Security Experts:

VMware, Cisco Reveal Impact of SolarWinds Incident

VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack.

An advisory published last week by the NSA warned that malicious actors have been “abusing trust in federated authentication environments to access protected data.” The agency noted that the recent SolarWinds Orion product hack is “one serious example of how on-premises systems can be compromised leading to abuse of federated authentication and malicious cloud access.”

In that advisory, the NSA mentioned another recent advisory, one focusing on Russian state-sponsored hackers exploiting CVE 2020-4006, a recently patched vulnerability affecting the VMware Workspace ONE Access identity management product and some related components.

SolarWinds Hack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also reported last week that it had found evidence that the compromised SolarWinds Orion platform may not have been the only initial access vector. CISA said it had been “investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified.”

The NSA advisory on the exploitation of the VMware vulnerability also mentions SAML abuse and security blogger Brian Krebs reported learning from sources that the SolarWinds attackers also exploited the VMware flaw.

The NSA has not confirmed the connection, and VMware said in a statement published on Friday that it has not received any information on CVE 2020-4006 being “exploited in conjunction with the SolarWinds supply chain compromise.”

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

As for the cyber-spies behind the SolarWinds attack targeting its own systems, VMware admitted that it has identified some “limited instances” of the compromised Orion software on its internal networks, but it has found no evidence of exploitation, and claimed that SolarWinds’ own investigation to date has also not found any evidence of exploitation against VMware.

Cisco also confirmed last week that it identified the malicious software on “a small number of lab environments and a limited number of employee endpoints.” The networking giant said it does not use SolarWinds solutions for monitoring or managing its enterprise network, and it had found no evidence that its offers or products were impacted, or that any customer data was exposed as a result of the incident.

Microsoft also confirmed detecting the malicious SolarWinds binaries on its own systems last week, but claimed it found no evidence that its systems were abused to target others. The tech giant reported identifying over 40 customers that were targeted by the threat group.

According to SolarWinds, up to 18,000 of its customers may be impacted and the list of known victims continues to grow.

Researchers reported last week that they had found evidence suggesting that the attackers penetrated SolarWinds systems at least one year before the breach was discovered.

Shortly after the SolarWinds breach came to light, several people said the attack seemed to be the work of Russian cyberspies, which U.S. Secretary of State Mike Pompeo appeared to confirm on Friday. However, President Donald Trump suggested on Saturday that it may have been China, not Russia.

Related: NATO Checking Systems After US Cyberattack

Related: Hacked Networks Will Need to be Burned 'Down to the Ground'

Related: Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.