Solarwinds - Supply Chain Hack

We use SolarwindsMSP which is like, the cheaper version, and N-Able - not affected as far as I can tell.
 
Mega6 yes, not yet, but from what we do know, the facts so far are that it is a dll, it is only Orion on-prem so far, and also whatever comes from their M365 being compromised. Unless they update their hosted cloud platform from the same repos they use for customers on prem....then cloud should not be affected via this specific method, but we do not know that either.
 
The cloud is as secure as Windows or Linux or your Intel or AMD hardware. The people, processes, and technology around what you do with any of that stuff is what leads to security. No silver bullet exists - i.e. "let's move to the cloud" for security. People move to the cloud so they can have elastic workloads, economies of scale, and because the whole damn country has been in semi-lockdown for 8 months+ and the server monkeys can't go into data centers.
 
Yeah I get it, a dll with a backdoor on Orion which is not cloud, but I also get "we do not know..." - That's my point.
 
that's one portion of solarwinds. it's an on-premises based solution for application and infra monitoring. you clearly have no idea about it. I have first hand experience, over a decade, using the tool.
It looks like Microsoft uses the tool and they ARE a Cloud provider. We can only assume everything Microsoft has been compromised without any confirmation of the extent of the damage.
 
Cloud is just someone else's server. That Cloud provider will still have people going to the data center
 
There is no known extent to the hack. The update portal for Solarwinds has been compromised for the better part of the whole year. This opened the door for any actors to put whatever payloads in any applications, then compromise any system which received those payloads on the client end. Their Orion product just happens to be the first shown exploit.
 
It is going to be a fun couple weeks.....

You wonder how many of their customers who have to spend time and resources rebuilding will be sending Solarwinds a big fat bill for them to pay for it..

https://krebsonsecurity.com/2020/12...e-depts-hacked-through-solarwinds-compromise/

Oh how convenient, Dominion Software is not listed.

Before the company answered subpoena;

And after they removed it before going to testify:

Yeah we've been busted so let's fabricate an extensive "we've been hacked" story. Too bad federal supercomputers data collected everything in advance.
 
I mean they said less ~18k customers downloaded the compromised version.

They’ve only listed the federal agencies that have self reported as downloading the compromised version. So still plenty of enterprises pwned.
 
I personally know of 2 other large companies that were compromised by the hack after speaking with a few industry peers and vendors. However, they haven't gone public about it so I cannot comment. (also, I'm an InfraGard contributor and NITSL/USA member)
 
Can we not take this the conspiracy theory route? Attribution to Russia (as everyone seems to think it is them) is near impossible. So attributing election fraud and all kinds of other things is even more far fetched.

Just know - because of the nature of this compromise the bad actors were able to collect data and likely move laterally - SolarWinds is just the start point. Any conspiracy theory for one side can easily be used the same way for the other side, because whoever did this can use the info to develop influence campaigns in social media, inform the media anonymously, etc. etc. - just so many things that can be done.
 
It seems the attackers weren't that sophisticated after all.


https://savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/

So they just walked in through the front door. That level of capability is not limited to APTs.
[FYI - be careful on the sources that you trust and be sure to read into what they're saying - they use words like "possible" and source random twitter users. I have not seen this validated yet by any security researchers...that said, it could easily be true and does not make this hack any more simple - this is just the breach component]

Getting in is often the easiest part thanks to simple shit like lack of patching or social engineering. The persistence is the challenge and these guys exfil'd data (and more) for 8 months before discovery...and it is highly unlikely it was just data.

Internet Pearl Harbor shit right here. Not a good look for the current admin.
 


OMG. Their password was solarwinds123

How does this happen? How utterly incompetent can an enterprise network solutions provider be?

If they can't even get this right, they deserve every bit of business loss they get out of this thing.
 
You wouldn't believe some of the passwords major cyber security vendors use. It isn't just SolarWinds. I see it first hand when I have to work with some of them.. some of the passwords are even hard coded into an executable with dependencies, so you have to recompile programs or modify database server backends to change passwords. It's a leftover from their legacy implementations 15+ years ago that never have updated the core underlying source code. I've seen some that even use 3 and 4 digit numerical passcodes instead of actual passwords.
 
