What you ought to know about the recent SolarWinds exploit
In basic terms, organizations rely on a single entry point from which they manage their networks and information technology systems, including computers. Consider system updates on your cell phone. Most users simply install these updates when they’re available, because they come from Apple, Samsung and the like, and are therefore trusted.
Imagine if an attacker could impersonate Apple. This person writes a piece of malicious software that does bad things to your phone, but—and this is crucial—they are able to “sign” it with a secret code that is only meant to be known to Apple, in effect identifying it as a legitimate update.
The attacker then loads the malicious software on an update server, and your phone automatically goes off, downloads it, and installs it. There’s usually strict verification in place to check these files and make sure they’re authentic before they’re installed. But remember, the attacker has found a way to impersonate Apple and your phone can’t tell the difference, so it ends up being installed.
To be clear: this is intended to simplify the issue for a layman—it is not an example that actually occurred at Apple.
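To make the analogy concrete, here is an added example (not from the original post, and not SolarWinds’ or Apple’s code) using a constructed vendor signing key: a valid signature only proves that whoever held the key signed the file, so a second, independent check such as a published build hash is what catches a malicious update signed with a misused key. The `VENDOR_SECRET` value and the update contents are constructed for illustration.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed vendor signing secret: in the analogy, the "secret code" only the
# vendor is supposed to know. An attacker who controls the signing step can use it too.
VENDOR_SECRET = b"constructed-vendor-signing-key"


def sign_update(update: bytes, key: bytes = VENDOR_SECRET) -> bytes:
    """Vendor's signing step: tag the update with an HMAC over its contents."""
    return hmac.new(key, update, hashlib.sha256).digest()


def signature_is_valid(update: bytes, tag: bytes, key: bytes = VENDOR_SECRET) -> bool:
    """The phone's verification step: accept only if the tag matches the key."""
    return hmac.compare_digest(sign_update(update, key), tag)


def build_hash(update: bytes) -> str:
    """Hash of the update as built independently of the signing pipeline."""
    return hashlib.sha256(update).hexdigest()


def should_install(update: bytes, tag: bytes, expected_hash: str) -> Tuple[bool, str]:
    """Defender's check: require BOTH a valid signature AND a match against the
    independently published build hash. Returns (decision, reason)."""
    if not signature_is_valid(update, tag):
        return False, "signature invalid"
    if build_hash(update) != expected_hash:
        return False, "signature valid but contents differ from published build"
    return True, "ok"


# Constructed sample updates: the real one and a tampered copy.
LEGIT_UPDATE = b"v2.0: security fixes"
MALICIOUS_UPDATE = LEGIT_UPDATE + b"\n[malicious addition]"

# The vendor signs the real update and publishes its hash out of band.
LEGIT_TAG = sign_update(LEGIT_UPDATE)
PUBLISHED_HASH = build_hash(LEGIT_UPDATE)

# The impersonator signs the tampered update with the same key: the signature
# check alone cannot tell the two apart, but the hash check can.
MALICIOUS_TAG = sign_update(MALICIOUS_UPDATE)

if __name__ == "__main__":
    for name, upd, tag in [("legit", LEGIT_UPDATE, LEGIT_TAG),
                           ("malicious", MALICIOUS_UPDATE, MALICIOUS_TAG)]:
        print(name, "signature valid:", signature_is_valid(upd, tag),
              "decision:", should_install(upd, tag, PUBLISHED_HASH))
```

The expected hash only helps if it comes from a build the attacker could not influence, such as an independent reproducible build, since a compromised build pipeline can tamper with the contents before they are signed.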
It happened to a company called SolarWinds. They produce a piece of software used by governments and organizations to identify what is going on inside their networks (including ‘friendly’ hacking tools to test their security). Because that software was compromised, there’s a small possibility that some of their data (and yours, by extension) was stolen by third parties.
Once loaded, the software went through a list of checks to make sure it was running in an actual enterprise network and not on an end-user’s machine. It then told the attackers it had infected these networks, and a second phase of the malicious software was activated. This phase allowed the execution of a lengthy list of functions and capabilities, often with high-level administrator privileges, enabling the attackers to do almost anything within the network.
With this access to all the computers on the network, the software can pull data which could be a major source of intelligence.
In short, it’s bad and we’re not really sure how bad. It is concerning mostly because the company that makes the SolarWinds software is an IT security firm, and not usually the target of such an attack. There’s really nothing you as an end-user can do about it.
For more current and detailed information, take a look at Microsoft’s blog.