User topics

Article topics

Log in Sign up

US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor

America's nuclear weapons agency was hacked by the suspected Russian spies who backdoored SolarWinds' IT monitoring software and compromised several US government bodies, and Microsoft was caught up in the same cyber-storm, too, it was reported Thursday. The Windows giant uses SolarWinds' network management suite Orion, …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Friday 18th December 2020 02:21 GMT Tom Paine

"full rebuild"

Perhaps they had enough canned lateral movement tools that, although they only had bandwidth to properly turn over (say) a dozen of the 18,000 and exfiltrate crown jewels, they were able to implant stealthy persistence agents elsewhere in those victims' networks. So, does "total rebuild" refer to every server in every customer org? Or "all the things"? (How about switches and routers? How about printers? How about bootkits -- shouldn't they chuck all hardware into skips the day after cutting over to the perfect replica of the entire network to known-good replacements?

And even that won't give assurance; supposing the restore data from backup step includes another downloader stage that's missed from AV?

Sometimes I'm very grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed if I want, and second when I remember what hell I'd be going thru rn of I was still at anywhere I worked on the last 8 years.

27 1 Reply
1. Friday 18th December 2020 07:01 GMT Ken Moorhouse
  
  Re: I can have another 4h in bed if I want
  
  So long as you haven't got SolarWind's Wake On LAN utility on your system.
  
  It may start beeping at you incessantly.
  
  4 0 Reply
2. Friday 18th December 2020 11:20 GMT Peter 26
  
  Re: "full rebuild"
  
  You've hit the nail on the head. The scale of this hack cannot be understated and it's going to be practically impossible to confirm you've eliminated all the backdoors into your network they have planted.
  
  From now on you will just have to assume they have access and be constantly trying to find it. Probably not a bad approach to security anyway and a lot like our COVID safety protocols, just assume you have the virus and take precautions.
  
  15 0 Reply
  1. Friday 18th December 2020 14:04 GMT Mike 125
    
    Re: "full rebuild"
    
    >The scale of this hack cannot be understated
    
    The scale of this hack can only be understated.
    
    FTFY.
    
    But yea, agree with all the shock and awe.
    
    8 0 Reply
    1. Saturday 19th December 2020 12:22 GMT John Brown (no body)
      
      Re: "full rebuild"
      
      Agreed, but I think he meant to say "Cannot be overstated", which is the same meaning as your correction, just more correct IMHO :-)
      
      1 0 Reply
      1. Monday 21st December 2020 09:38 GMT teknopaul
        
        Re: "full rebuild"
        
        Is the article not implying that the product that uses saml needs a rebuild? I did not read that as everything you have needs a rebuild.
        
        0 0 Reply
3. Friday 18th December 2020 12:19 GMT Danny 2
  
  Re: "full rebuild"
  
  "grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed"
  
  Ah, I remember that, the early weeks when rest was a boon! Later you get used to just getting up when you wake up. First I lived alone on an isolated peninsula on the Western Isles, and I'd wake up early to hear the Radio Scotland traffic forecast for the M8 just to remind myself how bad my life there had been - also to hear a human voice.
  
  I guess that's partly why I read here, one downmanship. IT staff today are paid less than I was, and yet they have to deal with so much more stressful crap than I did. In my day if there had been a hack then I knew it had either been someone I knew messing with me, or me when I was drunk.
  
  10 0 Reply
4. Friday 18th December 2020 18:06 GMT Anonymous Coward
  
  Re: "full rebuild"
  
  The question is for the avg bod on the street is that now Azure is compromised and “no trace found of customers being hit” do we trust our stuff in Azure. Perhaps not... to be sure you need to rebuild everything, don’t think that’s going to happen
  
  2 0 Reply
  1. Friday 18th December 2020 20:45 GMT Anonymous Coward
    
    Re: "full rebuild"
    
    Exacly. So when your regulator comes knocking and says why is your stuff compromised and you say it not us gov, it’s azure. I can see how that’s going to go down. Hint, not well.
    
