For several months now, the US has been exposed to an unprecedented level of cyberattack, largely caused by a security breach in SolarWinds’ Orion software. A few days ago, Trustwave announced that it had discovered three more “critical” vulnerabilities in SolarWinds software. They were likely never exploited, but they highlight how exposed the company remains.

Three new flaws discovered at SolarWinds

According to the Wall Street Journal, the hackers reportedly broke into the Orion software in October 2019, so the intrusion dates back almost a year and a half. While this cyberattack is already widely regarded as the most significant of the 21st century, another cybersecurity company, Trustwave, has just made a disturbing discovery. The weakness of SolarWinds’ Orion software was already apparent, but Trustwave has now pointed out three further serious flaws. Even if they were never exploited, such a discovery is hard to accept at this stage: SolarWinds should have used this time to strengthen its security.

According to Trustwave, SolarWinds has been notified of the vulnerabilities, which most likely would have allowed an attacker to compromise the infrastructure of other SolarWinds customers. No evidence was found that these flaws were being exploited. However, the findings raise new questions about the security of SolarWinds. The company continues to be the software provider for many government agencies around the world and for several large Fortune 500 companies.

Defense system tests must be carried out continuously

According to Trustwave, the potential harm had the flaws been exploited is difficult to quantify. In theory, it could have exposed the data of millions of consumers as well as classified information belonging to large companies and governments. Ziv Mador, VP at Trustwave and Head of Security Research, said: “We decided to try it out for ourselves to see how safe SolarWinds products are. In two weeks we found three critical security holes.”

Following these revelations, SolarWinds responded. A company spokesperson said: “Following the recent attack on a number of US software vendors, including SolarWinds, we have worked with our industry partners and government agencies to pursue our goal of making SolarWinds the most secure and reliable software company. We have always been committed to working with our customers and other organizations to responsibly identify and remedy any weaknesses in our product line.”

There is a lesson in this story: software providers should continuously subject their products to penetration tests. The vulnerabilities are too numerous, and hackers too well prepared to exploit them, for anything less. Ziv Mador of Trustwave added: “We find vulnerabilities in almost 100% of the applications we have tested. Some are serious, some are easy, but it’s the reality.” Trustwave will publish a proof of concept next week showing how the flaws could be exploited.