pendragon1
Extremely [H]
- Joined
- Oct 7, 2000
- Messages
- 62,200
Last edited:
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Solarwinds - Supply Chain Hack
- Thread starter That_Sound_Guy
- Start date
What some conspiracy theory now? Everyone and their mother suspects Russia via APT29/SVR ie Cosy Bear.
pendragon1
Extremely [H]
- Joined
- Oct 7, 2000
- Messages
- 62,200
go to the thread in soapbox.
I don't have a key to that hole.
pendragon1
Extremely [H]
- Joined
- Oct 7, 2000
- Messages
- 62,200
get a sub, its $5 and supports the site.
MavericK
Zero Cool
- Joined
- Sep 2, 2004
- Messages
- 32,385
We use SolarwindsMSP which is like, the cheaper version, and N-Able - not affected as far as I can tell.
MrGuvernment
Fully [H]
- Joined
- Aug 3, 2004
- Messages
- 22,366
Mega6 yes, not yet but from what we do know, the facts so far is that, it is a dll, it is only Orion on -prem so far and also what ever comes from their M365 being compromised. Unless they update their hosted cloud platform from the same repo's they use for customers on prem....then cloud should not be affected via this specific method, but we do not know that either.
The cloud is as secure as Windows or Linux or your Intel or AMD hardware. The people, processes, and technology around what you do with any of that stuff is what leads to security. No silver bullet exists - i.e. "let's move to the cloud" for security. People move to the cloud so they can have elastic workloads, economies of scale, and because the whole damn country has been in semi-lockdown for 8 months+ and the server monkeys can't go into data centers.
Yeah i get it a ddll with a backdoor on orion which is not clould but I also get "we do not know..." - That's my point.
Rockenrooster
Gawd
- Joined
- Apr 11, 2017
- Messages
- 957
It looks like like Microsoft uses the tool and they ARE a Cloud provider. We can only assume everything Microsoft has been compromised without any confirmation of the extent of the damage
Rockenrooster
Gawd
- Joined
- Apr 11, 2017
- Messages
- 957
Cloud is just someone else's server. That Cloud provider will still have people going to the data center
YeuEmMaiMai
Extremely [H]
- Joined
- Jun 11, 2004
- Messages
- 35,246
dang they got the Subaru information....
w1retap
[H]F Junkie
- Joined
- Jul 17, 2006
- Messages
- 13,867
There is no known extent to the hack. The update portal for Solarwinds has been compromised for the better part of the whole year. This opened the door for any actors to put whatever payloads in any applications, then compromise any system which recieved those payloads on the client end. Their Orion product just happens to be the first shown exploit.
Oh how convienent, Dominion Software is not listed.
Before the company answered subpoena;
And after they removed it before going to testify:
Yeah weve been busted so.lets fabricate an extensive "weve been hacked" story. Too bad federal supercomputers data collected everything in advance.
Last edited:
w1retap
[H]F Junkie
- Joined
- Jul 17, 2006
- Messages
- 13,867
I personally know of 2 other large companies that were compromised by the hack after speaking with a few industry peers and vendors. However, they haven't gone public about it so I cannot comment. (also, I'm an InfraGard contributor and NITSL/USA member)
Can we not take this the conspiracy theory route? Attribution to Russia (as everyone seems to think it is them) is near impossible. So attributing election fraud and all kinds of other things is even more far fetched.
Just know - because of the nature of this compromise the bad actors were able to collect data and likely move laterally - SolarWinds is just the start point. Any conspiracy theory for one side, can easily be used the same way for the other side because whoever did this can use the info to develop influence campaigns in social media, info the media anonymously, etc. etc. - just so many things that can be done.
Just know - because of the nature of this compromise the bad actors were able to collect data and likely move laterally - SolarWinds is just the start point. Any conspiracy theory for one side, can easily be used the same way for the other side because whoever did this can use the info to develop influence campaigns in social media, info the media anonymously, etc. etc. - just so many things that can be done.
It seems the attackers weren't that sophisticated after all.
So they just walked in through the front door. That level of capability is not limited to APTs.
https://savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/
So they just walked in through the front door. That level of capability is not limited to APTs.
[FYI - be careful on the sources that you trust and be sure to read into what they're saying - they use words like "possible" and source random twitter users. I have not seen this validated yet but any security researchers...that said it could easily be true and does not make this hack any more simple - this is just the breach component]
Getting in is often the easiest part thanks to simple shit like lack of patching or social engineering. The persistence is the challenge and these guys exfil'd data (and more) for 8 months before discovery...and it is highly unlikely it was just data.
Internet Pearl Harbor shit right here. Not a good look for the current admin.
Last edited:
Rockenrooster
Gawd
- Joined
- Apr 11, 2017
- Messages
- 957
oh wow!
![Zarathustra[H]](/data/avatars/m/9/9298.jpg?1723407683){kind=avatar}
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 40,839
OMG. Their password was solarwinds123
How does this happen? How utterly incompetent can an enterprise network solutions provider be?