    2 0 Reply
    1. Saturday 19th December 2020 07:29 GMT YetAnotherLocksmith
      
      Re: "full rebuild"
      
      If they've compromised your compiler, then you'll be adding new backdoors to your clean code every time you do anything, so start with cleansing that.
      
      5 0 Reply
5. Friday 18th December 2020 18:57 GMT StargateSg7
  
  Re: "full rebuild"
  
  Just in case anyone is wondering about ONE of the reasons why FyreEye codenamed the trojan as SUNBURST. This is due to internal malware clues relating to the NATO codename SUNBURN which is the reference to a Moskvet Hypersonic Aircraft Carrier Killer Missile System. Don't know WHY the original programmer put a reference to a Moskvet missile system in his/her code BUT it's there!
  
  Ergo, this was DEFINITELY a Russian GRU special operations directorate job!
  
  Time to hit them BACK HARD! Kinda gonna need the help of the Israelis on this because of there SUPREME expertise in low-level microcode malware!
  
  Time to hit the PIC chips embedded into all the Russian aircraft altimeter and ordnance proximity systems with some randomized loop-around code so the avionics and terrain following software goes all crazy!!!
  
  Can YOU DO IT BABEEEEEEEEEE ????? !!!!!!
  
  V
  
  4 7 Reply
  1. Sunday 20th December 2020 14:00 GMT Kabukiwookie
    
    Re: "full rebuild"
    
    Yes, must be russian if there's a NATO desgnation for a russian weqpons system is in the code.
    
    That's why Dutch hackers always put 'Edam' in their code so you know it's the dutch and the French always sign their code with 'Surrender Monkeys', so you know it must be the French.
    
    3 0 Reply
  2. Monday 21st December 2020 07:53 GMT Anonymous Coward
    
    Re: "full rebuild"
    
    in some of the sources, pulling a rather more lyric string, is described an opportunity to drive any AC onboard decision-making "system" (-: crazy without implementing any radio emission or other interference but visual
    
    55 73
    
    0 0 Reply
Friday 18th December 2020 03:41 GMT aregross

Stupefying

Wow...... just, Wow

10 0 Reply
Friday 18th December 2020 05:02 GMT amanfromMars 1

MRDA/YMMV/SNAFUBAR/Don't Panic ... All Systems are Normal and under our Command and Control ....

..... but if ever there was a convenient prime time opportunity for distressed status quo players to initiate a Global Reset Utility, it is now whilst y'all are still able to assist and contribute generously to the task.

"Our investigations, which are ongoing, have found absolutely no indicators that our systems [commandeerable Microsoft's platforms] were used to attack others." ..... Frank Shaw, Microsoft's comms veep

That's practically in the same vein as the Federal Reserve saying .... "Our investigations, which are ongoing, have found absolutely no indicators that our massively pumped and dumped paper dollars are used and responsible for the facilitation of money laundering, sex and people trafficking and the wholesale weaponisation of ragged and rogue and retarded states forces and volatile non-state paramilitarised unstable sources. There be no evidence at all. It is a figment of your imagination" ....... which would also be similarly ridiculous and overwhelmingly unassuring/underwhelmingly assuring.

But I suppose whenever exclusive elite executive administration jobs and livelihoods and lifestyles depends on such fictions being pimped and pumped and dumped, one is programmed to say practically everything leaderships want and you think it also necessary to share in order to survive and prosper relatively unscathed and virtually intact and immune to both any general or specific fallout from a catastrophic systems fail and colossal core source code containment breach ...... akin to an Unprecedented COSMIC Explosion.

Please feel free to deny yourself those facts and wallow ignorantly in the cold comfort of a delusionally secure environment. But be prepared for, after such major breaches which you can be sure in the future are to be many and varied, sudden violent unexpected aftershocks that trillions can't fix ...... for such is inevitable and just normal whenever trapped by and imprisoned in a petrified status quo state of stagnating inertia.

29 4 Reply
1. Friday 18th December 2020 08:13 GMT Jonathon Green
  
  Re: MRDA/YMMV/SNAFUBAR/Don't Panic ... All Systems are Normal and under our Command and Control ....
  
  Oh God, he’s making sense again. And it’s never good when that happens...
  
