SolarWinds attack victims: Mimecast, Palo Alto Networks, Qualys and Fidelis Cybersecurity
As expected, the list of companies that have become victims of the SolarWinds attack continues to grow. It has now emerged that the high-profile supply-chain attack also affected Mimecast, Palo Alto Networks, Qualys and Fidelis Cybersecurity.

Let me remind you that the attack on SolarWinds is attributed to a supposedly Russian-speaking hack group, which information security experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye) and Dark Halo (Volexity).
In December 2020, it became known that unknown hackers had attacked SolarWinds and infected its Orion platform with malware.
Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers’ machines, according to official figures. As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the Department of State and the National Nuclear Security Administration.
In mid-January 2021, Mimecast representatives had already warned that an unknown attacker had obtained one of the company's digital certificates and abused it to gain access to some Microsoft 365 customer accounts.
The compromised certificate was used by several of the company's products (Mimecast Sync and Recover, Continuity Monitor, and IEP) to connect to Microsoft's infrastructure. About 10% of the company's customers used these products with this certificate, but the attacker abused it to access only a few Microsoft 365 accounts. The company said that the number of affected customers is a "low single-digit" figure, and all of them have already been notified of the incident.
As has now become clear, the compromise of the certificate was directly related to the SolarWinds hack, since Mimecast was running an infected version of Orion. In other words, the same hackers who attacked SolarWinds also used the company's certificate.
Palo Alto Networks
Representatives of Palo Alto Networks told a Forbes journalist that in September and October 2020 the company had two separate incidents related to SolarWinds software.
"Our SOC immediately isolated the [problematic] server, initiated an investigation, and eventually confirmed that our infrastructure was safe," the company says.
Palo Alto Networks also said it had investigated these cases as separate, unrelated incidents. The investigations yielded little, and the experts concluded that "the attack attempt was unsuccessful and no data was compromised."
The same Forbes article mentions a report by Netresec specialists, published earlier this week, in which the researchers say they found 23 new domains that the SolarWinds attackers used to deploy second-stage payloads on victim networks.
Two of these domains were located under corp.qualys.com, which indicated that Qualys, a giant in information security auditing, could also have been a victim of the attackers.
However, in a conversation with Forbes reporters, Qualys said that the company's engineers had installed the infected version of Orion in a laboratory environment isolated from the main network, solely for testing purposes. In other words, the company maintains that it was not compromised.
Fidelis Cybersecurity is another major victim of the SolarWinds hack. The compromise was announced in the company's blog by its head, Chris Kubic.
As it turned out, in May 2020 Fidelis Cybersecurity had also installed an infected version of Orion for evaluation.
"The installation of this software was traced back to a specific machine, configured as a test system, isolated from our core network and rarely turned on," Kubic writes.
Although the attackers tried to extend their access into the company's internal network, experts believe that the test system was "isolated enough and too rarely turned on for attackers to proceed to the next stage of the attack."
I also wrote that Malwarebytes suffered at the hands of the hackers who arranged the SolarWinds attack.