The US Department of Justice has joined the list of federal agencies that have fallen victim to a vulnerability in the SolarWinds Orion network management platform.
“On December 24, 2020, the Office of the Chief Information Officer (OCIO) of the Department of Justice became aware of previously unknown malicious activity related to the global SolarWinds incident, which affected, among others, several federal agencies and technology contractors,” the Department said in a statement. “This activity provided access to the Department’s Microsoft O365 email environment.
“Upon learning of the malicious activity, OCIO eliminated the identified method by which the attacker gained access to the O365 email environment. At the moment, the number of potentially accessible O365 mailboxes is limited to about three percent, and we have no evidence that any secret systems have been affected.”
Under federal law governing government information systems, this is considered a “serious incident,” the statement said.
In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned on Wednesday that it is considering the possibility that the attacker linked to the recent incidents not only used Orion as an entry point, but also abused Security Assertion Markup Language (SAML) tokens. “CISA continues to work to confirm the initial access vectors and identify any changes in tactics, techniques and procedures (TTPs),” the statement said.
There are cases where initial access was obtained by password guessing, password spraying, and improperly protected administrator credentials accessed through external remote access services.
Since its use in cyberattacks became known in December, investigators have discovered two vulnerabilities in Orion. It is unclear whether the same attacker is responsible for both. Earlier this week, four U.S. law enforcement and intelligence agencies said that an advanced persistent threat (APT) actor, “likely of Russian origin,” is responsible for most or all of the recently discovered and ongoing cyber compromises of both government and non-government networks.
U.S. federal agencies that have publicly acknowledged being exposed through Orion’s vulnerabilities include the Departments of the Treasury, Commerce, Health and Human Services, Homeland Security, Energy and State, the Cybersecurity and Infrastructure Security Agency, and the National Nuclear Security Administration. According to ZDNet, the governments of three states were also affected, as well as the city of Austin, Texas, and a number of technology companies, including Microsoft and Cisco Systems.
Enter JetBrains
An investigation is also underway following several news reports that software from a Czech Republic-based technology company called JetBrains, which makes a widely used software development tool called TeamCity, could have been used to infiltrate SolarWinds’ infrastructure or used separately to attack other organizations. An article in the New York Times notes that JetBrains has a research laboratory in Russia. One of its clients is SolarWinds.
In a statement, JetBrains CEO Maxim Shafirov said his company “did not participate in this attack in any way. SolarWinds is one of our clients and uses TeamCity, a continuous integration and deployment system used as part of software development. SolarWinds has not contacted us or provided any details regarding the breach, and the only information we have is what has become publicly available. It is important to emphasize that TeamCity is a complex product that requires proper configuration. If TeamCity was somehow used in this process, it may well have been due to a misconfiguration rather than a specific vulnerability.”
He added that JetBrains has not been contacted by any government or security agency about recent cyber attacks.