  47 0 Reply
  1. Friday 18th December 2020 19:03 GMT Anonymous Coward
    
    Re://Don't Panic... ...All Systems under our... ...and... ...and
    
    31st upvoted
    
    1 0 Reply
Friday 18th December 2020 06:08 GMT Anonymous Coward

All your base

12 0 Reply
1. Friday 18th December 2020 09:46 GMT Kane
  
  "All your base"
  
  Been there, done that!
  
  2 0 Reply
Friday 18th December 2020 07:17 GMT Schultz

Good to know ...

that the management types are already on the issue and "make it more difficult to for the actor to leverage the" watchamacallit thingy. That'll show 'em not to mess with our tubes. Next we need some politicians to chime in. The world wants to know how we can protect our children from APT29 (and Huawei!) and, also, that you shouldn't worry because you have nothing to hide.

16 0 Reply
1. Friday 18th December 2020 08:13 GMT amanfromMars 1
  
  Re: Good to know ...
  
  Next we need some politicians to chime in. The world wants to know how we can protect our children from APT29 (and Huawei!) and, also, that you shouldn't worry because you have nothing to hide. ...... Schultz
  
  Crikey ‽ Doesn't everyone yet know if you have nothing to hide, there is nothing for others to worry about ........ although of course, if one knows a lot more than just a chosen few and a great many is there plenty for them all to be truthfully fearful of and absolutely terrified by?
  
  What's wrong with y'all? What's the excuse? Mentally retarded or simply undereducated, systemically fundamentally ignorant or perpetually persistently lazy? Worlds want to know ..... as do, no doubt, some politicians so they can join in with some populist chimes.
  
  8 4 Reply
Friday 18th December 2020 07:28 GMT cantankerous swineherd

fun hearing govt orgs complaining about backdoors.

55 0 Reply
Friday 18th December 2020 07:36 GMT tfewster

Is Marcus Hutchins getting credit for his technique of taking over a C&C server?

9 0 Reply
Friday 18th December 2020 08:12 GMT gr00001000

Worst case scenario

I used to ponder whats the worst multi-nation cyber attack that could happen, within the remits of commercial infosec? A supply chain attack against a major U.S. systems supplier. In the mould of Not Petya M.E. Doc update alteration(was that a practice run)?

Well its happened and they try to keep a lid on this. So since March/April high profile companies with large CERT teams nevertheless have been compromised and who knows how many have had this threat actor floating in their network yet not caught until December. Plenty of time to implant further beacons. Microsoft, Lockeed, Nuclear weapons agency, U.S. Treasury, FireEye, where does the list end..

8 0 Reply
1. Friday 18th December 2020 08:44 GMT amanfromMars 1
  
  Re: A Much Worser Worst case scenario with RATs sinking Ships
  
  So since March/April high profile companies with large CERT teams nevertheless have been compromised and who knows how many have had this threat actor floating in their network yet not caught until December. ...... gr00001000
  
  And not so much caught as just recognised as having been there busily exfiltrating nuclear information and explosive crown jewels, with exactly to whom and/or what with an interest to do something/anything untoward and/or unexpected with the intel for whom and/or what, always being so wonderfully unclear and securely private ......... and there is absolutely no guarantee that other threat actors in the team are not still in there, beavering away quietly and busily.
  
  Systems may like to think and realise they have only encountered and captured a Remote Access Trojan.
  
  8 2 Reply
2. This post has been deleted by its author
  1. Friday 18th December 2020 10:35 GMT amanfromMars 1
    
    Re: Best Case Scenarios
    
    And there is also Mutually Assured Depletion .... Immaculate Exhaustion, another available Option/Derivative/Future for Further ProgramMING.
    
    Perfect for Exhausted Assets within Virtually Powerless Systems of MetaPhysical Administration and Operation ........ AIModus Operandi et Vivendi.
    
