SolarWinds says hackers used a zero-day flaw for ‘targeted attacks’ in a new breach
The federal contractor at the heart of a cyber-espionage campaign that caused months of consternation throughout the U.S. government says hackers have struck again.
SolarWinds says an attacker leveraged a software vulnerability in a company product to carry out “limited, targeted attacks.” The unknown hacker used a zero-day flaw in SolarWinds’ Serv-U Managed File Transfer and Serv-U Secure FTP, which are used to transmit data, to target an unknown number of the firm’s customers. Such access would have allowed hackers to install programs; view, manipulate or delete data; or run their own software on an affected system, SolarWinds said in an advisory.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” the company statement added. “SolarWinds is unaware of the identity of the potentially affected customers.”
The breach appears to be unrelated to the data breach at SolarWinds uncovered last year, in which suspected state-sponsored Russian hackers exploited SolarWinds’ technology to gain access to an array of victims. By leveraging a seemingly legitimate software update, the hacking group known as Cozy Bear allegedly accessed data from the U.S. departments of Treasury, Homeland Security, Justice and six others.
The U.S. Securities and Exchange Commission reportedly is investigating whether American companies also affected by that hack failed to report their vulnerability.
In the months since the security vendor FireEye revealed the breach, SolarWinds’ CEO has testified in front of Congress and made a number of public appearances explaining the circumstances. While security personnel initially suggested that attackers first breached SolarWinds in September or October 2019, the firm “recently” learned that intruders may have had access to SolarWinds systems dating back to January 2019, said CEO Sudhakar Ramakrishna.
In its most recent disclosure, SolarWinds says it and Microsoft addressed the matter quickly, adding that it will release more details as victims are notified.