
$286 worth of shares
I'm guessing that should be £286M, as shown by the link!
In an 8-K filing to the US Securities and Exchange Commission, SolarWinds has given more details on exactly how it learned its servers were spewing out malware. The notice [PDF] says that FireEye notified the network management biz's CEO (who had only been on the job for three days) of a serious security issue on 12 December. …
$, not £
But I find it highly suspicious that the old CEO along with Venture Capitalist investors bailed out 5 days /before/ FireEye told them about the hack.
What's the betting that the SEC investigation will find some WhatsApp message from the CEO to his VC chums: "Shit is hitting the fan. Sell!"
Either the company noticed the hack a few days before FireEye did but kept quiet about it, or they were complicit much earlier. And that could attract more serious charges than just fraud and insider trading.
At a minimum, whoever bought those shares has been defrauded, and the national security of every country in the world outside Russia and China has been severely compromised by their incompetence.
But if we consider malice, Kevin Thompson and Tim Brown may not just be guilty of fraud, but also espionage and treason in 100 different countries. That's 100 trials he could face, some of which would be considering a death penalty.
No wonder he ran away leaving his $1.4m salary behind
a. He is going to have a huge army of lawyers defending him.
b. Having been involved in responding to a few hacks, I can say that FireEye must have been in communication with the CEO BEFORE they came to the conclusion that there was a hack. There is a lot of communication that happens between the two parties.
I bet, given a court order, FireEye will give the exact truth and nothing else but the truth.
Czech security shop Avast issued a warning that up to three million Chrome and Edge users could have been infected with malware hidden in browser extensions.
Well, sure; their browser security experts have a lot of experience with software that violates user trust.
Of course they were signed!
Read the original FireEye report - it makes for grim reading.
This is why I prefer to do my updates manually, at least a few days late. But given that this 'update' lay dormant for 2 weeks before pwning the system, even that strategy may not have helped.
I really detest the idea of automatic software updates. It makes it too easy for a bait-and-switch by the software developer, a rogue employee, or someone who stole their signing key.
What the report (or SolarWinds) doesn't mention is how the binaries were signed.
Where I work, I'm the one who worked out our signing process. We use an HSM, very limited access, and the access tokens are valid for a short window. For our system, basically the final binaries would have to be swapped out at the final stage of the build, before the signing happens. Possibly feasible, but the binary would also have to match the development-release binary.
Using an HSM means the private signing key can't be exported, so it's at least locked to that box. The limited access means that the account of the authorized individual would have to be compromised, which is, of course, feasible. There are a number of checks of the final signed binary before release, so that cuts down on the probability that a rogue binary would be delivered to customers.
Could a nation-state hack us? Possible. It's just a question of what windows of opportunity in the process are open, and how to shut as many of them as possible.
> Could a nation-state hack us? Possible. It's just a question of what windows of opportunity in the process are open, and how to shut as many of them as possible.
Out of curiosity (as opposed to business research), what if my country decided to kidnap your family and then asked you if you would be kind enough to sign this executable instead of that one? Would that work?
Also, what if your CA (Certificate Authority) gets compromised and issues a certificate that someone else uses to distribute their improved version of your software?
Typically, I used Authenticode certificates to sign binaries when I was doing Windows DLLs.
I still remember auditing our supply chain and asking a vendor what they did for signing key protection. They said that it was very secure as it was on only one person's laptop and they had anti-virus software.
In another case, all the binaries were automatically signed with the production certificate. The CI server was signing everything. Sort of makes the process of signing unimportant.
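The two signing setups contrasted in the comments above (an HSM behind short-lived access tokens with checks that the bytes being signed are the bytes the build produced, versus a CI server that signs everything put in front of it) can be modelled in a few dozen lines. The following is an added example written for this page, not code from any commenter, SolarWinds or FireEye. The HSM, the signing service, the token lifetime and the artifact bytes are all constructed stand-ins; the HSM produces an HMAC over the digest purely so the example runs on the standard library, where real hardware would return an RSA or ECDSA signature over the same digest.

```python
"""Release-signing gate (added illustration; all names and data are constructed).

Two controls from the discussion above:
  1. The artifact presented for signing must have the SHA-256 the build stage
     recorded, so a binary swapped in between build and signing is rejected.
  2. Signing authority comes from a short-lived token, so a compromised account
     or an unattended job cannot keep signing indefinitely.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildRecord:
    """Digest the build stage recorded for an artifact, before signing."""
    artifact_name: str
    sha256_hex: str


class FakeHSM:
    """Stand-in for a hardware signing module: the key is created inside and
    never returned; callers can only request a signature over a digest."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def sign_digest(self, digest: bytes) -> bytes:
        # HMAC stands in for an asymmetric signature so the example is self-contained.
        return hmac.new(self._key, digest, "sha256").digest()

    def verify_digest(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign_digest(digest), signature)


class SigningGateError(Exception):
    pass


class SigningService:
    """Front door to the HSM: short-lived tokens plus a build-record check."""

    def __init__(self, hsm: FakeHSM, token_ttl_seconds: int = 300) -> None:
        self.hsm = hsm
        self.ttl = token_ttl_seconds
        self._tokens = {}   # token -> (user, issued_at); hypothetical in-memory store
        self.audit = []     # one line per decision, for later review

    def issue_token(self, user: str, now: float) -> str:
        token = secrets.token_hex(16)
        self._tokens[token] = (user, now)
        return token

    def _check_token(self, token: str, now: float) -> str:
        entry = self._tokens.get(token)
        if entry is None:
            raise SigningGateError("unknown token")
        user, issued_at = entry
        if now - issued_at > self.ttl:
            del self._tokens[token]
            raise SigningGateError("token expired")
        return user

    def sign_release(self, token: str, record: BuildRecord, artifact: bytes, now: float) -> bytes:
        user = self._check_token(token, now)
        actual = hashlib.sha256(artifact).hexdigest()
        # Constant-time compare; a mismatch means the bytes offered for signing
        # are not the bytes the build stage produced (swapped or tampered).
        if not hmac.compare_digest(actual, record.sha256_hex):
            self.audit.append(f"REJECT {record.artifact_name} by {user}: digest mismatch")
            raise SigningGateError("artifact does not match build record")
        signature = self.hsm.sign_digest(bytes.fromhex(actual))
        self.audit.append(f"SIGNED {record.artifact_name} by {user} sha256={actual}")
        return signature


def verify_release(hsm: FakeHSM, artifact: bytes, signature: bytes) -> bool:
    """Consumer-side check: does the signature cover exactly these bytes?"""
    return hsm.verify_digest(hashlib.sha256(artifact).digest(), signature)


def run_scenarios() -> dict:
    """Constructed artifacts; reports which signing attempts the gate allowed."""
    hsm = FakeHSM()
    svc = SigningService(hsm, token_ttl_seconds=300)
    clean = b"MZ-constructed-stand-in-for-the-build-output"
    trojaned = clean + b"\x90\x90-extra-payload"
    record = BuildRecord("agent.dll", hashlib.sha256(clean).hexdigest())
    results = {}

    token = svc.issue_token("release-engineer", now=1000.0)
    sig = svc.sign_release(token, record, clean, now=1010.0)
    results["clean_signed"] = verify_release(hsm, clean, sig)
    results["signature_covers_trojaned"] = verify_release(hsm, trojaned, sig)

    try:  # same valid token, but the bytes no longer match the build record
        svc.sign_release(token, record, trojaned, now=1020.0)
        results["swapped_binary_signed"] = True
    except SigningGateError:
        results["swapped_binary_signed"] = False

    try:  # correct bytes, but the token's window has closed
        svc.sign_release(token, record, clean, now=1000.0 + 301)
        results["expired_token_signed"] = True
    except SigningGateError:
        results["expired_token_signed"] = False

    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {allowed}")
```

The "CI server signs everything" setup from the second comment is what you get by deleting the `BuildRecord` comparison and handing the service a token that never expires: every artifact that reaches the signing step is signed, so the signature only proves that something passed through CI, not that it is the build's output.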
> "The notice says that FireEye notified the network management biz's CEO (who had only been on the job for three days)"
I knew this guy who got this position in the Arctic at the last minute before the site became unreachable for the winter. When he got there his first job was to prepare the corpse of his predecessor for air evacuation (the job where a rope is tied to the coffin with a balloon at the other end and a C-130 hooks the rope and winches the lot up).
Always ask why a vacancy has opened.