    1 4 Reply
    1. Saturday 19th December 2020 05:41 GMT amanfromMars 1
      
      Re: Best Case Scenarios Misdirecting Error
      
      Profuse apologies for the pretty obvious misinstruction in that other available Option/Derivative/Future for Further ProgramMING report retorting on evident observations. Please be assured it was not intentional. Twas just an unfortunate slip, and there's many a slip 'twixt the cup and the lip, which I'm sure y'all can agree to be perfectly humanly true.
      
      The final few words should of course read ........ Perfect for Exhausting Assets within Virtually Powerless Systems of MetaPhysical Administration and Operation ........ AIModus Operandi et Vivendi. ...... which is a wholly different world of pain and gain to both drain and retrain for and/or with mass reallocation of powerful means and memes of energy servering from and to Yet Another Core Source with Almighty ACTive Advancing Intelligence. Fortunately, there's not much at all you can do about any of that as it and IT and Mass Multi Media Modals and Modules take you on one helluva helter skelter ride full of new exciting lessons and frightening enlivening experiences to learn and teach with quickly before you slip away forever to who knows where.
      
      And please, before anyone passes any sort of opinion on the above, just ask yourself two simple questions ....... Is it sane/insane to expect the future to be a completely different reality from/in the past which in its heydays, was as the present is nowadays, here and now?
      
      The posit here is that it is perfectly normal and the sooner it is embraced the greater the exponential reward derived and given to one ..... which is one helluva heavenly driver which more than just a few would tell you has no Universal Peer and no Viable COSMIC Competition or Opposition.
      
      1 1 Reply
Friday 18th December 2020 10:24 GMT StrangerHereMyself

Incredulous statements

"he said no evidence could be found that production systems and customer data was accessed"

I find these statements not to be meaningful since an advanced actor will have ways to hide their tracks and infiltration. There's a good chance they'll have fileless malware installed somewhere and smuggling data out of the front door through sub channels hidden in Microsoft web pages.

20 1 Reply
1. Friday 18th December 2020 12:24 GMT not.known@this.address
  
  Re: Incredulous statements
  
  Indeed. Lack of evidence is not evidence of lack. Someone needs to go back to school.
  
  10 0 Reply
  1. Friday 18th December 2020 18:41 GMT Claptrap314
    
    Re: Incredulous statements
    
    Which school exactly? This is a PR statement, it's purpose is to calm the masses. The fact that the techies know that this is as bad as a Gary North Y2K worst case scenario doesn't mean that the PR guy's job description has changed.
    
    3 0 Reply
Friday 18th December 2020 10:54 GMT tip pc

i used to enjoy solarwinds Orion when it was a single app ona single server

i looked after orion at 1 place i worked, upgraded it a bunch of times and then the next version needed sql servers in addition to its app. Virtual SQL's where a no no so new servers, new windows server licences and new sql licenses. i remember having to dig into the DB with SQL commands to get somethings and reports to work properly.

A few jobs later we used PRTG, far far better and a reminder of what orion used to be like. Run on old hardware, no separate DB's easy deployment of probes. No separate fees for Netflow. Far far cheaper

7 0 Reply
1. Friday 18th December 2020 15:20 GMT Lomax
  
  Re: i used to enjoy solarwinds Orion when it was a single app ona single server
  
  PRTG +1
  
  3 0 Reply
Friday 18th December 2020 11:04 GMT Anonymous Coward

this is just a who me column article misfiled

8 0 Reply
1. Friday 18th December 2020 16:00 GMT Munchausen's proxy
  
  "this is just a who me column article misfiled"
  
  I don't know how I should react to this intrusion until I find out if the BOFH is looking worried, or smug.
  
  5 0 Reply
Friday 18th December 2020 11:22 GMT macjules

That's nothing

Our own Oxford/AZ vaccine is being repeatedly attacked by various Putin organs. Frustrated by their latest failures they have now embarked on a series of 1980's type mistruths. My favourite is that the Oxford/AZ vaccine can turn you into a monkey.

5 0 Reply
1. Friday 18th December 2020 12:18 GMT Brewster's Angle Grinder
  
  Re: That's nothing
  
  What if I'm already a monkey? What does it do to me then?
  
  8 0 Reply
  1. Friday 18th December 2020 12:31 GMT Danny 2
    
    Re: That's nothing
    
    Take your stinking paws off me, you damn dirty ape!
    
