IT management software giant SolarWinds were the victims of what is believed to be one of the largest cyber attacks yet late last year, sending shivers down the spine of much of the tech world. The attackers compromised SolarWinds' Orion monitoring platform at the source, inserting a backdoor into legitimate Orion updates that were then delivered to unsuspecting users of the tool for several months.
Now, two months after the breach was discovered, an alarming number of SolarWinds customers still have vulnerable Orion servers exposed to the internet.
Risk assessment company RiskRecon reported that on 13 December 2020, just after the breach was made public, it observed over 1,700 organisations with public-facing Orion servers that could be vulnerable to attack. At the start of this month (February 2021), RiskRecon said the number had fallen to 1,330 exposed Orion servers, but only about 8% of those appeared to have applied the updates that would protect them from exploitation.
Some of those Orion instances were still running versions affected by both SUNBURST, the backdoor planted in the trojanized Orion updates, and SUPERNOVA, a separate web shell that exploited a flaw in Orion itself and came to light during the same investigation. RiskRecon reportedly found government agencies, universities and Fortune 500 companies among the organisations playing with fire by not updating Orion.
The largest and most sophisticated cyber attack to date?
The breach inevitably caught the attention of Microsoft, which analysed the hack, concluded that more than 1,000 engineers were likely involved in the attack, and attributed it to Russia (which denied any involvement).
Microsoft president Brad Smith said their analysis led them to believe that the SolarWinds breach was “the largest and most sophisticated attack the world has ever seen”.
“When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.” He added that over 500 Microsoft engineers had been involved in investigating the breach.
The extreme importance of applying updates
The breach shows how dangerous a software supply-chain attack can be: the malicious code arrived inside legitimate, vendor-signed Orion updates, so customers who installed them were doing exactly what good practice demands and had no way to tell the update was poisoned. This was not a zero-day in the usual sense of attackers exploiting an unknown flaw in deployed software; it was a compromise of the update channel itself. Once SolarWinds published clean releases, however, the picture inverted: the remedy was a patch, and every unpatched, internet-facing Orion server became a known, publicly documented target. Two further points matter for anyone running Orion. Applying the patch removes the backdoored component but does not undo anything the attackers did while it was active, so organisations that ran an affected build need to investigate, not just update. And a network-monitoring server that holds credentials for much of the estate has no business being reachable from the public internet in the first place, patched or not.
Around 400 fewer Orion servers are exposed than in December, a drop of a little under a quarter, but that still leaves roughly three-quarters of the original population public-facing, and with only 8% of them patched, most remain vulnerable to one or more publicly known exploits.
SolarWinds have seen customers fleeing their services and have suffered huge reputational damage on the back of the whole debacle. Other organisations would do well to learn the lessons of the past and ensure that an unpatched Orion server doesn’t lead them to become the next big data breach headline.