US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack SolarWinds' Orion IT monitoring platform has been compromised, and speculation is swirling it was used as a base camp by state-backed hackers to infiltrate major US government organizations. Kevin Thompson, SolarWinds president and CEO, said his company is "aware of a potential vulnerability" that may have been in "updates …
Where I've seen Solarwinds implemented, the tool was often given administrative credentials to not just the networking gear to pull credentials (and restore them if they change without authorization), but also to perform discovery on Linux systems. Despite having well documented "these are the only sudo permissions needed on Linux", I see many shops just gave it full root.
Often, I was asking admins to choke down the access and there was surprise that the tool worked with less than full root.
So, yes, this is a very scary thing to me.
Like @sitine, I'm concerned at the blast radius. Solarwinds is inside the VPN, inside the the secure zone. The secure zone where all the deprecated machine instances run, where patching is months behind (because why would you need to patch when you're in the secure zone?).
Jake Williams, Security Analyst, might want to consider the thrill of enterprise security logic before he goes happy clappy.
>So, yes, this is a very scary thing to me.
Stop worrying and love the hack! Is this not a fine example of a state-endorsed backdoor that is only to be used by the Good Guys? As an added bonus, your data is now securely backed up for free!*
*Irony intended. Not to be taken seriously. Does not constitute an offer for a free backup service. T&Cs apply.
If you’re a SolarWinds customer, assume compromise and immediately activate your incident response team.
However, if you’re a SolarWinds customer, and they are your active security and incident response team and they have failed to protect servering of your crown jewels, with their value now decimated/reduced to single figure cents on the dollars, what else can you do other than panic a lot and hope they have a case to answer and you can still afford to sue them for whatever can be conjured up and thrown at them?
After all, is that not the American Way and the normal route to get to the root of such that matters?
Surprised the share price of Solar Winds Corp. is still on the way up. Highest it's been in 5 years.
https://www.bing.com/search?q=solar+winds+share+price&cvid=76cd4450948941f99b3b819c0f95fce0&pglt=163&FORM=ANNTA1&PC=U531
Everybody knows the stock markets are completely divorced from reality these days. Bad or good news doesn't matter to the algorithms running everybody's pensions. Meanwhile, the smart money has made a killing selling their SolarWinds shares to the bots before somebody wises up and tells them to stop buying.
Could we have a popcorn icon, please? I'm opening mine, sitting back, and waiting for fireworks...
Surprised the share price of Solar Winds Corp. is still on the way up. Highest it's been in 5 years.
https://www.bing.com/search?q=solar+winds+share+price&cvid=76cd4450948941f99b3b819c0f95fce0&pglt=163&FORM=ANNTA1&PC=U531
https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Core-SolarWinds-Orion-Agents-sw467.htm
No surprise they're boxes are used on Voting Machines Networks. Georgia uses ballot marking and ballot scanning machines, you can count the paper ballot to ensure the machines haven't been compromised in Georgia.
Texas, and other GOP states have been rolling out paperless voting machines to Democrat polling districts, notably Harris County. The same Harris county Republicans attacked in multiple legal challenges, and in closing ballot drop stations and reduced polling places to create long lines.
Paperless voting machines cannot be verified. You cannot ensure the voting record the machine has is the actual record of the vote.
Republican Secretaries of State know this, yet they rolled them out anyway. Republicans rolled out riggable voting machines intentionally.
You cannot ensure those machines voted Republican to the huge extent they did. It was a ridiculous skewing of the vote that almost saved them. By now, any sense of Republicans = Democracy you have has been dispelled. Given all the voter suppression, Republican attempts at insurrection, Arizon Republicans calling for violent ovethrow of government, Republican slow motion coups. All the things they've tried publicly, you should be in no doubt Republicans are rigging those riggable voting machines in private.
Texas AG in particular, is indicted on a securities fraud case, but has never been prosecuted, as long as he stays in power, he will not prosecute himself. Do you think he would prosecute voting machine fraud in Texas if it keeps him in power?
Trump got 74 million votes, vastly up from 62 million of 2016. Yet his popularity slumped from 2016.