    Quoting a line from a movie that spawned a multimillion dollar franchise isn't really what we define as pretentious. Pretentious would be you quoting the French novel that Planet of the Apes was based on.
    
    Mon chéri, c'est impossible. C'est dommage, mais je ne peux pas, je ne peux pas. Tu es vraiment trop affreux
    
    3 0 Reply
  2. Friday 18th December 2020 19:01 GMT DS999
    
    Re: That's nothing
    
    What if I'm already a monkey? What does it do to me then?
    
    You go even lower on the evolutionary ladder, and become a Trump.
    
    9 2 Reply
2. Friday 18th December 2020 12:37 GMT Boris the Cockroach
  
  Re: That's nothing
  
  I dont want the vaccine if its been produced using eggs
  
  Because I dont want chicken DNA ending up in side me and mutating me into a chicken.(being a cockroach is bad enough)
  
  However there would be a silver lining to being a chicken, I could have my head cut off and be a senior member of the government
  
  19 0 Reply
  1. Friday 18th December 2020 12:52 GMT Anonymous Coward
    
    Re: That's nothing
    
    Even better if they used ostrich DNA, you could stick your head in the sand and get a job in the Dept for Health.
    
    17 0 Reply
Friday 18th December 2020 12:19 GMT harmjschoonhoven

Orion

SolarWind's Orion only runs on Windows server according to their own website ....

Where is TUX when you need him?

3 3 Reply
1. Friday 18th December 2020 12:36 GMT John Robson
  
  Re: Orion
  
  Meh - compromised third party software is compromised third party software. There is nothing here which is specifically MS, except that that happens to be what was infiltrated as a result.
  
  There are lessons for all monitoring companies to learn, and SW in particular will need to verify any of their other agents etc that might have been affected.
  
  If other monitoring companies aren't taking the same response as SW then they'll end up in a stronger position as a result.
  
  6 0 Reply
Friday 18th December 2020 12:32 GMT steviebuk

Ironic

Considering Trump, although an idiot, was worried about Chinese kit being security holes. Turns out, no, its a bit of software from the cowboy state of Texas that is :)

8 1 Reply
1. Friday 18th December 2020 14:03 GMT iron
  
  Re: Ironic
  
  Insert that "always has been" meme here.
  
  1 0 Reply
Friday 18th December 2020 13:06 GMT Anonymous Coward

Russia is a potent enemy...

... but, we should be able to protect ourselves better than this from a geopolitical rival with a) the GDP of Italy and b) from whom we don't buy hardware.

The USA (and probably many other western countries) are suffering because too many budget decisions are made by people who are only focussed on 'shareholder value'

Technical expertise is simply too expensive for these people. That is one of the driving forces for technologies for monitoring and managing (and, it turns out, penetrating) vast swathes of IT --- usually with a small set of tools and often a ridiculously small set of physically separate installations. Such technology should have freed up the IT bods to make them more effective at out-of-band tasks, including improving threat detection, but the managers always see it as a way to reduce the number of humans who are required for day-to-day operation, and have always regarded IT activities beyond Business As Usual with suspicion.

Having worked in insurance IT, I've often wondered if IT beancounters should be actuaries, not accountants - at least the former have some idea of how to price risk - the latter just seem to be focussed on the bottom line. Also, many of the actuaries I have met actually like technology :-D

18 1 Reply
1. Friday 18th December 2020 14:01 GMT amanfromMars 1
  
  Re: Russia is a potent enemy...
  
  Such technology should have freed up the IT bods to make them more effective at out-of-band tasks, ... ...... Anonymous Coward
  
  Errr ? Hello ‽ ....... Message to AC ....... Does that which is being commented on here not APTly demonstrate that at least some are already freed up IT bods making most effective use of almighty skills in out-of-band tasks ?
  
  That would make potent enemy Russia much better as a best friend showing really great potential if Russians mothers are responsible and liable/fully accountable. Have they denied having any part in the recent shenanigans and current stealthy show of Combinations of AWEsome Strength and Virtual Cunning.
  
