Connect with us

Hi, what are you looking for?



VMware, Cisco Reveal Impact of SolarWinds Incident

VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack.

VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack.

An advisory published last week by the NSA warned that malicious actors have been “abusing trust in federated authentication environments to access protected data.” The agency noted that the recent SolarWinds Orion product hack is “one serious example of how on-premises systems can be compromised leading to abuse of federated authentication and malicious cloud access.”

In that advisory, the NSA mentioned another recent advisory, one focusing on Russian state-sponsored hackers exploiting CVE 2020-4006, a recently patched vulnerability affecting the VMware Workspace ONE Access identity management product and some related components.

SolarWinds Hack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also reported last week that it had found evidence that the compromised SolarWinds Orion platform may not have been the only initial access vector. CISA said it had been “investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified.”

The NSA advisory on the exploitation of the VMware vulnerability also mentions SAML abuse and security blogger Brian Krebs reported learning from sources that the SolarWinds attackers also exploited the VMware flaw.

The NSA has not confirmed the connection, and VMware said in a statement published on Friday that it has not received any information on CVE 2020-4006 being “exploited in conjunction with the SolarWinds supply chain compromise.”

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

As for the cyber-spies behind the SolarWinds attack targeting its own systems, VMware admitted that it has identified some “limited instances” of the compromised Orion software on its internal networks, but it has found no evidence of exploitation, and claimed that SolarWinds’ own investigation to date has also not found any evidence of exploitation against VMware.

Advertisement. Scroll to continue reading.

Cisco also confirmed last week that it identified the malicious software on “a small number of lab environments and a limited number of employee endpoints.” The networking giant said it does not use SolarWinds solutions for monitoring or managing its enterprise network, and it had found no evidence that its offers or products were impacted, or that any customer data was exposed as a result of the incident.

Microsoft also confirmed detecting the malicious SolarWinds binaries on its own systems last week, but claimed it found no evidence that its systems were abused to target others. The tech giant reported identifying over 40 customers that were targeted by the threat group.

According to SolarWinds, up to 18,000 of its customers may be impacted and the list of known victims continues to grow.

Researchers reported last week that they had found evidence suggesting that the attackers penetrated SolarWinds systems at least one year before the breach was discovered.

Shortly after the SolarWinds breach came to light, several people said the attack seemed to be the work of Russian cyberspies, which U.S. Secretary of State Mike Pompeo appeared to confirm on Friday. However, President Donald Trump suggested on Saturday that it may have been China, not Russia.

Related: NATO Checking Systems After US Cyberattack

Related: Hacked Networks Will Need to be Burned ‘Down to the Ground’

Related: Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.