Solarwinds - Supply Chain Hack

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,611
Nothing, that's why I said that. MS has not commented or released anything; it's just more anonymous garbage for now.


Doesn't matter, see above.
Don't hold your breath. Companies don't just announce breaches unless they are compelled to do so.
 

FlawleZ

[H]ard|Gawd
Joined
Oct 20, 2010
Messages
1,327
I voted China, but honestly the more I think about it, it easily could be the U.S. too. With as many tools at their disposal as Vault 7 and many more we don't know about, it's likely just disguised to look like whoever they want it to look like.
 

$trapped

Limp Gawd
Joined
Jan 18, 2012
Messages
148
Yeah, the sheer scale and breadth of the attack will make a lot of powerful people/entities want justice. You don't piss off the people with the money and the power. If it was one of us - yeah, slap on the wrist if they stole from us or leaked our data (hello: Equifax).
I was referring to the trades that were made, not the hack.
 

Mchart

Supreme [H]ardness
Joined
Aug 7, 2004
Messages
4,255
"Billions Spent on U.S. Cyberdefenses Failed to Detect Giant Russian Hack"

https://news.yahoo.com/billions-spent-u-cyberdefenses-failed-131219060.html

(courtesy of KarateBob)
We could spend trillions and it wouldn’t change anything.

You can’t secure something that is fundamentally impossible to secure.

I hate working in this field, personally, because I know it’s all a sham. I can’t wait to retire soon. It’s just not sustainable. Something will have to change in a big way at some point. Pouring more into cyber defense isn’t the solution. It’s just putting your finger into a hole in the Hoover dam.

And it also really pisses me off that the idiots in charge think AI will fix this. It is so incredibly easy to influence AI just as you would a human being.
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,400
Glad I'm done with it. Yeah, the latest buzzword, AI, will fix everything, yeah right. If there's a way out, there's a way in. The fix is the quantum network, supposedly.
 

w1retap

[H]F Junkie
Joined
Jul 17, 2006
Messages
12,877
The problem is, you can mandate that 3rd party software providers follow all the laws and regulations, but you're still depending on them. In my field, to meet US cyber security law under 10 CFR 73.54, we actually go to the 3rd party vendor's physical office and investigate their supply chain security, software/hardware security, physical security, QA program, etc. before using their products, to make sure they're also meeting our requirements under the law. Obviously, if that isn't good enough, nothing will be.

There are always people looking for the next exploit or hack, and when powered with the resources of a nation-state behind them, a single company cannot keep up with staying ahead of them. In order to keep ahead, you'd need borderline tyranny of the federal government over businesses, with cyber command resources at all companies feeding them counter-intelligence from the latest spy activities in other countries. What makes it even harder is, most technology products are made in countries that are enemies, so they can put hardware-level and software-level back doors in just about anything they want by having a compromised employee working for a US company on foreign soil, where all the government oversight is by the nation-state that controls the company's activities.

This is one of the main motivators behind bringing back American manufacturing and putting America first. It may cost more to manufacture something here (marginally in the long run), but it is still cheaper than having all your companies hacked, data leaked, businesses bankrupt, and homeland security sensitive information leaked. We're in a cyber and economic war. Next comes physical war if it isn't turned around.
 


erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,716
Supply chain related: About 80 companies to be blacklisted from US for national defense reasons.

"SMIC will also be explicitly prohibited from acquiring technology to build chips with 10-nanometer circuits and smaller." --- this is huge, because Qualcomm / Broadcom depend on them. Looks like a lot of changes will be happening.

https://www.foxbusiness.com/markets/us-to-blacklist-dozens-of-chinese-companies-wilbur-ross-says

UK Use of Software Linked To Russia-Hack Runs Deep

 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,548
> We could spend trillions and it wouldn’t change anything.
>
> You can’t secure something that is fundamentally impossible to secure.
>
> I hate working in this field, personally, because I know it’s all a sham. I can’t wait to retire soon. It’s just not sustainable. Something will have to change in a big way at some point. Pouring more into cyber defense isn’t the solution. It’s just putting your finger into a hole in the Hoover dam.
>
> And it also really pisses me off that the idiots in charge think AI will fix this. It is so incredibly easy to influence AI just as you would a human being.

The only way to secure data is to not keep it in systems connected to the public internet, either directly or indirectly.

If you have enough data in one place, something becomes a target, and once something is a target it CAN NOT be secured. All you can do is make it more difficult to breach. AI won't change this.

In order to secure something it needs to be completely air-gapped. You can't even use VLANs or other techniques to accomplish this. The network hardware needs to be completely separate.

Even then - as Stuxnet showed us - you are still vulnerable to social engineering or people doing things they aren't supposed to with portable storage media.

You have to go completely draconian. Fill USB ports with cement. Prevent use of portable devices on site. Use millimeter wave body scanners at every entrance and exit and charge people with crimes if they are caught carrying cellphones or USB sticks. That sort of thing.