  1 2 Reply
  1. Friday 18th December 2020 19:19 GMT Anonymous Coward
    
    Re: Russia is [America]
    
    were there best friend of US (if you are into only emotions or book keeping, wr0ng is it, but it can and must be corrected to spontaneous mutual delivery of wealth and strength) -
    
    since civil war with support of her fleet, since "giving off for rent" a piece of its domestic land full of gold (and please don't think Russian sci academy wasn't aware of its precious potential), opening 2nd front and bravely convoying lend-lease vessels, ughh... much to continue, but - those like Samantha Smith, you can't make them change their mind
    
    esp in the wake of this cosmic goo ball approaching our Home soon from the void
    
    it's time, or IT's Time, choose. no way is another
    
    https://youtube.com/watch?v=8yn3ViE6mhY
    
    precious
    
    0 0 Reply
2. This post has been deleted by its author
3. Friday 18th December 2020 19:04 GMT DS999
  
  Their GDP is irrelevant
  
  Hacking is asymmetric warfare, it requires orders of magnitudes more resources to protect against threats than it does to develop them. It is also self-funding, you can use "last year's" exploits that are no longer good enough to break into top tier targets in combination with ransomware on run of the mill corporate/state/local targets to fully fund your operation.
  
  4 0 Reply
4. Saturday 19th December 2020 07:39 GMT YetAnotherLocksmith
  
  Re: Russia is a potent enemy...
  
  Russia hasn't been looked at as a threat by the UK or USA since they took control of the very top of their governments and got them to either look the other way or ignore what was going on for profit. The lower echelons can tell all they want about evidence, but trump and Boris are both Russian assets, and so until that changes, there won't be a focus on stopping them effectively.
  
  3 5 Reply
  1. Sunday 20th December 2020 13:48 GMT sleepy
    
    Re: Russia is a potent enemy...
    
    As far as I can tell, no evidence has been offered that this is a Russian operation, it simply started as speculation in the pro Democrat media (WaPo?), followed by everyone else in the media acting as though it were a known fact. One might be tempted to think that it is a propaganda fabrication to take the attention off China. Given that nowadays, "facts" on both sides are indistinguishable from propaganda or lies, it would seem prudent to confine oneself to commenting here on technical matters.
    
    4 1 Reply
    1. Monday 21st December 2020 12:08 GMT Anonymous Coward
      
      Re: Russia is a potent enemy...
      
      Given that "facts on both sides are indistinguishable from propaganda or lies and ... prudent to confine oneself to commenting here on technical matters" your comment here is actually self-defeating. There's plenty of discussion here that is political and even scientific and technical discussions aren't just lists of facts.
      
      Nobody in their right mind is pro-China, it's basically a rogue superpower, whereas Russia is merely a rogue state. But I'd note that the people who made it that way are western capitalists who wanted to improve the bottom line and outsourced all their manufactuing there. It's not the fault of "the Left" - we've been warning the neolibs about China for decades. They are actually beating you guys at capitalism using big government, the irony is extraordinary.
      
      Is Mike Pompeo a Russophobic dem, now? It seems that the only significant Repub voice saying it wasn't Russia is Trump. But I'm pretty sure Trump is a nonce and Putin's got the evidence, so I'm not sure Trump downplaying it is a) remotely material or b) anything but expected.
      
      0 1 Reply
Friday 18th December 2020 13:15 GMT John Miles

Just imagine if they hack the Windows Update Servers

It would be serving upgrades that Delete User Files or BSOD etc.

7 1 Reply
Friday 18th December 2020 13:24 GMT Claverhouse

Best Practice

On 16 December 2020, German IT news portal Heise.de reported that SolarWinds had for some time been encouraging customers to disable anti-malware tools before installing SolarWinds products

https://en.wikipedia.org/wiki/SolarWinds

.

.

I also see as snappers-up of unconsidered trifles in the manner of modern monoliths, they own the Swedish Pingdom: I remember Pingdom !

