30% of “SolarWinds hack” victims didn’t actually use SolarWinds

By | January 29, 2021
Image: This is an artist’s concept of Wind, a NASA spacecraft (https://solarsystem.nasa.gov/missions/wind/in-depth/) which spent twenty years gathering data on the solar wind (no relation).

When security firm Malwarebytes announced last week that it had been targeted by the same attacker that compromised SolarWinds’ Orion software, it noted that the attack did not use SolarWinds itself. According to Malwarebytes, the attacker had used “another intrusion vector” to gain access to a limited subset of company emails.

Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency (CISA), said nearly a third of the organizations attacked had no direct connection to SolarWinds.

[The attackers] gained access to their targets in a variety of ways. This adversary has been creative… it is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.

Many of the attacks gained their initial foothold by password spraying to compromise individual email accounts at targeted organizations. Once the attackers had that foothold, they used a variety of complex privilege escalation and authentication attacks to exploit flaws in Microsoft’s cloud services. Another of the advanced persistent threat (APT) group’s targets, security firm CrowdStrike, said the attacker tried unsuccessfully to read its email by leveraging a compromised account of a Microsoft reseller the firm had worked with.
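As an added illustration from the defender’s side (not code from the article or from any of the companies named), this is the kind of check that catches the password spraying described above: sign-in failures grouped by source rather than by account, run over constructed sample events whose field layout is an assumption.

```python
# Password-spray detection over sign-in logs (added example, not from the article).
# A spray tries a few passwords against many accounts, so per-account lockouts
# never trip; group failures by source instead and flag sources that fail
# against many distinct accounts in a short window. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-01-20T08:00:01Z,alice@example.org,203.0.113.7,failure
2021-01-20T08:00:03Z,bob@example.org,203.0.113.7,failure
2021-01-20T08:00:05Z,carol@example.org,203.0.113.7,failure
2021-01-20T08:00:07Z,dave@example.org,203.0.113.7,failure
2021-01-20T08:00:09Z,erin@example.org,203.0.113.7,failure
2021-01-20T08:00:11Z,frank@example.org,203.0.113.7,success
2021-01-20T08:01:00Z,alice@example.org,198.51.100.4,failure
2021-01-20T08:01:30Z,alice@example.org,198.51.100.4,failure
2021-01-20T08:02:00Z,alice@example.org,198.51.100.4,success
"""  # constructed layout: timestamp,user,source_ip,result

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source_ip -> set of accounts for sources whose failures hit at
    least min_accounts distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged

def footholds(events, flagged):
    """Accounts that later signed in successfully from a flagged source:
    the initial foothold the article describes, and the first to reset."""
    return sorted(u for _, u, ip, r in events if ip in flagged and r == "success")
```

The second source in the sample (repeated failures against one account) is deliberately not flagged: that pattern is what per-account lockout already handles, while the spray pattern is invisible to it.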

According to The Wall Street Journal, SolarWinds is now investigating the possibility that these Microsoft flaws were the APT’s first vector into its own organization. In December, Microsoft said the APT in question had accessed its own corporate network and viewed internal source code—but that it found “no indications that our systems were used to attack others.” At that time, Microsoft had identified more than 40 attacks on its customers, a number that has increased since.

Microsoft Corporate VP of Security, Compliance, and Identity Vasu Jakkal told ZDNet that the “SolarWinds” campaign isn’t an isolated emergency so much as the new normal, saying, “These attacks are going to continue to get more sophisticated. So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm.”