As most experts predicted last month, the fallout from the SolarWinds supply chain attack keeps growing as companies find the time to audit their internal networks and DNS logs.
This week, four more cyber-security vendors, Mimecast, Palo Alto Networks, Qualys, and Fidelis, added their names to the list of companies that installed trojanized versions of the SolarWinds Orion app.
Mimecast hack linked to SolarWinds software
The most important of this week’s announcements came from Mimecast, a vendor of email security products.
Two weeks ago, the company disclosed a major security breach during which hackers broke into its network and abused a digital certificate, which one of its security products uses to connect to Microsoft 365, to access the Microsoft 365 accounts of some of its customers.
In an update on its blog today, Mimecast said it linked this incident to a trojanized SolarWinds Orion app installed on its network.
The company has now confirmed that the SolarWinds hackers are the ones who abused its certificate to go after Mimecast’s customers.
Palo Alto Networks discloses Sep & Oct 2020 incidents
Another major security vendor that came forward to disclose a SolarWinds-related incident was Palo Alto Networks, a vendor of cyber-security software and network equipment.
Speaking to Forbes investigative reporter Thomas Brewster this week, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software.
“Our Security Operation Center […] immediately isolated the server, initiated an investigation and verified our infrastructure was secure,” Palo Alto Networks told Forbes on Monday.
However, the company said it investigated the two breaches as separate, isolated incidents and did not detect the broader supply chain attack, which was spotted only months later, when the hackers breached fellow security vendor FireEye.
Palo Alto Networks said the investigation into the September and October SolarWinds-linked intrusions didn’t yield much and concluded that “the attempted attack was unsuccessful and no data was compromised.”
Qualys: It was only a test system
But the Forbes report also cited the findings of Erik Hjelmvik, founder of network security company Netresec, who published a report on Monday listing 23 additional victim domains. Hjelmvik decoded them from the DGA-generated subdomains that the SolarWinds backdoor beaconed to, and the DNS responses to those beacons showed which infected networks the attackers had deemed high value and selected for second-stage payloads.
Two of these 23 entries decoded to “corp.qualys.com,” suggesting that cybersecurity auditing giant Qualys might have been targeted by the attackers.
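The audit the article keeps coming back to, searching DNS logs for the backdoor's beacons and for the responses that marked a host as selected for stage two, is easy to script. The block below is an added example, not code from the article, from Netresec, or from any vendor named here. It uses the publicly documented SUNBURST command-and-control domain avsvmcloud.com and a small subset of the second-stage domains FireEye published in December 2020 (an assumption that this subset is enough for a demo; check current indicator lists before relying on it). The log layout, hosts, timestamps and beacon labels are all constructed for the example.

```python
"""Triage DNS logs for SUNBURST beaconing and second-stage selection.

Added example, not code from the article or from any vendor it names.
The log format is a constructed, simplified "ts src qname atype answer"
layout for this demo, not a real vendor format. The indicator domains are
a subset of the SUNBURST indicators FireEye published in December 2020.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Public SUNBURST indicators (assumption: this subset suffices for the demo).
SUNBURST_DGA_DOMAIN = "avsvmcloud.com"
SECOND_STAGE_DOMAINS = frozenset({
    "freescanonline.com",
    "deftsecurity.com",
    "thedoccloud.com",
    "websitetheme.com",
    "highdatabase.com",
})


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    qname: str
    atype: str
    answer: str
    verdict: str


def _under(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or a subdomain of it."""
    return qname == domain or qname.endswith("." + domain)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; None for blanks, comments or bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, qname, atype, answer = fields
    return {"ts": ts, "src": src, "qname": qname.lower().rstrip("."),
            "atype": atype.upper(), "answer": answer.lower().rstrip(".")}


def classify(rec: dict) -> Optional[str]:
    """Return a verdict for SUNBURST-related records, else None.

    A query under avsvmcloud.com is the backdoor's DGA beacon. A CNAME answer
    to such a beacon is how the operators steered a chosen host to a
    second-stage C2 domain; an A-record answer left the host idle.
    """
    qname = rec["qname"]
    if _under(qname, SUNBURST_DGA_DOMAIN):
        if rec["atype"] == "CNAME":
            return "beacon answered with CNAME: host selected for second stage"
        return "beacon answered with A record: host not selected"
    if any(_under(qname, d) for d in SECOND_STAGE_DOMAINS):
        return "contact with known second-stage C2 domain"
    return None


def triage(lines: Iterable[str]) -> list[Hit]:
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            hits.append(Hit(rec["ts"], rec["src"], rec["qname"],
                            rec["atype"], rec["answer"], verdict))
    return hits


def selected_hosts(lines: Iterable[str]) -> set[str]:
    """Sources whose beacon got a CNAME, i.e. hosts picked for stage two."""
    return {h.src for h in triage(lines)
            if h.atype == "CNAME" and _under(h.qname, SUNBURST_DGA_DOMAIN)}


# Constructed sample log (hypothetical hosts, timestamps and beacon labels).
SAMPLE_LOG = """
# ts                 src          qname                                                   atype  answer
2020-06-02T03:14:09Z 10.1.20.7    kt3pqtdgomgt6bmerj2.appsync-api.eu-west-1.avsvmcloud.com CNAME  freescanonline.com
2020-06-02T03:15:41Z 10.1.20.7    freescanonline.com                                      A      203.0.113.44
2020-06-02T04:02:55Z 10.1.40.12   r1q5blhbh55l4cf3.appsync-api.us-west-2.avsvmcloud.com    A      192.0.2.1
2020-06-02T04:03:10Z 10.1.40.12   updates.example.org                                     A      198.51.100.9
""".splitlines()


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h.ts} {h.src:<12} {h.qname:<58} {h.verdict}")
    print("hosts to escalate:", sorted(selected_hosts(SAMPLE_LOG)))
```

Run against real resolver or passive-DNS exports after adapting parse_line() to the local format. The point of splitting the verdicts is triage priority: a host whose beacon drew a CNAME, or that later resolved a second-stage domain, deserves a full incident response, while a host that only ever got A records was infected but, as far as DNS shows, never handed off to the operators.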
However, in a statement to Forbes, Qualys said that the intrusion was not as big as it appears, claiming that its engineers installed a trojanized version of the SolarWinds Orion app inside a lab environment for testing purposes, separate from its primary network.
A subsequent investigation did not find any evidence of further malicious activity or data exfiltration, Qualys said.
However, some security researchers are not buying the company’s statement. The backdoor encodes the infected host’s own domain name into its beacons, so a host reporting “corp.qualys.com” was joined to the corporate domain; that, the researchers argue, points to the hackers reaching Qualys’ primary network rather than an isolated laboratory environment, as the company claims.
Fidelis also discloses second-stage targeting
The fourth and latest major disclosure came today from Fidelis Cybersecurity in the form of a blog post from the company’s CISO, Chris Kubic.
The Fidelis exec said they, too, had installed a trojanized version of the SolarWinds Orion app in May 2020 as part of a “software evaluation.”
“The software installation was traced to a machine configured as a test system, isolated from our core network, and infrequently powered on,” Kubic said.
Fidelis said that despite efforts from the attacker to escalate their access inside the Fidelis internal network, the company believes that the test system was “sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack.”
This week’s disclosures bring the total number of cyber-security vendors targeted by the SolarWinds hackers to eight. Previous disclosures came from FireEye (initial intrusion which uncovered the entire SolarWinds supply chain attack in the first place), Microsoft (intruders accessed some of the company’s source code), CrowdStrike (failed intrusion), and Malwarebytes (attackers accessed some of the company’s email accounts).