A piece of malware called Raindrop has been found in some networks compromised by the SolarWinds attackers.
CISA has found several initial access vectors used by the SolarWinds attackers, including abusing legitimate accounts and forging SAML tokens.
The number of SolarWinds Orion servers online has been rising over the past week, possibly a result of misconfigurations as customers work to patch after the breach.
The SolarWinds attackers had access to some Microsoft source code repositories, but did not have the ability to change them, the company said.
CISA said the attackers behind the SolarWinds compromise used other infection vectors to access some victims' networks.