SolarWinds Orion exploited by another group of state-sponsored hackers

Another group of state-sponsored hackers has exploited the ubiquity of SolarWinds software to target US government agencies, Reuters reported on Tuesday.


State-sponsored hackers have a taste for SolarWinds?

Unlike the alleged Russian attackers who inserted malware directly into the company’s Orion network monitoring platform by compromising its build environment, another group has simply found and exploited a vulnerability in the software.

According to Reuters’ sources, among their targets was the National Finance Center (NFC), a federal agency that’s part of the U.S. Department of Agriculture (USDA) and handles payroll for a number of U.S. federal agencies, including the DHS, the FBI and the State Department. But, according to a USDA spokesman, the NFC has ultimately not been hacked.

SolarWinds confirmed that one unnamed customer was compromised by a second group of attackers, but said that the vulnerability in its Orion platform was only exploited once the attackers had already gained access to that customer’s network by other means. The company also said that it patched this specific vulnerability in December 2020.

One of the interviewed sources said that the hackers behind this attack used computer infrastructure and hacking tools previously leveraged by state-backed Chinese hackers.

Additional flaws in SolarWinds products discovered, patched

In the wake of this recent revelation comes the disclosure of three vulnerabilities found by Trustwave security research manager Martin Rakhmanov in several SolarWinds products:

  • CVE-2021-25274, affecting SolarWinds Orion, can be exploited by unprivileged users to achieve remote code execution
  • CVE-2021-25275, affecting SolarWinds Orion, can be exploited by unprivileged users who can log in to the box locally or via RDP to discover the credentials needed to access the backend database
  • CVE-2021-25276, affecting SolarWinds Serv-U FTP for Windows, can be exploited by authenticated users to add an admin account and use it to read, write to or delete any file on the system

Trustwave reported all three findings to SolarWinds, and the last of the patches were released on January 25. Administrators are advised to apply them before February 9, when Trustwave plans to release PoC code for the flaws.

Additional technical information about the vulnerabilities can be found in this blog post and several linked advisories.

“To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any ‘in the wild’ attacks,” Rakhmanov noted.
