Solarwinds - Supply Chain Hack

T

That_Sound_Guy

2[H]4U
Joined
Apr 29, 2002
Messages
3,076
"SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform."


https://www.solarwinds.com/securityadvisory
 
Yup, been a shitty day at work. But I guess I'm happy I don't work at more of the higher profile places.
 
Yeah, we upgraded our version today, and will apply the second patch ASAP after its available.

Rebuilding or blocking traffic to all hosts is not a realistic option for many operations.
 
What does SolarWinds do? I tried googling, but all I found was some high level description of monitoring. Nothing detailed enough to make sense of it.
 
It is going to be a fun couple weeks.....

You wonder how many of their customers who have to spend time and resources rebuilding will be sending Solarwinds and big fat bill for them to pay for it..

https://krebsonsecurity.com/2020/12...e-depts-hacked-through-solarwinds-compromise/

1607978470315.png


In response to the intrusions at Treasury and Commerce, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks.

“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” CISA advised.

A blog post by Microsoft says the attackers were able to add malicious code to software updates provided by SolarWinds for Orion users. “This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials,” Microsoft wrote.

From there, the attackers would be able to forge single sign-on tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts on the network.

“Using highly privileged accounts acquired through the technique above or other means, attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application,” Microsoft explained.

Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.
Click to expand...
 
Zarathustra[H] said:
What does SolarWinds do? I tried googling, but all I found was some high level description of monitoring. Nothing detailed enough to make sense of it.
Click to expand...
Device Health and Performance Management (DHPM) - think things like SNMP, ICMP checks - "host up/down?" at a basic level - but they get down to CPU utilization, memory utilization, disk space, etc. (SNMP or agent-based) - so you can get ahead of issues before they become issues.
 
Yeah this was not fun to hear about last night. Thankfully we are behind on patching. Going to catch up this week though. Just had to wait for for the non-Trojanized hotfix.
 
Yeah, first calls were last night. Patch immediately. Scan for signs of intrusion. End of day today the leadership came down and said they no longer have faith in the patching. So nuke everything and rebuild with the version that is said to be good. It's going to be a long few days.
 
Is this related to the Intel hack a few months ago that leaked a bunch of their IME code?
 
4saken said:
no. compromised DLL in Solarwinds update back in March. Probably the most massive cyber attack in history.
Click to expand...
Yep, Lots of HIGH profile companies apparently use SolarWinds, and I think SolarWinds is primarily like a device performance monitor but on a massive scale, they probably have other RMM tools too.
Anything that can get that kind of sensitive/important info needs to be super secured.
Hackers with that info can now make even more targeted attacks now that they know every detail about every server in each companies environment...
If Hackers indeed have this info, expect lots of hacks in the very near future, like this week....
 
Rockenrooster said:
Yep, Lots of HIGH profile companies apparently use SolarWinds, and I think SolarWinds is primarily like a device performance monitor but on a massive scale, they probably have other RMM tools too.
Anything that can get that kind of sensitive/important info needs to be super secured.
Hackers with that info can now make even more targeted attacks now that they know every detail about every server in each companies environment...
If Hackers indeed have this info, expect lots of hacks in the very near future, like this week....
Click to expand...
Indeed, and even mid size enterprises and lower. I know lot's of folks here probably never heard of solarwinds before this week, but I can throw a stone in any direction and hit a company that has Solarwinds running to monitor their apps and infra. Insane how big this is.
 
Stryker7314 yup, but this is going to carry into 2021 for sure.

sk3tch it is more or less, but to empirically prove it is state sponsored and be able to go to war back... 10+ years ago i recall a show i was watching talking about how insecure the U.S's infrastructure was and how it would be an easy target if someone wanted to attack the U.S..... All of these cyber attacks over the last 2-3 years that you can read about every day was just the build up and testing the perimeter so to speak....this was a major attack...
 
MrGuvernment said:
Stryker7314 yup, but this is going to carry into 2021 for sure.

sk3tch it is more or less, but to empirically prove it is state sponsored and be able to go to war back... 10+ years ago i recall a show i was watching talking about how insecure the U.S's infrastructure was and how it would be an easy target if someone wanted to attack the U.S..... All of these cyber attacks over the last 2-3 years that you can read about every day was just the build up and testing the perimeter so to speak....this was a major attack...
Click to expand...
(sorry if double post :( )

Microsoft and Industry Partners Seize Key Domain Used In SolarWinds Hack

 
MrGuvernment said:
Stryker7314 yup, but this is going to carry into 2021 for sure.

sk3tch it is more or less, but to empirically prove it is state sponsored and be able to go to war back... 10+ years ago i recall a show i was watching talking about how insecure the U.S's infrastructure was and how it would be an easy target if someone wanted to attack the U.S..... All of these cyber attacks over the last 2-3 years that you can read about every day was just the build up and testing the perimeter so to speak....this was a major attack...
Click to expand...
I don't think attribution is needed to call it a WW3 moment. The collateral damage is going to take place for months and years to come. It is just an absolute wreck of damage. Any cyber attack is not going to lead to physical warfare directly, but it will lead up to other elements (economic devastation, state secrets theft, blackmail, etc.) that will change the course of the world.

Lakados said:
So the attack got uglier if that were possible.
https://www.technologyreview.com/20...potted/?utm_source=nextdraft&utm_medium=email
Click to expand...

I mean, essentially U.S. gov't email was likely being read for most of 2020...nevermind a huge chunk of the Fortune 500...it just goes on and on and on.
 
erek said:
(sorry if double post :( )

Microsoft and Industry Partners Seize Key Domain Used In SolarWinds Hack

Click to expand...
Anyone who has the skill to build this malware is surely also going to have more than one domain available as a backup. So this seizing of one domain is just more security kabuki.
The government sponsored hackers are smart.
Years ago, they hacked RSA, which made most of the key tokens for encrypting sensitive messages. They exfiltrated the core algorithms, which allowed these encryptions to be broken at scale easily.
Then they hacked the US Office of Personnel, which includes the career records of all government employees. That makes finding the spies easy, you have the career data and it includes confidential data which can be used to impersonate or suborn individuals of interest.
Now this larger scale penetration, over an extended period.
One might wonder whether the problem is that the government has so many secrets and classifications that it is impossible to plug all the holes, the attack surface is just too big.
 
no, 4saken is right. it affects their orion stuff, not that or the helpdesk software we use from them..
 
pendragon1 said:
no, 4saken is right. it affects their orion stuff, not that or the helpdesk software we use from them..
Click to expand...
fair enough my bad (for now). Let's wait a bit and see if more has been hacked. I dont think the full extent has been found yet.
 
4saken said:
A Dll, in an update back in march for SolarWind Orions ON-PREMISES platform, was the culprit. Period. Not sure what else you are going for?
Click to expand...
Russians

Full implications of all compromised systems is not known.
 
Last edited:
You must log in or register to reply here.
Back
Top