And even if you do, occasionally some will still slip through.
 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,611
It's not impossible. It is just being looked at the wrong way. You can't spend your way out of it if you don't have the right people. If you don't have the right processes... technology is tertiary. Too many people buy a tool but don't bother to operationalize it correctly. Never mind that once you do that, you then need to get proactive and hunt. People just want to cut corners and do the bare minimum for whatever regulation or checkbox their industry has. The hacks will keep happening as long as it is not financially incentivized to have protection of that scale.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,716
> It's not impossible. It is just being looked at the wrong way. You can't spend your way out of it if you don't have the right people. If you don't have the right processes... technology is tertiary. Too many people buy a tool but don't bother to operationalize it correctly. Never mind that once you do that, you then need to get proactive and hunt. People just want to cut corners and do the bare minimum for whatever regulation or checkbox their industry has. The hacks will keep happening as long as it is not financially incentivized to have protection of that scale.
"VMware Flaw a Vector in SolarWinds Breach?" -- https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/


Sorry if dupe.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,716
It seems the attackers weren't that sophisticated after all.


https://savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/

So they just walked in through the front door. That level of capability is not limited to APTs.

OMG. Their password was solarwinds123

How does this happen? How utterly incompetent can an enterprise network solutions provider be?

If they can't even get this right, they deserve every bit of business loss they get out of this thing.

"solarwinds123"

Think this was overlooked as being pretty important ^

Thanks folks
 

Red Falcon

[H]F Junkie
Joined
May 7, 2007
Messages
10,835
> "solarwinds123"
>
> Think this was overlooked as being pretty important ^
>
> Thanks folks
At first I thought you both were joking, but after reading the article...
> Vinoth further mentions in the tweet that the password was *****123. Our guess is that the password of that FTP server was solarwinds123, filling in the redacted part, which is a very weak credential. solarwinds123 is an example of the weakest credentials one can think of. Credentials of the FTP download server which was exposed on the SolarWinds GitHub repo are as follows
...you can't make this shit up. :dead:
 

Red Falcon

[H]F Junkie
Joined
May 7, 2007
Messages
10,835
So glad we have a President who trusts and admires the Russians
Because it will be so much better when the next one gets in who trusts and admires the Chinese... :p
The next one also has an uphill battle, and will probably have the administration responsible for Skynet and/or any other rogue AI - only half-joking about that one.
 


chithanh

Gawd
Joined
Oct 18, 2010
Messages
845
Seems that a second hacker group was also able to hack into Solarwinds and distribute their malware through them (under "Additional malware discovered"). And they were only discovered because of the investigation into the first hack.
Getting in is often the easiest part, thanks to simple shit like lack of patching or social engineering. The persistence is the challenge, and these guys exfil'd data (and more) for 8 months before discovery... and it is highly unlikely it was just data.
Looking at the publicly available SolarWinds attack and malware analysis, there is nothing which stands out as particularly advanced. The attackers were professional and kept a low profile, sure.
But given that:
  • they infiltrated monitoring software which normally reads all files anyway,
  • they distributed through the hijacked software update process,
  • they were able to sign their malware (signed software is treated very differently from unsigned software by antivirus software), and
  • Solarwinds gave questionable advice like exempting their program directory from antivirus scans,
it is not surprising that the attack went undetected for so long.
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,716
> Seems that a second hacker group was also able to hack into Solarwinds and distribute their malware through them (under "Additional malware discovered"). And they were only discovered because of the investigation into the first hack.
>
> Looking at the publicly available SolarWinds attack and malware analysis, there is nothing which stands out as particularly advanced. The attackers were professional and kept a low profile, sure.
> But given that:
>   • they infiltrated monitoring software which normally reads all files anyway,
>   • they distributed through the hijacked software update process,
>   • they were able to sign their malware (signed software is treated very differently from unsigned software by antivirus software), and
>   • Solarwinds gave questionable advice like exempting their program directory from antivirus scans,
> it is not surprising that the attack went undetected for so long.
SUPERNOVA not previously mentioned in this thread:


https://www.bleepingcomputer.com/ne...oor-found-in-solarwinds-cyberattack-analysis/
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,400
Where's the guy saying that the one back door was an isolated issue?
 

Mega6

2[H]4U
Joined
Aug 13, 2017
Messages
3,400
Yep, deeper than just the first malware find, as I suspected.

"The source said the intruders behind the SolarWinds compromise seeded the AO’s network with a second stage “Teardrop” malware that went beyond the “Sunburst” malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software."
 

erek

Supreme [H]ardness
Joined
Dec 19, 2005
Messages
7,716
> Yep, deeper than just the first malware find, as I suspected.
>
> "The source said the intruders behind the SolarWinds compromise seeded the AO’s network with a second stage “Teardrop” malware that went beyond the “Sunburst” malicious software update that was opportunistically pushed out to all 18,000 customers using the compromised Orion software."
pendragon1 related to: https://hardforum.com/threads/whos-behind-the-solarwinds-hack.2005148/

"SolarWinds hackers linked to known Russian spying tools, investigators say" -- https://www.reuters.com/article/glo...-spying-tools-investigators-say-idINKBN29G16Z
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
24,602
> "Raiu said the digital clues uncovered by his team did not directly implicate Turla in the SolarWinds compromise, but did show there was a yet-to-be determined connection between the two hacking tools."
Why didn't you post it there then? I haven't been in this thread for weeks...
 