful break-in at the IT security company Fireye, used infected updates for the Orion network management software from SolarWinds as an attack tool. She smuggled this, provided with a valid digital SolarWinds signature, to the company’s update server and from there to the target systems.

This report summarizes new information, including on possible points of attack and protective measures taken. It complements the reporting of the past few days:

Cyber ​​attacks against US ministries – Moscow under suspicion Trojans in SolarWinds updates allow cyber attacks Period of attack and number of potentially affected persons In a so-called “FORM 8-K”, a standardized report, investors and the public about important events informed, SolarWinds has provided information on the period in which manipulated Orion updates were delivered, as well as the number of potentially affected customers. The SolarWinds report cites the period from March to June as the “relevant period” 2020; This largely coincides with the findings from a detailed analysis by FireEye.

According to SolarWinds, products that were downloaded or implemented before or after this period did not contain any malicious code. Observations that security researchers shared via Twitter contradict this representation, however: Shared screenshots and links are intended to document that malware-infected “updates” were still available via the company’s download portal last Monday, i.e. after the incidents became known.

According to SolarWinds, Orion’s software build system – and not the source code of Orion products – has been compromised and tampered with. The company has taken countermeasures and continues to investigate the incidents. There are currently no indications that other products could be affected. During and after the “relevant period” would have approximately 33. 000 Customers using the Orion platform; However, the company assumes that less than 18. 000 customers would have used a manipulated Orion installation.

In the meantime, the company has published two hotfixes for the Orion platform.

Older access data leak as an initial point of attack? How the attackers initially gained access to the SolarWinds network infrastructure and ultimately to the build system is still unclear. SolarWinds is investigating, among other things, whether an undiscovered vulnerability in Orion products could be responsible, according to the report.

Interesting in this context are the observations that security researcher Vinoth Kumar shared via Twitter : He pointed to a public GitHub repository that apparently contained plain text FTP access data for a SolarWinds software update server. Kumar told The Register that SolarWinds was already on 19. November 2019 to have notified the data leak by email. Using the (extremely insecure) password “solarwinds 33” he said that it was vulnerable uploaded a file to the server. In addition, he even warned the company in his email that criminal hackers could use this method to upload a malicious .exe file as a fake update for SolarWinds products. The Register article does not give details on the GitHub repository.

(Image: @vinodsparrow via Twitter)

The company has its E -Mail on 22. November 2019 answered; at the time, the access data had been available for at least two to three weeks. The email that Kumar shared as a screenshot via Twitter states that the repository is no longer publicly accessible. In addition, the leaked credentials were “taken care of”.

It is still unclear whether “take care” is to be equated with “change” or even with “use stronger passwords in the future and avoid leaks” . A statement from SolarWinds on whether there is any connection between the leak from last year and the current incidents is not yet available. In any case, Kumar’s description does not cast a positive light on SolarWind’s previous handling of the topic of network security. And it raises the question of whether the success of the attack, however sophisticated it may actually have been, is not also due to some extent to negligence.

As with the valid digital signature of the manipulated Updates came, is still unclear.

Microsoft takes over C&C domain IT security blogger Brian Krebs has pointed out that the domain avsvmcloud com , which the attackers used to communicate with compromised systems, was apparently taken over by Microsoft. The company has already taken control of malware domains in coordination with (US) security authorities, for example to help break up the Necurs botnet or to attack the infrastructure of the Trickbot gang.

Microsoft only confirmed the domain takeover indirectly: Senior Director Jeff Jones replied to Krebs’ tweet that everyone should do their part in the area of ​​cybersecurity. (ovw)