China Also Linked to Second Wave SolarWinds Attacks

 The news surrounding the SolarWinds attack just keeps on coming in different forms. This time China is linked to a separate attack using SolarWinds vulnerabilities.

What Happened?

As the story unfolds further, Data Breach Today has uncovered additional information linking Chinese hackers to a subsequent attack used in the supply chain hit.

FireEye discovered the original SolarWinds data breach in December 2020. As a victim, FireEye lost penetration testing tools in the attack. As threat assessors uncovered more information, the victim count reached more than 18,000 SolarWinds customers.

The initial attack made news, but then there was talk about a follow-up attack that threat responders nicknamed "Sunburst." This second wave's victims included tech firms like Microsoft and government agencies such as the U.S. government's Commerce, Energy, Homeland Security, Justice, Labor, State, and Treasury departments.

Cybersecurity researchers have speculated that Russian hacker gangs are behind a lot of the attacks. However, last week Reuters reported that they found evidence that Chinese operatives were used to hack government agencies using the SolarWinds backdoor.

Data Breach Today cited Trustwave SpiderLabs security research manager Martin Rakhmanov with discovering three major security flaws in the SolarWinds Orion system. They are:

• " SolarWinds Orion platform vulnerability (CVE-2021-25274): Thanks to the use of the outdated Microsoft Message Queue functionality, unauthenticated users can send messages allowing them to take full control of a system.
• SolarWinds Orion Platform vulnerability (CVE-2021-25275): Due to this database security flaw, Rakhmanov says, "unprivileged users who can log in to the box locally or via remote desktop protocol will be able to run decrypting code and get a cleartext password" for account holders, gain complete control of an Orion database, and add themselves as an admin user.
• SolarWinds Serv-U FTP vulnerability (CVE-2021-25276): Any authenticated Windows user can create an account with unlimited privileges."

Was China Working with Russia?

Data Breach Today explains "Specifically, two unnamed individuals with knowledge of the FBI's investigation have told Reuters that infrastructure and hacking tools previously used by Chinese attackers were used to exploit SolarWinds and penetrate multiple targets, including the U.S. Department of Agriculture's federal payroll agency, the National Finance Center."

They continued with "While that might sound relatively innocuous, the NFC is a U.S. government  shared service center  for the Office of Personnel Management, stating on its website that it 'now services more than 160 diverse agencies, providing payroll services to more than 600,000 federal employees.'"

The concern is that one of these government agencies handles payroll for government employees holding social security numbers, names, addresses, and banking information putting those federal employees at serious risk of fraud or identity theft.

Another reason experts suspect China is that they were responsible for the major data breach and hack of the Office of Personnel Management (OPM) in 2015, affecting millions of government employees. This latest hack would indicate a pattern.

The Second Wave of Attacks

Data Breach Today expands on this thought with "On the SolarWinds front, the U.S. government has been warning since December 2020 that the second group of hackers also appeared to have been exploiting flaws in the Orion software. But this is the first time that China has been named.

Reuters reports that unlike the Russian operation, which involved planting Sunburst in the  SolarWinds software development build pipeline, the allegedly Chinese hackers instead first penetrated victims' networks, and then used an unspecified flaw in SolarWinds software to help them move across the victim's network."

Although SolarWinds has not commented on this latest news, they did issue an urgent warning to all customers to upgrade their software for all SolarWinds Orion devices and have been working closely with cybersecurity experts and law enforcement to find those responsible.

As of now, there are four known vulnerabilities and different incidents that took place as part of the SolarWinds supply chain attack.