Do people hate Biden so much more than Clinton? No. Is it because "hidden Trump supporters pop out of nowwhere and vote on those machines?" no. Is it because "latinos are difficult to poll?" No, if Facebook can reach them then so can pollsters.
Its because the machine are set to turn a percentage of votes Republican, and turnout was up as people try to eject Trump, so the machines gave Trump a large chunk of those votes.
And you cannot verify those votes because Republicans rolled out unverifiable machine voting. But in Georgia the court required they roll out paper ballot machines, so the paper can be checked. Georgia swung to democrat despite massive voter suppression.
You need to protect US elections from Russia and agents of Russia within the Republican party. You need to force paper audit trails on all voting machines for every future election, to ensure you can verify the vote independent of the machine.
Have "Trust=confidence" in elections, not "Trust=Blind-Faith" in elections. You verify the result, you don't trust the Republican tally of their votes, you verify it.
The party of sedition and coups and militias will rig any machine to stay in power, and will seek the help of any foreign power while doing it.
You think Lindsey Graham would ring Republican States to block votes being counted, but wouldn't ring Putin? Of course he would. He's shown his true nature.
Wrong "he". The OP is clearly saying Trump lost and the Republican votes cast in states using paperless voting machines may be higher than they would be had fully auditable voting systems been used.
Saying it again. And again, and again, and...
In other words, OP's assertion is the Republicans rigged the vote but failed to rig it enough.
"Oh just fuck off and accept he lost."
Do you not think it weird that Trump is incredibly unpopular but still managed to rack up huge amounts of votes? Republicans have been found to be using all methods they could think of to rig the vote, like breaking the USPS, off-rolling voters by the truck-load, voter intimidation, closing polling places. I wouldn't put it past them to engage in ballot stuffing.
There have been vote rigging allegations in US election for about 20 years now ... but so far there has been very little real evidence that it's happening or that it's one party and not the other. I find it interesting that the Republicans are the ones making most of the allegations these days ... clearly they know more about methods of rigging a vote than anyone else.
Vote rigging in the US is legal if you do it by simple stopping your opponents from voting.
so far there has been very little real evidence that it's happening
Oki, a random search result, on google no less:
"Former Philadelphia Judge of Elections Convicted of Conspiring to Violate Civil Rights and Bribery"
https://www.justice.gov/opa/pr/former-philadelphia-judge-elections-convicted-conspiring-violate-civil-rights-and-bribery
Are you really of the belief that there was no cheating whatsoever? I can understand the belief that there was no significant amount of cheating (that would effectively skew the result), but to assert absolutely no cheating whatsoever is a pretty bold claim IMO.
On one hand you have countless democrats who decry Trump as being "The Orange Hitler".
If you (or anyone) was in a position where it would be possible to skew the results, and you thought that one candidate was literally Hitler... Would it not be tempting to do a little skewing? Would you not, in fact, be morally obliged to do so? What would it say about you as a person if you did not do your part to keep Hitler out of office?
Same if you were a reporter. Is it not your moral duty to help the other candidate win and downplay allegations of fraud? (never mind that said reporters should have done their job prior to the nomination and helped support a candidate who hasn't reached retirement age)
"There have been vote rigging allegations DUE TO THE USE OF ELECTRONIC VOTING MACHINES in US election for about 20 years now"
FTFY - vote rigging is almost a tradition in some parts of the US.
There has been evidence of voting machine "issues" such as polling booths recording zero votes or more votes than were registered to vote but these have generally been discarded and at a level where they are unlikely to have affected the result (i.e. 1000's of votes when the votes were won by hundreds of thousands or more). Note that I'm not suggesting that there shouldn't be more in-depth investigations or a method to provide a physical audit trail to allow more scrutiny.
The investigations into voting fraud have centred around people being eligible to vote (i.e. dead voters or foreign nationals) or people voting multiple times. The studies suggest that while these cases happen, the aggregate number of cases across the US is likely to be in the 10's or 100's for votes that are counted. There is less certainty about the number of cases where votes are discarded but I suspect that both parties have skeletons they wish to hide here (gerrymandering/how money is distributed to ensure voters can vote/reliability and accuracy of voting records/policies that disenfranchise voters/electronic voting machine reliability/postal votes being lost or discarded etc).