I worked at a telecom. They left the web certs password as default. Hacked of course.
 

Jesus Christ.

At the very least the people who have to use those passwords on a semi-regular basis should be aware this isn't good, and report it up the chain until it gets fixed.

It's one thing if you are logging into some stupid shit like Animal Crossing or something like that. It's something different altogether if your software is deeply integrated with large companies around the world, and if it gets pwned, they might get pwned too.

I still say this is inexcusable.

If anything, this is a motivation to go all open source, and ditch all the "appliances in a box". I have no idea why IT departments keep buying that garbage. It is always slower, more expensive and less secure to - say - get a Sonicwall box, than it is to just run a pfSense box. IMHO, whenever possible, always pass on specialized "solution in a box, with hardware", and use your own server instead.
 
I've submitted CR fixes and bug reports for years to the vendors.. they just get closed saying they'll fix it in the next major product version, which it never does.
 

ugh. There's a "You had one job" joke in here somewhere....
 
The thing about passwords is users have to remember them. Complex password requirements with double-digit characters seem great to people trying to prevent brute force password hacks. Telling people not to reuse passwords sounds good. In reality they fail because the user has to, you know, USE the system and needs to remember that password plus 8 others for work, plus 30 others for daily life (one for every streaming service, shopping website, bank account, credit card, gaming service, utility bill, mortgage/rent, ad nauseam). I'd like to think I'm pretty smart and can remember a lot of stuff, but that's fucking impossible.

The organization I work for adopted the NIST password requirements of 15+ characters, at least 1 capital letter, 1 lower case letter, 1 number, and 1 special character. Then NIST realized "You know what? That's fucking ridiculous and unusable" and dropped their password recommendations. I still have to remember 15 character passwords.
 

It is easy to use complex passwords if you manage it properly, either through the use of an encrypted password vault, or through synchronizing password requirements and expiration dates across all systems a user needs to use.

Where it becomes impossible to keep track of is when you have 16 different systems, some of which you only have to use once every couple of months, all of which have different requirements for password length, upper lower case, numbers, and special characters, and they all expire after different intervals. A password manager helps here, but even with one, it becomes difficult.

It's 2020. In our connected age you can't just ignore password best practices just because it is hard. Having strong passwords is the bare minimum.

It's also difficult to design a boat that can stay afloat and not sink. That doesn't mean we just don't do it and let the boat sink to the bottom.

There are some things you just can't ignore no matter how difficult they are because they take you down if you don't. Password strengths and data security are increasingly one of those.

We need to get to the point where as an economy people who can't keep track of strong passwords or avoid phishing attacks need to be fired and relegated to flipping burgers or something. These things are too important to have them screw it up. We need to get to the point where we have weekly pentests and if you wind up being that weakest link that fails, you pack your bags, you are out of here. I don't care if you are the CEO or some executive.
 
As if there is any good reason to use SolarWinds in 2020, this is just the icing on the cake.

Started the new gig 6 months ago and the first project was ripping Orion out.

Good riddance.
 
what does this have to do with the cloud specifically?
I mean the very first paragraph in Solarwinds security advisory...
SolarWinds has been made aware of a cyberattack to our systems that inserted a vulnerability within our SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.
Now I don't have a decade's worth of firsthand experience, but I don't think the hackers are coming to the premises to pick up a print-out of the compromised info.
 
This company and board are toast.

"The Washington Post reported Tuesday that top investors in SolarWinds sold millions of dollars in stock in the days before the intrusion was revealed. SolarWinds’s stock price has fallen more than 20 percent in the past few days. The Post cited former enforcement officials at the U.S. Securities and Exchange Commission (SEC) saying the sales were likely to prompt an insider trading investigation."
 
Yeah, the sheer scale and breadth of the attack will make a lot of powerful people/entities want justice. You don't piss off the people with the money and the power. If it was one of us - yeah, slap on the wrist if they stole from us or leaked our data (hello: Equifax).
 