Not long ago the SolarWinds cyberattack was all over the news, and now new vulnerabilities have come to light that attackers could exploit. Researchers from Trustwave have identified three new critical flaws. The vulnerabilities could give an attacker access that leads to compromise of the network infrastructure, with serious consequences for SolarWinds customers. SolarWinds had confirmed that the earlier exploits were patched and that security had been tightened, but that does not seem to have been enough. Although no data is known to have been compromised so far, the company has confirmed that software patches address the possible exploits.
NBC News obtained a statement from SolarWinds confirming that “Vulnerabilities of varying degrees are common in all software products, but we understand that there is heightened scrutiny on Solarwinds right now”. Trustwave first approached SolarWinds about the flaws in late December, Mador said, and gave it time to release the patch. Trustwave will wait one more week to release the “proof of concept,” showing exactly how the flaws could be exploited, he said. A separate report from Reuters suggested that Chinese hackers exploited a SolarWinds defect to access the Agriculture Department. SolarWinds said in a statement that the hackers first broke into the Agriculture Department's network and then added malicious code to the SolarWinds Orion software on the customer's infrastructure. [Reference]
The latest security issues discovered by Trustwave include two in the SolarWinds Orion Platform and one in SolarWinds Serv-U FTP for Windows. All three were resolved prior to public disclosure. Trustwave flagged all three vulnerabilities as ‘severe’, with the most critical bug allowing remote code execution with high privileges. The researchers concluded that a separate vulnerability could allow any local user, regardless of privileges, to take complete control of the SOLARWINDS_ORION database, which would let an adversary not only steal valuable information but also add new administrative privileges in order to keep that control in place.
Trustwave highlighted that, taken together, these issues could result in a ‘full server takeover’, underlining the seriousness of the vulnerabilities and the damage they could cause. The earlier SolarWinds attack is suspected to have been carried out by a small group associated with the Russian intelligence agencies. APT29, also known as Cozy Bear, is the suspected group behind that attack, which compromised the update mechanism of Orion. The network attacks affected various US government agencies as well as technology firms including Microsoft and FireEye before the intrusion was discovered last December. The ultimate objective of the attacks, which forensic work dates to as early as March 2020, was likely cyber espionage. [Reference]. For the full article and details of these vulnerabilities, see the Trustwave blog.