Hackers believed to be operating on behalf of a foreign government have breached software provider SolarWinds and then deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks, US security firm FireEye said today.
FireEye’s report comes after Reuters, the Washington Post, and Wall Street Journal reported on Sunday intrusions at the US Treasury Department and the US Department of Commerce’s National Telecommunications and Information Administration (NTIA).
The SolarWinds supply chain attack is also how hackers gained access to FireEye’s own network, which the company disclosed earlier this week.
The Washington Post cited sources claiming that multiple other government agencies were also impacted.
Reuters reported that the incident was considered so serious that it led to a rare meeting of the US National Security Council at the White House, a day earlier, on Saturday.
Sources speaking with the Washington Post linked the intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).
FireEye wouldn’t confirm the APT29 attribution and gave the group a neutral codename of UNC2452, although several sources in the cyber-security community told ZDNet the APT29 attribution, done by the US government, is most likely correct, based on current evidence.
In security alerts sent to its customers in private on Sunday, Microsoft also confirmed the SolarWinds compromise and provided countermeasures to customers that may have been affected.
Hackers deployed SUNBURST malware via Orion update
SolarWinds published a press release late on Sunday admitting to the breach of Orion, a software platform for centralized monitoring and management, usually employed in large networks to keep track of all IT resources, such as servers, workstations, mobiles, and IoT devices.
The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware.
FireEye named this malware SUNBURST and published a technical report earlier today, along with detection rules on GitHub.
Microsoft named the malware Solorigate and added detection rules to its Defender antivirus.
The number of victims was not disclosed.
Despite initial reports on Sunday, the hacking campaign doesn’t appear to have been targeted at the US specifically.
“The campaign is widespread, affecting public and private organizations around the world,” FireEye said.
“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals,” FireEye added.
SolarWinds said it plans to release a new update (2020.2.1 HF 2) on Tuesday, December 15, that “replaces the compromised component and provides several additional security enhancements.”
The US Cybersecurity and Infrastructure Agency (CISA) has also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.
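The article gives defenders two concrete facts to act on: the affected Orion update range (2019.4 through 2020.2.1) and the release that replaces the compromised component (2020.2.1 HF 2). The following script is an added example, not code from ZDNet, FireEye, SolarWinds or CISA. It parses SolarWinds-style version strings (“YYYY.M[.P][ HF n]”) and triages a constructed host inventory into affected, clean and unknown. The hostnames and version strings in the inventory are made up, and treating a 2020.2.1 build with a hotfix below HF 2 as affected is an assumption drawn from the article’s statement that HF 2 replaces the compromised component.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (year, minor, patch, hotfix)

# Range stated in the article: 2019.4 through 2020.2.1 are tainted.
AFFECTED_FROM: Version = (2019, 4, 0, 0)
# Article: 2020.2.1 HF 2 replaces the compromised component.
# Assumption: any 2020.2.1 build with hotfix < 2 is still affected.
FIXED_AT: Version = (2020, 2, 1, 2)

# Matches "2019.4", "2020.2.1", "2020.2.1 HF 2" (case-insensitive on "HF").
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> Optional[Version]:
    """Turn a version string into a comparable tuple; None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version falls in the tainted range, False if not,
    None if the string could not be parsed (needs manual review)."""
    version = parse_orion_version(text)
    if version is None:
        return None
    return AFFECTED_FROM <= version < FIXED_AT


# Constructed sample inventory (hostname, reported Orion version); not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mon-01.example.internal", "2019.4"),
    ("mon-02.example.internal", "2020.2.1 HF 1"),
    ("mon-03.example.internal", "2020.2.1 HF 2"),
    ("mon-04.example.internal", "2019.2"),
    ("mon-05.example.internal", "unknown"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts by whether their Orion version is in the affected range."""
    buckets: Dict[str, List[str]] = {"affected": [], "clean": [], "unknown": []}
    for host, version_text in inventory:
        status = is_affected(version_text)
        if status is None:
            buckets["unknown"].append(host)
        elif status:
            buckets["affected"].append(host)
        else:
            buckets["clean"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket should be checked by hand rather than assumed clean; a version string that does not parse is exactly the kind of gap an inventory system tends to hide.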
Update 23:45 ET to add the information about the Microsoft and CISA security alerts.
Businesses in China should brace themselves for a potential spike in smishing attacks and identity theft, following reports that the personal data of 1 billion residents in the country has been put up for sale online. If legitimate, the massive data breach can result in phone swapping or other identity fraud activities, which can impact a Chinese user’s social credit scoring.
Hackers claiming to have access to databases containing the data had offered the information for sale on an online forum, which specialised in the trading of stolen databases. Priced at 10 Bitcoins ($197,376) for 24TB worth of data, the personal details included date and place of birth, national identification number, residential address, and mobile number. The hackers claimed the data came from the Shanghai National Police and offered a sample dump. A report from Wall Street Journal said the details of at least nine residents from this sample were confirmed to be legitimate.
According to data security vendor Acronis, the data sample contained three categories of information comprising the resident’s personal data file, phone location data or address and phone number, and police incident or criminal case registry. For the latter, information such as location of the crime and brief incident description appeared to be leaked, Acronis’ co-founder and technology president Stas Protassov told ZDNet. Most of the criminal case information involved minor incidents and descriptions of the scene, including “a fight” at a specific location in Zhujing Town and minor road incidents.
Protassov noted that these police records referred to people involved in the incidents, which could be damaging to them. He added that the compromised data could be used to personalise future attacks, such as spear phishing, or to commit fraud using the identity of the victims. He urged organisations and individuals to be on the lookout for fraudulent activities and malicious email or text messages.
Asked if the data breach could have greater impact in China, where the use of some services required registration based on personal information, Protassov said it was unlikely the compromised data on its own could result in hackers taking over such services. However, he warned that it could lead to phone swapping or other identity theft activities that could negatively impact a Chinese user’s scoring on social media platforms.
Operators of apps that provide news, instant messaging, and other related services in China must require their users to register based on their mobile and identification card numbers. Users who refuse to do so or who use fraudulent identification data cannot be permitted to use the app. China operates a social credit system that aims to track and assess the trustworthiness of a person, company, and government agency. Each is tagged with a social credit score that is evaluated against various data sources, such as financial, government, and criminal records. The system is undergoing further refinement by the government.
Protassov said while news of data leaks were common, this breach was unique due to its volume. According to Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich, the significant size of the compromised data indicated a high likelihood cybercriminals might use the information to launch phishing and spear-phishing attacks. With the leaked data encompassing mobile numbers, Shykevich said businesses in China should be prepared for a potential wave of smishing or SMS phishing attacks.
He added that the online forum touting the sale of the data also peddled other databases from China, including a courier database with 66 million user records that were allegedly stolen from ShunFeng Express in 2020, and data from driving schools in the country.
A tweet from Binance CEO Changpeng Zhao suggested the latest data breach was the result of a government employee posting a tech blog on Chinese Software Developer Network that accidentally included user credentials. Without access to the log files, Protassov said it was impossible to confirm the attack vector. Based on the ID format, he surmised it was likely an Elasticsearch dump, but it was unclear whether the breach was due to leaked credentials or poorly configured systems. “Such data leaks most commonly happen when someone leaves unauthenticated Elastic instance available on the internet,” he added.