News Insights: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources

News Insights:

Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer, now an SVP at KnowBe4, said, “It’s not surprising to see China — or any adversary with strong forensic and coding capabilities — working to discover and exploit flaws in any software that touches sensitive information such as payroll. SolarWinds released a patch in December to repair this vulnerability, which reinforces what we’ve said all along: patch your systems early and often.”

Tim Erlin, VP, product management and strategy at Tripwire, said, “This attack seems to be an example of more traditional vulnerability exploitation. The attackers discovered a vulnerability in the software an organization was running and exploited it. Their attack didn’t involve compromising the supply chain. While we’re all focused on the complexity of protecting against supply-chain attacks, it’s important to remember that there are still other software vulnerabilities out there that attackers might exploit. Unfortunately, we can’t shift our focus to the supply chain, we can only add it to the threat model as another avenue for attack to worry about.”