If they can't even get this right, they deserve every bit of business loss they get out of this thing.
w1retap
[H]F Junkie
- Joined
- Jul 17, 2006
- Messages
- 13,867
You wouldn't believe some of the passwords major cyber security vendors use. It isn't just SolarWinds. I see it first hand when I have to work with some of them.. some of the passwords are even hard coded into an executable with dependencies, so you have to recompile programs or modify database server backends to change passwords. It's a leftover from their legacy implementations 15+ years ago that never have updated the core underlying source code. I've seen some that even use 3 and 4 digit numerical passcodes instead of actual passwords.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 40,839
Jesus Christ.
At the very least the people who have to use those passwords on a semi-regular basis should be aware this isn't good, and report it up the chain until it gets fixed.
It's one thing if you are logging into some stupid shit like Animal Crossing or something like that. It's something different all together if your software is deeply integrated with large companies around the world, and if it gets pwned, they might get pwned too.
I still say this is inexcusable.
If anything, this is a motivation to go all open source, and ditch all the "appliances in a box". I haveno idea hwy IT departments keep buying that garbage. It is always slower, more expensive and less secure to - say - get a Sonicwall box, than it is to just run a pfSense box. IMHO, whenhever possible, always pass on specialized "solution in a box, with hardware", and use your own server instead.
w1retap
[H]F Junkie
- Joined
- Jul 17, 2006
- Messages
- 13,867
I've submitted CR fixes and bug reports for years to the vendors.. they just get closed saying they'll fix it in the next major product version, which it never does.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 40,839
ugh. There's a "You had one job" joke in here somewhere....
The thing about passwords is users have to remember them. Complex password requirements with double-digit characters seem great to people trying to prevent brute force password hacks. Telling people not to reuse passwords sounds good. In reality they fail because the user has to, you know, USE the system and needs to remember that password plus 8 others for work, plus 30 others for daily life (one for every streaming service, shopping website, bank account, credit card, gaming service, utility bill, mortgage/rent, ad nauseum). I'd like to think I'm pretty smart and can remember a lot of stuff, but that's fucking impossible.
The organization I work for adopted the NIST password requirements of 15+ characters, at least 1 capital letter, 1 lower case letter, 1 number, and 1 special character. Then NIST realized "You know what? That's fucking ridiculous and unusable" and dropped their password recommendations. I still have to remember 15 character passwords.
The organization I work for adopted the NIST password requirements of 15+ characters, at least 1 capital letter, 1 lower case letter, 1 number, and 1 special character. Then NIST realized "You know what? That's fucking ridiculous and unusable" and dropped their password recommendations. I still have to remember 15 character passwords.
Zarathustra[H]
Extremely [H]
- Joined
- Oct 29, 2000
- Messages
- 40,839
It is easy to use complex passwords if you manage it properly, either through the use of an encrypted password vault, or through synchronizing password requirements and expiration dates accross all systems a user needs to use.
Where it becomes impossible to keep track of is when you have 16 different systems, some of which you only have to use once every couple of months, all of which have different requirements for password length, upper lower case, numbers, and special characters, and they all expire after different intervals. A password manager helps here, but even with one, it becomes difficult.
It's 2020. In our connected age you can't just ignore password best practices just because it is hard. Having strong passwords is the bare minimum.
It's also difficult to design a boat that can stay afloat and not sink. That doesn't mean we just don't do it and let the boat sink to the bottom.
There are some things you just can't ignore no matter how difficult they are because they take you down if you don't. Password strengths and data security are increasingly one of those.
We need to get to the point where as an economy people who can't keep track of strong passwords or avoid phishing attacks need to be fired and relegated to flipping burgers or something. These things are too important to have them screw it up. We need to get to the point where we have weekly pentests and if you wind up being that weakest link that fails, you pack your bags, you are out of here. I don't care if you are the CEO or some executive.
Last edited:
IcePickFreak
[H]ard|Gawd
- Joined
- Dec 1, 2010
- Messages
- 1,801
I mean the very first paragraph in Solarwinds security advisory...
Now I don't have a decades worth of firsthand experience, but I don't think the hackers are coming to the premises to pick up a print-out of the compromised info.
Solar Winds, what a great game it was! Ah, the memories!
https://www.dosgamesarchive.com/download/solar-winds/
https://www.dosgamesarchive.com/download/solar-winds/
erek
[H]F Junkie
- Joined
- Dec 19, 2005
- Messages
- 12,725
BREAKING REPORT: Feds Arrive at SolarWinds HQ in Austin — More News Coming on CEO and Executive Vice President — New Update = https://www.thegatewaypundit.com/20...angers-us-marshals-raid-solarwinds-hq-austin/
This company and board are toast.
"The Washington Post reported Tuesday that top investors in SolarWinds sold millions of dollars in stock in the days before the intrusion was revealed. SolarWinds’s stock price has fallen more than 20 percent in the past few days. The Post cited former enforcement officials at the U.S. Securities and Exchange Commission (SEC) saying the sales were likely to prompt an insider trading investigation."
Yeah, the sheer scale and breadth of the attack will make a lot of powerful people/entities want justice. You don't piss off the people with the money and the power. If it was one of us - yeah, slap on the wrist if they stole from us or leaked our data (hello: Equifax).
erek
[H]F Junkie
- Joined
- Dec 19, 2005
- Messages
- 12,725
"
Billions Spent on U.S. Cyberdefenses Failed to Detect Giant Russian Hack
"https://news.yahoo.com/billions-spent-u-cyberdefenses-failed-131219060.html
(curtesy of KarateBob )