The fallout from the SolarWinds Orion hack continues with some shareholders filing a class-action lawsuit against executives alleging they were misled about the security of the company, and a warning that the breach could endanger the cloud applications of Orion users.
The caution to cloud users comes from Tel Aviv-based Ermetic Ltd. The firm argued in a blog post that users who deploy a version of the Orion network management platform with an infected update in the cloud could be at risk because it would have privileged access to certain management functions.
There are three risks: Orion databases may store AWS and Azure API keys, Ermetic said, which if accessed could enable an attacker to take over and compromise these accounts. If deployed on AWS or Azure, Orion may also have root API keys, which could enable an attacker to have full admin privileges to the account that Orion is deployed on. Finally, Orion requires access to an identity and access management (IAM) identity, Ermetic argues, which could be compromised.
To mitigate these risks Ermetic recommends organizations that have deployed infected versions of Orion to treat all stored credentials as compromised and rotate them. Cloud security researcher Rob Fuller has released SolarFlare, an open-source tool for generating a full list of the credentials in an Orion database.
If a cloud-based Orion deployment has asked for root API Keys to the AWS/Azure accounts, then a manual review of each identity and resource to determine the extent of exposure is necessary. And to meet the problem that Orion needs access to an IAM identity, verify it has limited permissions only. If you decide to suspend your use of Orion, says Ermtic, remove that identity altogether or, at the very least, revoke its privileges.
Other risks
Organizations around the world that use Orion are still scouring their environments after the discovery last month that a sophisticated hacker had compromised updates to the platform last spring allowing the installation of a backdoor. Of the estimated 33,000 Orion users, 18,000 downloaded the infected updates.
In addition to that compromise, Palo Alto Networks has identified a second vulnerability in Orion.
Meanwhile, SC Magazine reports that some stockholders who bought shares between February 24 and December 15, 2020, have launched a class-action lawsuit in Texas against SolarWinds and some of its top executives. Class actions have to be certified by a judge before going ahead. The claim alleges that while in public documents company said it has incurred “significant expenses to prevent security breaches,” it knew or should have known its update server had “an easily accessible password of ‘solarwinds123’”, and that since the middle of 2020 Orion had a vulnerability.
The allegations have not been proven in a court of law.