SolarWinds issued a security advisory providing detailed information on steps customers should take in response to the continuing attack on the company’s widely used Orion IT management system—and confirming that two separate pieces of malware are now corrupting some installations.
The company has previously said that close to 18,000 organizations could have been vulnerable as a result of malware inserted into Orion software updates earlier this year.
As SolarWinds explains in the advisory, issued Thursday, the original cyberattack inserts a vulnerability—now known as Sunburst—into the Orion software. That attack, the company said, “could potentially allow an attacker to compromise the server on which the Orion products run.”
“This attack was a very sophisticated supply chain attack … with a goal of being able to attack subsequent users of the software,” the company said. “In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.”
It is widely believed that the attack came from Russian security services.
SolarWinds noted that over the last few days, third parties have discovered another piece of malware, now referred to as Supernova. “Based on our investigation, this malware could be deployed through an exploitation of a vulnerability in the Orion Platform,” the company said. According to news reports, security researchers do not think Supernova is related to the suspected Russian-created Sunburst attack.
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency noted in an alert this week that the attack has created vulnerabilities not only for U.S. government agencies, but also for state and local governments, as well as “critical infrastructure entities and other private sector organizations.”
The alert warned that “this threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked.” It said organizations should prioritize measures to address the threat.
SolarWinds shares have fallen about 30% since the disclosure of the attack. Near midday on Thursday, the stock was down 1.2%, to $15.82.
Meanwhile, investors are taking profits in shares of the security-breach remediation firm FireEye.
FireEye itself is a SolarWinds customer, and first disclosed the breach, saying it had suffered a significant cyberattack. The stock initially wavered, but the shares have skyrocketed since, rallying 70% over the last four trading days.
Near midday, the shares were off 7.8%, to $22.16. A week ago, the stock closed at $14.38.
The SolarWinds incident has generated growing investor interest in cybersecurity stocks. The First Trust NASDAQ Cybersecurity exchange-traded fund (CIBR) is up about 16% since the hack was made public two weeks ago.
Write to Eric J. Savitz at firstname.lastname@example.org