Network monitoring service provider SolarWinds has officially released a second hotfix to address the critical vulnerabilities in its Orion platform that were exploited to install malicious software and breach public and private entities in a widespread espionage campaign.
In a new update posted on its advisory page, the company urged its customers to immediately update Orion Platform to version 2020.2.1 HF 2 to secure their environments.
The malicious software, dubbed SUNBURST (aka Solorigate), affects Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
“Based on our investigation, we are not aware that this vulnerability affects other versions – including future versions – of Orion Platform products,” the company said.
“We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and have found no evidence that other versions of our Orion Platform products, or our other products or agents, include those markers.”
The company also reiterated that none of its other products or free agents, such as RMM and N-central, were affected by the security weakness.
Microsoft Seizes Domain Used in SolarWinds Hack
While details on how the SolarWinds infrastructure was breached are still awaited, Microsoft took the step of taking control of a key domain registered with GoDaddy – avsvmcloud[.]com – that was used by the attackers to communicate with compromised systems.
The Windows maker also said it plans to begin blocking known malicious SolarWinds binaries starting today at 8:00 AM PST.
Meanwhile, security researcher Mubix “Rob” Fuller has released a credential audit tool called SolarFlare that can be run on Orion machines to help identify accounts that may have been compromised during the breach.
“This attack was very complex and sophisticated,” SolarWinds noted in a new FAQ explaining why it could not catch the issue earlier. “The vulnerability was crafted to avoid detection and run only when detection was unlikely.”
Up to 18,000 businesses hit in a SolarWinds attack
SolarWinds estimates that as many as 18,000 of its customers could be affected by the supply chain attack. But the indications are that the campaign operators leveraged this weakness to reach only select high-profile targets.
Cybersecurity company Symantec said it had identified more than 2,000 computers at over 100 customers that received the trojanized software updates, but added that it had not observed any further malicious activity on those machines.
Even as the fallout from the breach is still being assessed, SolarWinds’ own security practices have attracted more scrutiny.
Not only does the company’s software download website appear to have been protected by a weak password (“solarwinds123”) that was published in the clear in a SolarWinds code repository on GitHub; several cybercriminals also tried to sell access to its computers on underground forums, according to Reuters.
As a result of the incident, SolarWinds has taken the unusual step of removing the customer list from its website.