-
Player two has entered the game...
Second hacking team was targeting SolarWinds at time of big breach Reuters
https://nu.federati.net/url/279006
>(Reuters) - A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company’s products earlier this year, according to a security research blog by Microsoft.
>
>“The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the blog said.
>
>Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.
>
>It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file’s compile times.
>...
-
EXCLUSIVE-U.S. Treasury breached by hackers backed by foreign government sources Reuters
https://nu.federati.net/url/278882
>WASHINGTON, Dec 13 (Reuters) - A sophisticated hacking group backed by a foreign government stole information from the U.S. Treasury Department and a U.S. agency responsible for deciding policy around the internet and telecommunications, according to people familiar with the matter. (Reporting by Christopher Bing; Editing by Daniel Wallis)
Robert J. DeNault on Twitter:
https://twitter.com/robertjdenault/status/1338197708079771649
>Major story here. Foreign government has hacked Treasury; Trump removed the entire leadership at the Cyber and Infrastructure Agency weeks ago and there is a bevy of inexperienced folks having emergency meeting to respond.
Welp... Who didn't see this happening...
-
I hadn't even heard that the leadership of CISA had been fired. CERT also?
-
The Guardian's text is pretty similar to the Jerusalem Post's: https://nu.federati.net/url/278891
#US_Treasury #security #breach
-
> Hackers broke into the NTIA's office software, Microsoft's Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.
> The hackers are "highly sophisticated" and have been able to trick the Microsoft platform's authentication controls ...
I'm not a domain admin, but I would assume the affected agencies had to set up domain trust between O365 and their agencies, such that logging into the management account on Microsoft's side required the agency's Active Directory to approve the login.
When I look at it this way, it does sound like there might have been some help from inside the agencies (or perhaps inside of Microsoft).
-
https://nitter.net/razhael/status/1338267165221396480
Suspected vector: SolarWinds
(I notice that the SolarWinds Wikipedia page looks like it could have been written by their PR department. https://en.wikipedia.org/wiki/SolarWinds )
-
https://nu.federati.net/url/278897 [www reuters com]
Article implies that the SolarWinds and FireEye penetrations are related to the US Govt penetrations.
-
@geniusmusing https://www.bbc.com/news/world-us-canada-55265442 this may be one already linked in-thread, but I link anyway, so it doesn't get left out.
-
Sacred bovine! They hit the mother lode.
-
@geniusmusing What a scary thought! It is bad enough to learn that Putin and Xi are looking at my #TSA #crotchscan photos. If they’re also looking at my finances from #IRS records, I’ll be embarrassed and they’ll be laughing.
-
> anyone could access SolarWinds’ update server by using the password “solarwinds123”
OOF!
-
> a time of transition for the company, which on Dec. 9 announced
Timing seems a little suspicious. Could Thompson have realized that their main product had been compromised and not wanted the fallout to affect salary & bonus?
-
https://sully.site/@sullybiker/105386008132694493 Just knitting another thread with similar information into this one.
-
So I was listening to Security Now and Steve did a deepish dive into this mess; highlights/things I learned are below.
SolarWinds
https://twit.tv/shows/security-now/episodes/797
The dll that was used was signed with the SolarWinds signing cert, meaning that either they got access to the code repo and modified the code or the cert was stolen and used. The modified dll also still did the proper functions that were put in it, so either really good reverse engineering or they had the code.
Based on how long this went on (the first signed/modified dll is from March), I would guess they had access to the code, modified it to their liking, and then let SolarWinds compile/sign and distribute it for them.
It also sounded like many countries were targeted.
From Steve's show notes
https://www.grc.com/sn/SN-797-Notes.pdf
>And to make matters still worse, it turns out that Orion had been (I’m using the past tense) a highly trusted component which, by design, was trusted to hold and deploy credentials, including the Domain Admin, Cisco/Router/SW root/enable credentials, ESXi/vCenter Credentials, AWS/Azure/Cloud root API keys, and so much more. If you had the malicious Orion component on your network, ALL of those credentials must be considered to have been compromised.
>
>And let’s not forget that these cretins had been crawling around since the end of March of this year. The mistake they made — and they probably didn’t make it until they had already done a lot more damage elsewhere — was in attempting to crawl around within FireEye’s network. SOMETHING tipped-off FireEye to the presence of this extremely stealthful intrusion. If it weren’t for FireEye’s detection, SolarWinds would still be unwittingly distributing malicious components and this probably-Russian espionage campaign would still be going strong.
This is about as scary as it can get.
Moar reading:
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor FireEye Inc
https://nu.federati.net/url/278899
Global Intrusion Campaign Leverages Software Supply Chain Compromise FireEye Inc
https://nu.federati.net/url/278943
-
#SolarWinds wrote that #FLOSS is dangerous because anyone could add code. https://nu.federati.net/url/278946 [thwack solarwinds com]
Source: https://mastodon.social/@rysiek/105392714163855009
-
@adcock I think you should get Windows. But wait until I buy some Microsoft stock.
-
Oh, sh*t. This is about as bad as it could be, other than learning that they downloaded the missile launch codes.
-
@geniusmusing Next up, Microsoft. https://www.reuters.com/article/us-global-cyber-microsoft-idUSKBN28R3BY
-
I do note that I haven't heard anything about any ISPs, cable companies, or telecom companies yet. We all know that some of them are likely on the list of targets.
-
Serious question, though: we all know about least privilege being a foundational principle of security. Do everything with the lowest possible rights that will enable you to do your job. So how does any IT security person justify giving these monitoring boxes full admin privileges on everything in the network?
Active directory administrator account
SMTP administrator account
SQL database administrator account
and so on.
It should be able to monitor the network without necessarily having the keys to the kingdom.
($EMPLOYER's IT security office has admin accounts on every server, though I've always thought they should have read-only access that requires documenting the reason whenever they elevate to gain full control.)
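A concrete instance of the point above for the SQL account in that list: an added example (not code from the thread or from any monitoring vendor), assuming Microsoft SQL Server (T-SQL), with a placeholder login name and password, showing the "keys to the kingdom" setting beside a read-only one.

```sql
-- Added example, not from the thread. Assumes Microsoft SQL Server (T-SQL).
-- 'monitor_svc' and the password are placeholders.

-- Weak setting: the monitoring service logs in as a full sysadmin, so a
-- compromised monitoring box owns every database on the instance.
CREATE LOGIN monitor_svc WITH PASSWORD = '<replace-with-vaulted-secret>';
ALTER SERVER ROLE sysadmin ADD MEMBER monitor_svc;

-- Corrected setting: drop sysadmin and grant only instance-wide, read-only
-- visibility. The exact permissions a given product needs are an assumption
-- here; take the real list from the vendor's documentation.
ALTER SERVER ROLE sysadmin DROP MEMBER monitor_svc;
GRANT CONNECT SQL TO monitor_svc;
GRANT VIEW SERVER STATE TO monitor_svc;     -- sys.dm_* health counters
GRANT VIEW ANY DEFINITION TO monitor_svc;   -- object metadata, no table data

-- Check 1: a least-privilege monitoring login holds no fixed server role.
-- This returns zero rows once the corrected setting is applied.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = 'monitor_svc';

-- Check 2: list what the login can actually do at server scope, as the login.
EXECUTE AS LOGIN = 'monitor_svc';
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
REVERT;
```

The same pattern (a read-only principal plus a periodic query that fails loudly if it ever gains an admin role) applies to the directory and mail accounts in the list as well.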
-
What they need is to replace some of the meetings with work observations. Rather than tell someone what you’re doing, do it in front of them and answer any questions that arise during the process.
They can still have jawbone sessions, only now they should be a little more productive.
-
I was thinking about the implications of #MSFT's compromise ... could be that every #Win10 system in the world has another backdoor added. And #Win8.1 and all supported #WinServer versions.
-
@geniusmusing As you know, once a system gets malware / trojan infected, you can never be 100% sure you removed everything. I foresee a wave of hardware replacements hitting nearly every organization. I just hope that the old hardware is destroyed and not just sold to unsuspecting bargain hunters.
Which brings up another question: Did MSFT destroy its old, infected devices and reprovision with brand new hardware? Or did they just add a few signatures to Windows Defender and run scans to try to disinfect them? I think this time, they need to do the right thing and bring in truckloads of previously-unused server hardware.
-
If MSFT got hit, what about larger Linux and BSD distros? While I'm sure Hannah Montana Linux doesn't have enough of a network to require monitoring hardware, Red Hat, SUSE, Canonical, Arch, Gentoo, and Debian are large enough organizations that they may.
-
@geniusmusing I didn't know the name SolarWinds before, but I can see this revelation being the killing blow if the first penetration wasn't.
Apparently, their company's security is a sieve, not a barrier.