Subj : US government sues SolarWinds for security failings To : All From : TechnologyDaily Date : Tue Oct 31 2023 15:15:05 US government sues SolarWinds for security failings Date: Tue, 31 Oct 2023 15:03:48 +0000 Description: The SEC claims SolarWinds knew it was vulnerable months before being targeted by hackers. FULL STORY ====================================================================== Three years after the major cyber-incident at SolarWinds, the US Securities and Exchange Commission (SEC) is suing the firm. In the lawsuit, the government agency alleges that the company and its executive staff knew their systems security was an utter disaster for months, if not years before the data breach incident. However, instead of notifying investors and users, they kept the information for themselves and even tried to convince everyone the firms assets were secure. Worries over Orion "We allege that, for years, SolarWinds and Brown (SolarWinds CISO Timothy G. Brown), ignored repeated red flags about SolarWinds' cyber risks, which were well known throughout the company and led one of Brown's subordinates to conclude: 'We're so far from being a security minded company,'" said Gurbir S. Grewal, the head of SEC's Division of Enforcement. "Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information." Brown also worried that someone could use Orion in future attacks, because the organizations backend systems werent resilient, the SEC claims. In an ironic twist of fate, it was exactly Orion that was used to deliver highly destructive malware to numerous organizations around the world. Back in 2020, a Russian hacking organization known as APT29 breached SolarWinds, discovered a patch for Orion that was in the works, and compromised it with malicious code. Once SolarWinds pushed the update to its clients, most of them were infected. According to a BleepingComputer report, APT29 is linked to the Russian Foreign Intelligence Service (SVR) hacking division. Commenting on the news, the companys President and CEO, Sudhakar Ramakrishna, said the lawsuit is alarming, and that the SECs behavior is misguided and an improper enforcement action. "We made a deliberate choice to speakcandidly and frequentlywith the goal of sharing what we learned to help others become more secure. We partnered closely with the government and encouraged other companies to be more open about security by sharing information and best practices, he was cited as saying. "Unfounded" accusations "The SEC's charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security." A subsequent company statement added that the charges are unfounded and that theyll put American national security at risk. The SECs determination to manufacture a claim against us and our CISO is another example of the agencys overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments. More from TechRadar Pro US government, thousands of businesses now thought to have been affected by SolarWinds security attack Here's a list of the best firewalls today These are the best malware removal tools around ====================================================================== Link to news story: https://www.techradar.com/pro/security/us-government-sues-solarwinds-for-secur ity-failings --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .