Thursday, November 02, 2023

 

CRIMINAL CAPITALI$M

SEC sues SolarWinds, CISO for fraud and security failures

The firm allegedly misled investors about its cybersecurity practices and vulnerabilities

clock• 
SEC sues SolarWinds, CISO for fraud and security failures
Image: 

SEC sues SolarWinds, CISO for fraud and security failures

SolarWinds Corporation, the IT firm at the centre of one of the most significant cyber espionage incidents in history, is now facing legal action from the US Securities and Exchange Commission (SEC).

The agency has filed a lawsuit alleging fraud and a lack of adequate internal controls by SolarWinds leading up to the notorious cyberattack in 2020.

The SEC's lawsuit, filed on Monday, also names the company's Chief Information Security Officer (CISO), Timothy Brown, accusing him of ignoring "repeated red flags about SolarWinds' cyber risks, which were well known throughout the company."

The Sunburst attack, which sent shockwaves through the cybersecurity community in 2020, compromised SolarWinds customers, including several US federal agencies, through a malicious code implanted within an Orion software update.

This breach was first detected by cybersecurity firm FireEye, which was also impacted, alongside other technology companies like Microsoft.

Microsoft attributed the attack to a Russian nation-state group known as Nobelium.

The full extent of the breach, often concealed behind layers of classification, remains unclear.

SolarWinds went public in 2018 and, according to the SEC complaint, the company and its CISO misled investors about the firm's cybersecurity practices, known risks and vulnerabilities, creating a false image of the company's security posture.

The complaint alleges that SolarWinds and Brown were aware of the company's weak cybersecurity practices. The SEC pointed to an internal presentation made by Brown in the same month SolarWinds went public, in which he expressed concerns about the "vulnerable state" of the company's security.

The presentation noted that the company's cybersecurity was "not very secure" and that exploiting the vulnerability could lead to "major reputation and financial loss" for the company.

In June 2020, during an inquiry into a cyberattack targeting a SolarWinds client, Brown wrote that it was "very concerning" that the threat actors might use SolarWinds' Orion software for larger attacks.

Another internal document from September 2020 revealed that the number of security issues had exceeded the engineering team's ability to address them.

The SEC's official charges against SolarWinds include violations of reporting and internal controls provisions of the Exchange Act.

The watchdog has said it is seeking "permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown."

Its complaint points out that threat actors have been increasingly attacking VPNs to gain remote access. The agency mentioned that the attackers behind the Sunburst attack initially accessed SolarWinds' systems through a VPN vulnerability.

It asserts that SolarWinds would have faced charges for its security practices even without the Sunburst breach.

SolarWinds has rejected the SEC's allegations, expressing its intention to fight the charges in court.

A spokesperson for SolarWinds referred to the SEC charges as "unfounded" and expressed concern about the potential implications for national security. The spokesperson emphasised the company's commitment to clarifying the situation in court and continuing to support its customers.

Brown's attorney, Alec Koch, stated, "Mr Brown has worked tirelessly and responsibly to continuously improve the company's cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC's complaint."

No comments: