SolarWinds: Less Than a Hundred Customers Infected Via Backdoor


Fewer than a hundred SolarWinds customers have been infected with additional malware through the backdoor in the company's software, the company said in an update on the supply chain attack filed with the US stock market regulator, the SEC, and in a blog post.


SolarWinds announced last December that attackers had had undetected access to the company's systems for months. That access allowed updates for the Orion software to be shipped with a backdoor. About 18,000 organizations downloaded the infected updates. Through the contaminated updates, additional malware could subsequently be installed; this happened with a select group of victims.


According to SolarWinds, this concerns fewer than 100 of the company's customers, but an exact number is not given. Among the 18,000 customers who downloaded the compromised updates are two large groups that could not be further infected, because the backdoor was unable to communicate with the attackers' command and control server.


These are customers who ultimately did not install the downloaded version, and customers who installed the update on a server without Internet access. In a third group of customers, whose infected servers did communicate with the attackers, DNS data shows that the backdoor was used for further attacks against only a small number of customers.
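The grouping described above, by whether a backdoored server could reach the command and control server, is something a defender can reproduce from their own DNS query logs. The following is an added example, not code from the article or from SolarWinds: it parses a constructed, simplified query-log format (timestamp, client IP, queried name, response code) and sorts hosts into those whose C2 lookups were answered, those that attempted lookups that never resolved (for instance a server without Internet access), and those that never queried the C2 domain at all. The C2 domain suffix is a placeholder, because the article does not name the attackers' domain.

```python
"""Triage backdoor beaconing from DNS query logs (added example).

Assumptions (not from the article): a one-line-per-query log format of
`timestamp client_ip qname rcode`, and a placeholder C2 domain suffix.
"""
from collections import defaultdict

# Placeholder for the attackers' C2 domain; the real domain is not given in the article.
C2_DOMAIN_SUFFIX = ".c2-placeholder.example"

# Constructed sample log lines: one host beacons successfully, one tries but
# never gets an answer (no path to the Internet), one never queries the C2 at all.
SAMPLE_DNS_LOG = """\
2020-06-01T10:00:01Z 10.0.1.5 k3x9a1.sub.c2-placeholder.example NOERROR
2020-06-01T10:00:31Z 10.0.1.5 k3x9a1.sub.c2-placeholder.example NOERROR
2020-06-01T10:05:00Z 10.0.2.9 p7q2zz.sub.c2-placeholder.example SERVFAIL
2020-06-01T10:07:00Z 10.0.3.3 www.example.com NOERROR
2020-06-01T11:00:00Z 10.0.2.9 p7q2zz.sub.c2-placeholder.example SERVFAIL
2020-06-01T11:02:00Z 10.0.3.3 updates.example.net NOERROR
"""


def parse_dns_log(text):
    """Parse the constructed log format into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # do not let one bad line abort the whole triage
        ts, client, qname, rcode = parts
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
            "rcode": rcode.upper(),
        })
    return records


def classify_hosts(records, suffix=C2_DOMAIN_SUFFIX):
    """Return {client_ip: status}, where status is one of:
    'beaconed'  - at least one C2 query was answered (NOERROR): backdoor reached C2
    'attempted' - C2 queries were seen but none resolved: no usable path out
    'clean'     - the host never queried the C2 domain
    """
    status = {}
    for r in records:
        client = r["client"]
        status.setdefault(client, "clean")
        if not r["qname"].endswith(suffix):
            continue
        if r["rcode"] == "NOERROR":
            status[client] = "beaconed"
        elif status[client] != "beaconed":
            status[client] = "attempted"
    return status


def summarize(status):
    """Count hosts per status, so the three groups can be compared at a glance."""
    counts = defaultdict(int)
    for s in status.values():
        counts[s] += 1
    return dict(counts)


if __name__ == "__main__":
    by_host = classify_hosts(parse_dns_log(SAMPLE_DNS_LOG))
    for host, s in sorted(by_host.items()):
        print(f"{host:12} {s}")
    print(summarize(by_host))
```

Hosts in the `beaconed` group are the ones to prioritise for forensic review, since only there could a second-stage payload have been delivered; `attempted` hosts still ran the backdoored build and need patching, but the log shows the implant never got an answer.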


SolarWinds also reports that the attackers did not modify the source code. The backdoor was injected within the build environment of the SolarWinds Orion platform. The first test of code injection took place in October 2019; the actual backdoor was first injected in March 2020. It also appears that the attackers stole source code from both the Orion platform and other SolarWinds software. Data from the customer portal may also have been stolen.


The attackers also managed to gain access to the email accounts of certain employees. These accounts contain information about former and current employees and customers of the company. How and when the attackers managed to gain access to the SolarWinds environment is still unknown.
