Editor's note: After Reuters published its story, a different USDA representative told the publication "there was no data breach related to SolarWinds."
In a statement to Cybersecurity Dive, the USDA said it followed CISA's emergency directive to remove SolarWinds Orion products from its systems in December. "While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center," the spokesperson said.
Dive Brief:
- Three additional severe bugs related to SolarWinds were uncovered by cybersecurity firm Trustwave on Wednesday. Two vulnerabilities pertained to the Orion platform and one was found in the SolarWinds Serv-U FTP for Windows.
- SolarWinds is aware of the bugs and released patches. Trustwave did not publish its proof of concept to allow time for patching, though it plans on releasing it on Feb. 9. There is currently no evidence to suggest the vulnerabilities were exploited, and they are unrelated to the recent hack.
- On Tuesday, Reuters reported China-based actors exploited a SolarWinds flaw in 2020 to gain access to federal agencies. The initial Reuters story said the hack breached the National Finance Center (NFC), the federal payroll agency within the U.S. Department of Agriculture, but a subsequent statement said "there was no data breach related to SolarWinds" at the agency.
Dive Insight:
Federal investigators waited until January to attribute the SolarWinds hack, saying the perpetrators were "likely Russian." The addition of Chinese actors leveraging SolarWinds, in a manner unrelated to the Russian hack, highlights how attractive a target SolarWinds is for adversaries.
SolarWinds is not the only company abused by the foreign actors behind the hack. FireEye, Mimecast and Malwarebytes all found evidence of highly sophisticated nation-state activity in their systems. In December, Microsoft estimated 44% of the hack's targets were in the information technology sector. Government agencies accounted for 18% of the targets.
So far security firms have uncovered at least four strains of malware related to the initial SolarWinds hack. The cyber campaign spurred a massive industry-wide investigation, leading to further discoveries like Trustwave's.
The most critical of the new flaws is CVE-2021-25274 in the Orion platform, which allows bad actors remote code execution with high privileges, according to Trustwave. In the other Orion vulnerability, CVE-2021-25275, SolarWinds credentials were stored insecurely, which allows any user of any privilege level to commandeer the Orion database.
The focus for companies has been on mitigation and patching the early exploits in Orion. The discovery of new flaws could potentially grant bad actors roundabout access, without having to use the original means of entry. "These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system," Trustwave said.
In the aftermath of the hack, SolarWinds brought on former Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs and Alex Stamos, former Facebook and Yahoo security chief, as independent consultants.
Industry experts expect to find additional companies and supply chains leveraged in relation to the SolarWinds hack. Federal agencies say the hack is likely part of a cyber espionage campaign, which is historically difficult to detect.
Cyber espionage campaigns move "low and slow" to infiltrate highly protected environments. Compared to average breaches, which take minutes to execute, espionage breaches take days in order to avoid detection.