Understanding the SolarWinds Hack: Echoes of NotPetya

Last week we heard of organizations around the world being breached through a compromised software update process in SolarWinds Orion software. This tactic, which leverages the trust relationship many organizations share with SolarWinds, a reputable software provider, echoes one of the attack vectors from the 2017 NotPetya attack.


In 2017, the Ukrainian accounting software M.E.Doc was compromised in a similar fashion, and, as with SolarWinds, the downstream customers suffered the effects of a compromised software update process.

Software supply chain compromises of this kind are notoriously difficult for a vendor's clients to protect against, because the flaws reside on infrastructure owned by the vendor, not the enterprise. However, the attackers originally compromised M.E.Doc through a known vulnerability on its external infrastructure. At the time of this writing, we do not yet know how SolarWinds was originally compromised.

That said, we do know about several software vulnerabilities related to the attack: 

VMware CVE-2020-4006 is known to be used by the attackers to elevate privileges after compromising systems through the SolarWinds update process. CYR3CON had predicted exploitation of this vulnerability in November with a CyRating over 14 (that is, 14 times more likely to be exploited than an average CVE).

FireEye released a list of sixteen vulnerabilities exploited by the penetration testing tools stolen from them. CYR3CON has previously provided predictions about all of them; you can see our coverage in last week's blog.