Four security vendors disclose SolarWinds-related incidents

Mimecast, Palo Alto Networks, Qualys, and Fidelis confirmed this week they were also targeted during the SolarWinds supply chain attack.
Written by Catalin Cimpanu, Contributor
file photo

As most experts predicted last month, the fallout from the SolarWinds supply chain attack is getting bigger as time passes by, and companies had the time to audit internal networks and DNS logs.

This week, four new cyber-security vendors -- Mimecast, Qualys, Palo Alto Networks, and Fidelis -- have added their names to the list of companies that have installed trojanized versions of the SolarWinds Orion app.

Mimecast hack linked to SolarWinds software

The most important of this week's announcements came from Mimecast, a vendor of email security products.

Two weeks ago, the company disclosed a major security breach during which hackers broke into its network and used digital certificates used by one of its security products to access the Microsoft 365 accounts of some of its customers.

In an update on its blog today, Mimecast said it linked this incident to a trojanized SolarWinds Orion app installed on its network.

The company has now confirmed that the SolarWinds hackers are the ones who abused its certificate to go after Mimecast's customers.

Qualys: It was only a test system

A second cyber-security company breached during the SolarWinds supply chain attack also came to light this week in a Forbes article that covered the research work of Erik Hjelmvik, founder of network security company Netresec, who published on Monday a report detailing 23 new domains that were used by the SolarWinds hackers to deploy second-stage payloads into infected networks they deemed as high value.

Two of these 23 new domains were "corp.qualys.com," suggesting that cybersecurity auditing giant Qualys might have been targeted by the attackers.

However, in a statement to Forbes, Qualys said that the intrusion was not as big as it appears, claiming that its engineers installed a trojanized version of the SolarWinds Orion app inside a lab environment for testing purposes, separate from its primary network.

A subsequent investigation did not find any evidence of further malicious activity or data exfiltration, Qualys said.

But despite Qualys' statement, some security researchers are not buying the company's wording, suggesting that the "corp.qualys.com" domain hinted that hackers accessed its primary network and not a laboratory environment, as the company claimed.

Palo Alto Networks discloses Sep & Oct 2020 incidents

Another major security vendor who came forward to disclose a SolarWinds-related incident was Palo Alto Networks, a vendor of cyber-security software and network equipment.

In a blog post, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software installations.

"Our Security Operation Center [...] immediately isolated the server, initiated an investigation, and verified our infrastructure was secure," Palo Alto Networks explained.

However, the company said that at the time it investigated each of the breaches as separate incidents and didn't detect the broader supply chain attack.

Its investigation into last year's September and October intrusions concluded that "the attempted attack was unsuccessful and no data was compromised."

Fidelis also discloses second-stage targeting

The fourth and latest major disclosure came today from Fidelis Cybersecurity in the form of a blog post from the company's CISO, Chris Kubic.

The Fidelis exec said they, too, had installed a trojanized version of the SolarWinds Orion app in May 2020 as part of a "software evaluation."

"The software installation was traced to a machine configured as a test system, isolated from our core network, and infrequently powered on," Kubic said.

Fidelis said that despite efforts from the attacker to escalate their access inside the Fidelis internal network, the company believes that the test system was "sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack."

This week's disclosures bring the total number of cyber-security vendors targeted by the SolarWinds hackers to eight. Previous disclosures came from FireEye (initial intrusion which uncovered the entire SolarWinds supply chain attack in the first place), Microsoft (intruders accessed some of the company's source code), CrowdStrike (failed intrusion), and Malwarebytes (attackers accessed some of the company's email accounts).

Editorial standards