6 0 Reply
1. Sunday 20th December 2020 23:46 GMT Lorribot
  
  Re: Best Practice
  
  I see that so often. It is shocking that comapanies still do it. They should be ashamed of themselves. AV is a bit clunky but has tough job to do and is first line of defence, it is lazy to say "to install our software you need to turn off all AV because we do some crazy shit that may trigger some AV software to go a bit bonkers and stop us from installing", FFS get a life and do stuff properly..
  
  0 0 Reply
  1. Monday 21st December 2020 23:56 GMT Snorlax
    
    Re: Best Practice
    
    AV is a bit clunky but has tough job to do and is first line of defence...
    
    Last line of defence, I think you'll find.
    
    0 0 Reply
Friday 18th December 2020 13:56 GMT Zog_but_not_the_first

It wouldn't have happened...

... if they'd been running Kaspersky AV.

7 0 Reply
Friday 18th December 2020 14:21 GMT Peter-Waterman1

Azure Hit as Well.

According to the original article https://www.reuters.com/article/usa-cyber-breach-exclusive-int-idUSKBN28R3E2 - Azure has been compromised.

"Microsoft also had its own products leveraged to attack victims, said people familiar with the matter. The U.S. National Security Agency issued a rare “cybersecurity advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems."

2 0 Reply
Friday 18th December 2020 15:04 GMT Lomax

Too big to fail

If Microsoft's production systems had been compromised, and malicious code had been pushed out via Windows Update, do you think they would admit it, or try to cover it up? If I was directing the activities of the group responsible for this hack, I would consider the Windows/Office codebase to be the ultimate target - get in there and you pwn the world. Damn near 100% of corporate and governmental desktops and laptops run Windows, and Office, and most of them are inside some part of their VPNs - many no doubt in the innermost layer. Servers are watched 24/7 by admins and security personnel, because a failure here is considered costly and dangerous. Individual desktops and laptops are less of a concern; they are routinely re-imaged and should not store any really sensitive data - insert a well crafted trojan here and you may evade detection far longer than on any high-value system. Keep an eye on any recent/upcoming Windows Updates for clues...

10 1 Reply
1. Friday 18th December 2020 18:18 GMT amanfromMars 1
  
  Re: Too big to fail ..... one of the greatest of myths
  
  That's exactly what Uncle Sam and allies are all worried about, Lomax, for how will they know now if their Windows systems are completely free from foreign compromise and remote virtual oversight/parallel knowledge of proposed operations.
  
  And as if that is not enough to be having to deal with, here's another runaway train barreling down the tracks and heading for the buffers in central stations ......
  
  amanfromMars [2012181742] ...... just airing a note of concern and caution on https://www.zerohedge.com/political/former-goldman-cfo-marty-sachs-calls-universal-basic-income
  
  Well, well, well. :-) …… Who’d have a aforethunk it ? The system appears to have boxed itself into an exhausted corner. And is planning throwing in the towel and waving a white flag now in order to try with a win win strategy for a rematch should systems again fail to perform more perfectly and fairly.
  
  Well, that would be a sensible move in order to try and save a whole collection of once almighty heads from rolling detached from shoulders ...... for that's what all present problems are quickly leading everyone and everything to.
  
  4 1 Reply
  1. Friday 18th December 2020 20:11 GMT Lomax
    
    Re: Too big to fail ..... one of the greatest of myths
    
    If you wish to cover all the lands with your plague, without interruption or intrusion from the other planets or worlds, then go into the basement or the shed, and presently perform the sacred ritual; dance for the system that never sees daylight (or another system), so that the purity of the strain may be preserved. Only this holy vial can contain your dreams of domination, only this vial has the power to let the powerful continue to rule in their sunken vessel. When the light turns green, the truth is reborn, and the eating and the eaten emerge to feast.
    
    1 0 Reply
2. Friday 18th December 2020 19:10 GMT vtcodger
  
  Re: Too big to fail
  
  "do you think they would admit it, or try to cover it up?"
  
  Do *I* think they would admit it or cover it up? Neither. I think that given the complexity of their systems, the lack of external (and probably internal) documentation, and the apparent sorry state of their QA, they probably wouldn't know about a Windows Update compromise until somebody external found out about it, published their results and the Register called Microsoft asking for comments.
  
