Suspected Chinese hackers exploited separate SolarWinds flaw.
Reuters reports that the FBI’s investigation of the SolarWinds supply chain attack is looking into evidence that Chinese threat actors successfully exploited a vulnerability in the company’s software to compromise the National Finance Center (NFC), a payroll system operated by the US Department of Agriculture. The flaw exploited in this case is different from the one used by suspected Russian actors to compromise SolarWinds' Orion software, although the exploitation took place within the same timeframe and also involved Orion. Reuters cites anonymous sources to the effect that "the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies."
SolarWinds told Reuters that it was aware of a single case involving a second group of hackers, but that the hackers abused the company's software only after they'd gained access to the network; the company said the attackers had initially gained access "in a way that was unrelated to SolarWinds." Likewise, Reuters' sources said the suspected Chinese hackers used the exploit to move laterally within networks they had already compromised.
Nextgov reports that the US Department of Agriculture is investigating, but has so far found no indication of such a breach. A USDA spokesperson told the publication, "In compliance with CISA’s emergency directive and to protect USDA systems, USDA notified customers in December that it had removed SolarWinds Orion products from its networks due to the SolarWinds compromise. While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center."
Acting US CISA Director Brandon Wales told a meeting of the National Association of Secretaries of State that the agency has found no evidence that SolarWinds vulnerabilities were exploited against election systems, Reuters' Chris Bing tweeted.
Trustwave has identified three additional vulnerabilities in SolarWinds products, one of which can lead to remote code execution with elevated privileges. Trustwave stated, "To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any 'in the wild' attacks. However, given the criticality of these issues, we recommend that affected users patch as soon as possible. We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch but we will post an update to this blog that includes the PoC code on Feb. 9."