TL;DR: the studies suggest voter fraud has an insignificant effect (<1000 counted votes) on electoral college votes and therefore the outcome of US elections. However, there are many very serious issues that need to be addressed to provide a fair system for all US voters.
Reference studies:
Multiple votes: https://scholar.harvard.edu/files/morse/files/1p1v.pdf
Dead voters: https://siepr.stanford.edu/news/dead-people-don-t-vote-study-points-extremely-rare-fraud
Overall US voter fraud: https://www.brennancenter.org/sites/default/files/2019-08/Report_Truth-About-Voter-Fraud.pdf
It's pretty common to find illegal activity/fraud around voting, it just usually takes a few months after it matters for the FBI or whoever to press charges. Here's a recent one from my state:
https://www.nytimes.com/2019/07/30/us/mccrae-dowless-indictment.html
Here's a recent case from my old state:
https://www.salon.com/2016/02/14/election_fraud_chicago_style_illinois_decades_old_notoriety_for_election_corruption_is_legendary/
"I would have expected some sort of federal law that stipulates a min number of polling points per 1,000 of population. Anything else is liable to manipulation."
And yet here we are. Most of the issues were with advanced polling places and mail-in ballot locations. Deliberate roadblocks set up to stop people voting during a pandemic.
Its why i believe trump when he says its the most corrupt election ever [he should know, yet more trump projection] unfortunately for the impeached former 1 term president, his efforts to corrupt didn't corrupt enough in the right way lol.
What im looking forward to will be the reality distortion cognitive dissonance caused in his base by him pulling a weinstein zimmer shuffle to court during one of the dozens inevitable days in court come January and then claiming he's fighting fit for 2024.
Half tempted to place a bet on if he will be found hanging, or dead of an aneurism on the bog....
Why's that? They were only doing their jobs just like you. Conceivably they might be pulling a few all nighters themselves to have pulled this lot off in the first place and now keep their selves/paymasters unattributable. I imagine they're nervier than a novel private space launch.
I disagree. Someone made an affirmative choice to break into Solarwinds and compromise their tool chain. They have a responsibility to secure their assets, but that doesn't change the fact that a criminal entity broke in. Let's not lose focus on the fact that the people who planted the malware are, in fact, criminals. They're the ones who deserve the blame.
Two comments:
- How did this update arrive on the targeted computers? Phishing? Corruption of SolarWinds servers?
- "Security analyst Jake [...]urges readers not to assume the attack automatically translates to an ability to control systems.". Perhaps, but "the .dll [...] retrieves and executes commands, called 'Jobs', that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services." Sounds quite serious to me!
The first comment, they infiltrated the SolarWinds network and they managed to get the trojan compiled with the SW code signing certificate.
Yes, the comment from Jake doesn't match with FireEye's description of the system. I can only assume he made his comment based on the information released by SW, which was fairly down played, then the FireEye analysis was released at a later time.
My assumption is that like so many things now the installations silently update as soon as an update is available. So many things do this now it is only going to be a matter of time before something wipes out a major application or system that actually matters.
If there are options for auto-update they should be off by default though that may not help if someone is still logging in, seeing there is an update and then applying it. Even it due process with change control is followed the sooner you do this after release the greater the likelihood of it happening.
Anyone could get zapped like this, just imagine the chaos if something got into the update packages for Windows, iOS, Android or a major Linux stream. It does not matter who the company is, it could happen. You just hope that the systems are left with sufficient functionality to be able to download any official updates that fix the malicious one.
What a lovely piece of news to come into.
Now I get to spend the rest of the day fighting with IT when they say they don't want to do any upgrades coz it's the Xmas halt, everyone is on leave after the COVID summer and you know "Russian's hacking us", well that just in Hollywood isn't it?
Add to that 365 is having the day off and all is well with the world clearly.
