Thousands of SolarWinds Orion implementations remain exposed to dangerous cyberattacks

Despite the disastrous consequences of the SolarWinds supply chain attack, thousands of organizations around the world still run SolarWinds Orion implementations exposed on the Internet, without any mechanism in place to prevent a similar attack from recurring, according to a report by the risk analysis firm RiskRecon.

As you may remember, a few months ago a group of threat actors allegedly sponsored by the Russian government compromised SolarWinds systems and used that illegitimate access to distribute a malicious update carrying the Sunburst malware, which was received by at least 18,000 organizations using the SolarWinds Orion monitoring solution.

As if that were not enough, a second cybercriminal group allegedly linked to the Chinese government managed to access SolarWinds’ computer networks to deliver a malware variant identified as Supernova. This attack required privileged access to the networks, in addition to the exploitation of a zero-day vulnerability in Orion, which has since been patched.

At the time the report was published, RiskRecon experts had detected at least 1,330 organizations running an Orion implementation exposed on the Internet. Considering that 1,780 implementations were exposed at the time of the attack, specialists believe that much remains to be done to mitigate possible follow-on incidents.

RiskRecon’s analysis also notes that about 4% of these organizations still run versions of Orion containing the Sunburst code, and that they also lack the patches needed to prevent exploitation by Supernova. This condition affects all kinds of organizations, including government agencies, academic institutions, web hosting providers and even some Fortune 500 companies.

Moreover, a Microsoft report signed by its legal director Brad Smith confirms the statements of a U.S. intelligence agent, who claimed that more than a thousand Russian hackers participated at some point in this attack: “When analyzing the problem, we wondered how many software engineers might have worked on this project. We believe that more than a thousand hackers must have worked on it; for our part, we are working with a group of 500 engineers fully dedicated to analyzing the supply chain compromise.”

The Microsoft official also notes that the threat actors created about 4,000 lines of code that were eventually delivered to SolarWinds Orion customers: “It’s no exaggeration to say that this could be the most ambitious cyberattack ever identified,” Smith concludes.