Andrew Morris, the founder of GreyNoise Intelligence, said in a tweet that he had just downloaded "the infected installer from the SolarWinds website and extracted the installer/various CABs and found that the backdoor'd DLL is definitely still contained in the installer on the website literally right now".
Morris is the second person to note that SolarWinds has not removed the malicious DLL from its site.
Hmm not to be a wet blanket or anything but I literally just downloaded the infected installer from the Solarwinds website and extracted the installer/various CABs and found that the backdoor'd DLL is definitely still contained in the installer on the website literally right now pic.twitter.com/4ijMJr54WK— Andrew Morris (@Andrew___Morris) December 14, 2020
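The check Morris describes, extracting an installer and looking for a known-bad DLL inside it, is something any defender can script once the indicator hashes from a vendor or incident-response advisory are in hand. The following is an added example, not code from the original article or from any of the people quoted in it: it walks a directory of already-extracted installer contents (the CAB/MSP unpacking step itself is left to a tool such as cabextract or 7-Zip), hashes each binary with SHA-256 and reports any file whose hash is on a known-bad list. The hash list and the file names in the demo are constructed placeholders; real indicators come from the advisory, not from this page.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder indicator set. A real deployment would load the
# SHA-256 values published in the vendor / FireEye advisory here.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-BACKDOORED-DLL-CONTENT").hexdigest(): "constructed-bad-dll",
}

# File types worth hashing inside an extracted installer tree (assumption).
BINARY_SUFFIXES = (".dll", ".exe", ".msp", ".msi", ".cab")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_extracted_tree(root, bad=KNOWN_BAD_SHA256, suffixes=BINARY_SUFFIXES):
    """Walk an extracted installer directory and return a list of
    (relative_path, sha256, label) tuples for every file whose hash is in `bad`.
    An empty list means no known-bad binary was found; it does not prove the
    package is clean, only that it matches none of the supplied indicators."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_of(p)
            if digest in bad:
                hits.append((str(p.relative_to(root)), digest, bad[digest]))
    return hits


def demo():
    """Build a constructed extracted-installer tree in a temp directory
    (one benign DLL, one file matching the placeholder indicator) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Core").mkdir()
        (root / "Core" / "benign.dll").write_bytes(b"harmless library")
        (root / "Core" / "example.dll").write_bytes(b"CONSTRUCTED-BACKDOORED-DLL-CONTENT")
        (root / "readme.txt").write_bytes(b"not a binary, skipped")
        return scan_extracted_tree(root)


if __name__ == "__main__":
    for rel, digest, label in demo():
        print(f"MATCH {label}: {rel} sha256={digest}")
```

Run it against the directory produced by unpacking the downloaded MSP and its CABs; a non-empty result means the package still ships a binary on the indicator list, which is exactly the situation the tweets above describe.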
Earlier, Kyle Hanslovan, the chief executive of Huntress Labs, another security firm, tweeted that SolarWinds had yet to revoke the digital certificate it had used to sign the backdoored DLL.
This DLL contained a backdoor that communicated with third-party servers over HTTP.
On Monday AEDT, security firm FireEye, which last week disclosed a breach in which its attack tools were stolen, said it had identified a global campaign to compromise public and private sector bodies by corrupting software supply chains, using software that runs on Windows.
Chief executive Kevin Mandia said the compromise was executed through the Orion network monitoring product sold by SolarWinds.
Hanslovan wrote: "The full compromised package is still being hosted online as well", and highlighted the compromised binary.
The full compromised package is still being hosted online as well ? hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp pic.twitter.com/E1lWZKvk05— Kyle Hanslovan (@KyleHanslovan) December 14, 2020
Vinoth Kumar, who describes himself as a part-time bounty hunter who had pointed to another security lapse linked to SolarWinds, retweeted Hanslovan's tweet, adding, "And they still had the malicious binaries on the download portal until today."
The malicious binary which was available for download well after the global intrusions using it were publicised by FireEye. Courtesy Kyle Hanslovan