This post has been deleted by its author
Of course they do. And it's true - until they get hacked.
But that won't keep them from crowing about their "strong defenses" in the future because, you see, we will forget that they got hacked and, if we remember, they will trot out the good ol' "lessons learned" trope.
So it's all good, people. No reason to panic.
All too often these tools are given too much freedom, partly because the CISO people want to see everything, but in doing so they create openings for an attack Network tools and IDS tools are both hugely tempting targets for attack. I can believe that some orgs are fighting people right now who don't want to turn it off.
It will sit on a network that has access to your AD, your servers, your firewalls, your appliances. Not only can this compromised server now be instructed to execute whatever the hell it likes to gather information from its own privileged location on the network, it will also likely have full dominion over those devices its monitoring tool.
If you were going to hack one server to compromise your entire estate, Solarwinds would be it, and it has been fully hacked and compromised remotely.
This. Is. BAD.
Don't think just replacing the compromised dll will fix it either. This allowed install of malicious code remotely. Assume your entire Solarwinds server is compromised - and depending how much you reuse local admin passwords, the rest of your servers too....
"We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time."
In other words, they are clueless. Maybe they should find a heavyweight P.R. company?
Cheers… Ishy
Right now, a whole bunch of people who should know better need to be asking why their Solarwinds server ever had internet access. Including, and maybe especially, FireEye.
It's one thing for your server to get compromised by a signed piece of malware - and yes Solarwinds, you have some 'splaining to do, but if you've allowed your Solarwinds server to access the internet then you made the C&C connection that causes all the damage possible.
why their Solarwinds server ever had internet access.
They might use Orion to monitor things on the Internet: site availability, DNS resolution, CDN, cloud services, etc.
They might send alerts across the Internet, like to a mobile number. "Company email is down." "Oh bugger, my server is on fire."
BUF: The software package was too big to fail. To many security fences provided by one vendor. Break it up or source the software differently.
Bullet 1) The note on Solar Winds stock drop. Keeping the stock competive has probably been cause for Lean Sig Sigma being applied to the Coders and Compliance Branches processes.
Bullet 2) Coders not filing their Test Compliance Reports (TPS) and generally showing poor coding practices. Think Boeing and their Space Capsule. Dynamic Link Libraries (DLL) are god’s gift to the coder. You just add a Library and call it fixed. It is'nt really a Box set program review. Dynamic Link Libraries are just a repository for actions in the as built program. I bet you a dollar to a doughnut the library has been creeping in size instead of a whole code rebuild.
Bullet 3) Compliance is in charge of the code base validation and integrity processes. One part of Validation is certificates for the code. Probably just a fancy word for an MD5 hash of the DLL that was recompiled and added into the check of the entire module’s MD5 Hash. The integrity is real gritty stuff when you are using a modification / monitoring tool like Solar winds. What are the compliance metrics being checked. I’d be interested to see the work breakdown statement on the compliance portion. IMO I’d check my Remedy for the audits after checking its integrity.
Jeesh
FireEye said they was hacked with “novel techniques”. A supply train hack isn't that novel of an idea these days but the update and communicating over the trusted apps protocol is. Its been bugging me since they announced it what it could be and this sounds like it fits.
All this attack on Hauwei saying the chinese will use their hardware to infiltrate everyone and now we have news that its the Russians using American owned software that could potentially pwn Americas top ten comms companies. Oh and all five branches of the US military, the NSA, the Pentagon, The Office of the President of the US etc.
Some kind of irony there.
Is it due to deferred updates, or selection of (choice) victims by the attackers? Did all 18,000 lose data?
Consider that the attack has been going on for months, did 94% of their customers defer updates all that time? I think I saw somewhere that the malware was distributed/available back in June.
We'll probably have to wait for an after-action report for all the technical detail.
This entire internet thing is starting to become a liability as far as I'm concerned. If even security and critical system management companies are being infiltrated what hope do we have of being able to win a military conflict or keeping our state secrets secret?
Our entire society is based on a house of cards, and it's about to come crashing down on us.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
