{"id":38681,"date":"2020-12-14T02:10:47","date_gmt":"2020-12-14T02:10:47","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/security-vendor-solarwinds-says-product-updates-were-subverted-by-nation-state-fireye-says-exploit-is-rampant\/"},"modified":"2020-12-14T02:10:47","modified_gmt":"2020-12-14T02:10:47","slug":"security-vendor-solarwinds-says-product-updates-were-subverted-by-nation-state-fireye-says-exploit-is-rampant","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/security-vendor-solarwinds-says-product-updates-were-subverted-by-nation-state-fireye-says-exploit-is-rampant\/","title":{"rendered":"Security vendor SolarWinds says product updates were subverted by nation-state, Fireye says exploit is rampant"},"content":{"rendered":"
<\/div>\n

UPDATE<\/span> Security vendor SolarWinds\u2019 \u201cOrion\u201d IT monitoring platform has been compromised, and speculation is swirling that it was used in attacks on major US government agencies that could also be linked to last week\u2019s revalation<\/a> that security vendor FireEye\u2019s top hacking tools have been accessed.<\/p>\n

A statement from Kevin Thompson, SolarWinds president and CEO says the company is “aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products.”<\/p>\n

“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.\u201d<\/p>\n

As we report in our update to this story below, FireEye says it found the flaw in a compromised .dll file that was posted to the downloads section of SolarWinds’ site.<\/p>\n

The Register<\/i> has asked SolarWinds for further detail, but evidence of updates in the relevant timeframe is not hard to find: here\u2019s a June 2020<\/a> patch to the company\u2019s remote monitoring agent for Windows.<\/p>\n

\n

If you\u2019re a SolarWinds customer, assume compromise and immediately activate your incident response team.<\/p>\n<\/blockquote>\n

News of the SolarWinds hack was broken by newswire Reuters<\/i>, which also reports that US government agencies, among them Treasury and the Department of Commerce, have been hit with a hack so serious that the National Security Council met to discuss it on Saturday.<\/p>\n

The Washington Post<\/i> has reported<\/a> that the government hacks were made possible by flaws in SolarWinds products and that the attack was perpetrated by Russian hacking group APT29, aka Cozy Bear. US government officials have acknowledged the incidents, but have not offered further details.<\/p>\n

This situation is properly scary because a supply chain attack that poisons product updates issued by a major security vendor suggests that Cozy Bear could be deep inside all sorts of systems and vendors. If that doesn\u2019t scare you, maybe SolarWinds\u2019 customer list<\/a> will, as it mentions the following organisations are users.<\/p>\n