Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon, a Mastercard company that specializes in risk assessment.
Threat actors believed to be backed by Russia breached Texas-based IT management firm SolarWinds and used that access to deliver a piece of malware named Sunburst to roughly 18,000 customers who had been using the company’s Orion monitoring product. A few hundred victims that presented an interest to the hackers received other payloads that provided deeper access into their environments.
A second, apparently unrelated threat group believed to be operating out of China also targeted SolarWinds, delivering a piece of malware named Supernova. The delivery of Supernova required access to the targeted network and involved exploitation of a zero-day vulnerability in Orion, which SolarWinds patched shortly after its existence came to light.
RiskRecon on Friday said it observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) released by SolarWinds in response to the breach.
Even more concerning is that 4% of the companies that expose Orion still use a version containing the Sunburst code. Moreover, roughly one-third of these organizations still haven’t patched the vulnerability exploited by Supernova.
RiskRecon says the list of organizations running vulnerable Orion instances includes state and local government agencies, universities, hosting providers, and Fortune 500 firms.
Microsoft Believes 1,000 Hackers Involved in SolarWinds Attack
An article published by the New York Times in January said some intelligence officials had concluded that “more than a thousand Russian software engineers” were most likely involved in the attack. Some cybersecurity professionals questioned the claims at the time.
However, Brad Smith, president and legal chief at Microsoft, reiterated the belief over the weekend in an interview on the CBS program 60 Minutes.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” Smith said, adding that Microsoft tasked 500 engineers with investigating the attack.
Smith also said the attackers had written roughly 4,000 lines of code that were then delivered to customers of SolarWinds’ Orion product.
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.