#CISA SolarWinds update#
Thursday’s alert cited four versions of the SolarWinds Orion Platform, but clearly noted that the attackers are using other unidentified initial infection vectors. “The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” the alert said. The agency is investigating incidents in which victims report similar attack methods that don’t leverage SolarWinds Orion or where the software was present but not actively exploited. CISA’s update comes after cybersecurity firm Volexity said earlier this week that it has observed a compromise of a U.S.-based think tank using a Duo multi-factor authentication bypass in Outlook Web App as an initial intrusion vector.
These attacks began as early as March, according to CISA. Targets included cybersecurity firm FireEye, the U.S. Commerce and Treasury departments and other U.S. organizations. Those events prompted CISA to issue an emergency directive to mitigate the attacks, calling on all federal civilian agencies to review networks for indications of a compromise and disconnect or power down the Orion platform immediately. An accompanying social media post read: “Review new Alert on the #APT campaign against federal agencies & critical infrastructure, providing updated affected product versions, IOCs, ATT&CK® techniques, and mitigation steps.”
#CISA SolarWinds code#
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is aware of other attack methods on the IT supply chain in addition to the known malware that infected SolarWinds’ Orion IT management platform. In an alert issued Thursday, the agency said it “has evidence of additional initial access vectors, other than the SolarWinds Orion platform however these are still being investigated.” CISA will update the alert once new information becomes available. On Sunday, SolarWinds disclosed that its Orion platform was compromised with malicious code via an update that essentially allowed attackers believed to be backed by a foreign government – purportedly Russia – to gain access to victim networks. In a report published on December 28, Microsoft said the threat actor's primary goal was to gain access to cloud-hosted infrastructure, which in many cases was the company's own Azure and Microsoft 365 environments. Once the threat actors gained access to internal networks or cloud infrastructure, CISA said, the hackers, believed to be Russian in origin, escalated access to gain administrator rights and then moved to forge authentication tokens (OAuth) that allowed them to access other local or cloud-hosted resources inside a company's network without needing to provide valid credentials or solve multi-factor authentication challenges.
#CISA SolarWinds password#
The US Cybersecurity and Infrastructure Security Agency (CISA) said today that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn't always rely on trojanized updates as its initial access vector.
The new developments come as CISA said last month in its initial advisory on the SolarWinds incident that it was investigating cases where the SolarWinds hackers breached targets that didn't run the SolarWinds Orion software. While no details were provided at the time, in an update to its original advisory posted this week, CISA said it finally confirmed that the SolarWinds hackers also relied on password guessing and password spraying as initial access vectors. "CISA incident response investigations have identified that initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services," the agency said on Wednesday.
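As an added example (not from CISA's advisory or the article), a minimal check a defender can run over authentication logs to pick out the password-spraying shape CISA describes: many distinct accounts, a few failures each, from one source, followed by a success. The log line format, the field names and the thresholds are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (format assumed): one source fails once each
# against many accounts and then succeeds; the other hammers one account.
SAMPLE_LOG = """\
2020-12-16T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-12-16T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2020-12-16T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2020-12-16T10:00:07Z src=203.0.113.7 user=dave result=FAIL
2020-12-16T10:00:09Z src=203.0.113.7 user=erin result=FAIL
2020-12-16T10:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2020-12-16T10:00:20Z src=198.51.100.9 user=alice result=FAIL
2020-12-16T10:00:25Z src=198.51.100.9 user=alice result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_events(text):
    """Yield (timestamp, source, user, succeeded) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip lines that do not match the assumed format
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"


def detect_spraying(text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each spraying source to the sorted accounts it failed against.
    Spraying is the inverse of brute force: inside one window a source fails
    against at least min_users accounts, at most max_per_user times each."""
    failures = defaultdict(list)
    for ts, src, user, ok in parse_events(text):
        if not ok:
            failures[src].append((ts, user))
    hits = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window start
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


def sprayed_then_succeeded(text, **kwargs):
    """Spraying sources that also logged a success: triage these first."""
    successes = {src for _, src, _, ok in parse_events(text) if ok}
    return sorted(detect_spraying(text, **kwargs).keys() & successes)
```

On the constructed log, only 203.0.113.7 matches the spraying shape and it also produced a success, so it is the one source to investigate first.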