Cisco hacked through SolarWinds as tech casualties mount
Internal machines used by Cisco researchers were compromised via SolarWinds as the impact of the colossal hacking campaign on the tech sector becomes apparent, Bloomberg reported.
Roughly two dozen computers in a Cisco lab were compromised through malicious updates to SolarWinds’ Orion network monitoring platform, Bloomberg reported, citing a person familiar with the incident. The San Jose, Calif.-based networking giant told CRN its security team moved quickly to address the issue, and that there is currently no known impact to Cisco offerings or products.
“While Cisco does not use SolarWinds Orion for its enterprise network management or monitoring, we have identified and mitigated affected software in a small number of lab environments and a limited number of employee endpoints,” Cisco said in a statement. “We continue to investigate all aspects of this evolving situation with the highest priority.”
Network management and monitoring software is a core part of Cisco’s own product line, and such tools directly inspect the data traffic moving through a network, Bloomberg noted. Access to that traffic flow could give a malicious actor multiple avenues to cause harm, according to Bloomberg. A monitoring platform is also a natural pivot point for a practitioner to worry about: to do its job it typically holds privileged credentials for the devices it polls, so a compromised monitoring host can expose the network devices themselves, not only the traffic statistics. Cisco told CRN there is no evidence at this time that customer data has been exposed as a result of the compromise.
The company did not respond to CRN questions about the number of machines affected or who in the organization was using them. Cisco is the third tech vendor to be publicly ensnared in the fallout from the SolarWinds hack in the past 24 hours, following Microsoft and VMware.
Reuters reported late Thursday that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN Thursday that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged that the software giant had “detected malicious SolarWinds binaries” in its environment.
Then Friday afternoon, KrebsOnSecurity reported that a VMware vulnerability allowing abuse of federated authentication (the single sign-on trust between an identity provider and the applications that rely on it) and access to protected data was used by the SolarWinds hackers to attack high-value targets. VMware told CRN Friday that it had received no notification or indication that this vulnerability “was used in conjunction with the SolarWinds supply chain compromise.”
FireEye put the state-sponsored hacking campaign in the public consciousness Dec. 8 when the company disclosed that it had been breached in an attack designed to gain information on some of the company’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently did not exfiltrate data from the company’s primary systems, which store customer information.
After FireEye, the next several organizations to be publicly identified as victims of the SolarWinds hack were all federal agencies, including the U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce, according to reports from Reuters and others.
Contrary to public perception at the time, Microsoft President Brad Smith disclosed Thursday that a decisive plurality, 44 percent, of the company’s customers compromised through SolarWinds are actually in the IT sector, which includes software and security firms as well as IT services and equipment providers.
Some 18 percent of the compromised Microsoft customers are government agencies, another 18 percent are think tanks or non-governmental organizations (NGOs), and 9 percent are government contractors, according to Smith. He said that more than 40 Microsoft customers were precisely targeted and compromised through SolarWinds Orion, roughly 80 percent of whom are located in the United States.