SolarWinds - Supply Chain Hack

Joined
Apr 29, 2002
Messages
2,463
"SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform."


https://www.solarwinds.com/securityadvisory
 

carlbme

[H]ard|Gawd
Joined
Aug 17, 2001
Messages
1,230
Yup, been a shitty day at work. But I guess I'm happy I don't work at more of the higher profile places.
 

Insomniator

Limp Gawd
Joined
Dec 3, 2010
Messages
228
Yeah, we upgraded our version today, and will apply the second patch ASAP after it's available.

Rebuilding or blocking traffic to all hosts is not a realistic option for many operations.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,548
What does SolarWinds do? I tried googling, but all I found was some high level description of monitoring. Nothing detailed enough to make sense of it.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,783
It is going to be a fun couple weeks.....

You wonder how many of their customers who have to spend time and resources rebuilding will be sending SolarWinds a big fat bill for them to pay for it..

https://krebsonsecurity.com/2020/12...e-depts-hacked-through-solarwinds-compromise/



In response to the intrusions at Treasury and Commerce, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks.

“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” CISA advised.

A blog post by Microsoft says the attackers were able to add malicious code to software updates provided by SolarWinds for Orion users. “This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials,” Microsoft wrote.

From there, the attackers would be able to forge single sign-on tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts on the network.

“Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application,” Microsoft explained.

Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.
 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,613
Zarathustra[H] said: "What does SolarWinds do? I tried googling, but all I found was some high level description of monitoring. Nothing detailed enough to make sense of it."

Device Health and Performance Management (DHPM) - think things like SNMP, ICMP checks - "host up/down?" at a basic level - but they get down to CPU utilization, memory utilization, disk space, etc. (SNMP or agent-based) - so you can get ahead of issues before they become issues.
 

Raekwon

2[H]4U
Joined
Nov 29, 2001
Messages
2,051
Yeah this was not fun to hear about last night. Thankfully we are behind on patching. Going to catch up this week though. Just had to wait for the non-Trojanized hotfix.
 

carlbme

[H]ard|Gawd
Joined
Aug 17, 2001
Messages
1,230
Yeah, first calls were last night. Patch immediately. Scan for signs of intrusion. End of day today the leadership came down and said they no longer have faith in the patching. So nuke everything and rebuild with the version that is said to be good. It's going to be a long few days.
 

jfreund

[H]ard|Gawd
Joined
Sep 3, 2006
Messages
1,150
Is this related to the Intel hack a few months ago that leaked a bunch of their IME code?
 
Joined
Apr 11, 2017
Messages
818
no. compromised DLL in SolarWinds update back in March. Probably the most massive cyber attack in history.
Yep, Lots of HIGH profile companies apparently use SolarWinds, and I think SolarWinds is primarily like a device performance monitor but on a massive scale, they probably have other RMM tools too.
Anything that can get that kind of sensitive/important info needs to be super secured.
Hackers with that info can now make even more targeted attacks now that they know every detail about every server in each company's environment...
If Hackers indeed have this info, expect lots of hacks in the very near future, like this week....
 

4saken

[H]F Junkie
Joined
Sep 14, 2004
Messages
11,406
Yep, Lots of HIGH profile companies apparently use SolarWinds, and I think SolarWinds is primarily like a device performance monitor but on a massive scale, they probably have other RMM tools too.
Anything that can get that kind of sensitive/important info needs to be super secured.
Hackers with that info can now make even more targeted attacks now that they know every detail about every server in each company's environment...
If Hackers indeed have this info, expect lots of hacks in the very near future, like this week....
Indeed, and even mid size enterprises and lower. I know lots of folks here probably never heard of SolarWinds before this week, but I can throw a stone in any direction and hit a company that has SolarWinds running to monitor their apps and infra. Insane how big this is.
 
Joined
Apr 22, 2011
Messages
639

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,783
Stryker7314 yup, but this is going to carry into 2021 for sure.

sk3tch it is more or less, but to empirically prove it is state sponsored and be able to go to war back... 10+ years ago i recall a show i was watching talking about how insecure the U.S's infrastructure was and how it would be an easy target if someone wanted to attack the U.S..... All of these cyber attacks over the last 2-3 years that you can read about every day was just the build up and testing the perimeter so to speak....this was a major attack...
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,720
MrGuvernment said: "Stryker7314 yup, but this is going to carry into 2021 for sure.

sk3tch it is more or less, but to empirically prove it is state sponsored and be able to go to war back... 10+ years ago i recall a show i was watching talking about how insecure the U.S's infrastructure was and how it would be an easy target if someone wanted to attack the U.S..... All of these cyber attacks over the last 2-3 years that you can read about every day was just the build up and testing the perimeter so to speak....this was a major attack..."

(sorry if double post :( )

Microsoft and Industry Partners Seize Key Domain Used In SolarWinds Hack

 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,613
MrGuvernment said: "Stryker7314 yup, but this is going to carry into 2021 for sure.

sk3tch it is more or less, but to empirically prove it is state sponsored and be able to go to war back... 10+ years ago i recall a show i was watching talking about how insecure the U.S's infrastructure was and how it would be an easy target if someone wanted to attack the U.S..... All of these cyber attacks over the last 2-3 years that you can read about every day was just the build up and testing the perimeter so to speak....this was a major attack..."

I don't think attribution is needed to call it a WW3 moment. The collateral damage is going to take place for months and years to come. It is just an absolute wreck of damage. Any cyber attack is not going to lead to physical warfare directly, but it will lead up to other elements (economic devastation, state secrets theft, blackmail, etc.) that will change the course of the world.


I mean, essentially U.S. gov't email was likely being read for most of 2020...nevermind a huge chunk of the Fortune 500...it just goes on and on and on.
 

etudiant

n00b
Joined
Jan 28, 2017
Messages
32
Anyone who has the skill to build this malware is surely also going to have more than one domain available as a backup. So this seizing of one domain is just more security kabuki.
The government sponsored hackers are smart.
Years ago, they hacked RSA, which made most of the key tokens for encrypting sensitive messages. They exfiltrated the core algorithms, which allowed these encryptions to be broken at scale easily.
Then they hacked the US Office of Personnel, which includes the career records of all government employees. That makes finding the spies easy, you have the career data and it includes confidential data which can be used to impersonate or suborn individuals of interest.
Now this larger scale penetration, over an extended period.
One might wonder whether the problem is that the government has so many secrets and classifications that it is impossible to plug all the holes, the attack surface is just too big.
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
24,622
no, 4saken is right. it affects their orion stuff, not that or the helpdesk software we use from them..
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,400
pendragon1 said: "no, 4saken is right. it affects their orion stuff, not that or the helpdesk software we use from them.."

fair enough my bad (for now). Let's wait a bit and see if more has been hacked. I don't think the full extent has been found yet.
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,400
A DLL, in an update back in March for SolarWinds Orion's ON-PREMISES platform, was the culprit. Period. Not sure what else you are going for?
Russians

Full implications of all compromised systems are not known.
 