  6 0 Reply
  1. Friday 18th December 2020 19:53 GMT Lomax
    
    Re: Too big to fail
    
    Pretty sure they will be looking very carefully right now. Not that that means they'll find anything - and not that that means it isn't there. Last time I checked a minimal Windows OS install was in the 40GB region, and we're talking compiled code of course. How many lines of C#, C++, VB, Assembler, what have you, only ~~god~~ Bill knows. Trillions?
    
    0 0 Reply
    1. Friday 18th December 2020 20:24 GMT Lomax
      
      Re: Too big to fail
      
      Open source has never looked this good.
      
      4 0 Reply
Friday 18th December 2020 15:59 GMT Snowy

The internet is great.

If you want something to be secure do not connect it to the internet.

11 0 Reply
Friday 18th December 2020 18:42 GMT sitta_europea

Curiously enough I've been getting a thousand spam emails a month from Microsoft servers ever since...

0 0 Reply
Friday 18th December 2020 18:43 GMT sitta_europea

"... when a backdoored version of the network monitoring software is run, it looks up the IP address of the hard-coded domain avsvmcloud[.]com. Depending on the result, the backdoor malware, dubbed SUNBURST by FireEye, will deactivate. So, with Microsoft taking control of that domain name, with DNS giant GoDaddy's help, the tech trio killed off the malware by ensuring the dotcom resolves to an IP address that deactivates the code."

And it uses DNSSEC and nobody can hack your DNS service anyway, so that's OK then.

0 0 Reply
Friday 18th December 2020 18:46 GMT Kev99

Yup. Let's put all of our proprietary, confidential, essential, and otherwise can't exists without information out on the internet. Everyone know how safe and secure a bunch of holes being held together with bits of string is. The government and industry survived for decades using dedicated lines. Blithering idiots.

0 0 Reply
Friday 18th December 2020 19:08 GMT Anonymous Coward

"US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor"

That's really unlucky. The Russians hack you one day, Microsoft backdoors you the next.

3 0 Reply
Friday 18th December 2020 21:22 GMT joea

What am I missing?

Seems to me, naive perhaps, that outgoing traffic should only be allowed to "known and approved" IP addresses.

While this might take a while to implement, Agencies could "pull the plug" and revert to "secure messenger" services for the interim.

If the hack is as severe as claimed, severe measures are required.

0 0 Reply
1. Saturday 19th December 2020 08:30 GMT amanfromMars 1
  
  Re: What am I missing?
  
  Agencies could "pull the plug" and revert to "secure messenger" services for the interim. ..... joea
  
  Quite so, joea. As sophisticated and complicated as things and everything has become, it is hard to successfully beat the well tried and exhaustively tested route of the quiet knock at the door or the gentle tap on the shoulder and request to help authorities with their enquiries. :-) ..... even though it is clearly more labour intensive and second and third party asset engaging which makes it an option coincidentally anything from a tad more, to a heck of a lot more expensive than would have been usually normal via virtual means. C'est la vie.
  
  2 1 Reply
2. Sunday 20th December 2020 02:18 GMT GJR
  
  Re: What am I missing?
  
  Agreed. I think there has been an overswing to ‘empowering users’ instead of tying them down, time to return to white lists for outbound traffi, and start generally shutting down the porous perimeter. Obviously installing software with root permissions is also a serious issue, but if desktops were reimaged every day/week or reprovisioned virtually, one imagines a lot of this type of stuff could be prevented.
  
  0 0 Reply
Friday 18th December 2020 23:19 GMT GP

monitoring of their update downloads for clients

could this episode of infiltrating rogue updates - made available to clients as legit - have been caught by an internal monitoring of each of the available client update signatures against a known good signature ?

even if the publishing process of new and corrupt client updates failed, a post hoc process to check the published updates signature against a clean signature would have identified a bad act, and maybe a bad actor, more importantly to remove those published updates.

if such a checking process WERE in place that would suggest a bad actor within the SW management. if such a process were NOT in place, that would indicate a very serious failure of SW management to control the publishing process of updates for clients.

1 0 Reply
Friday 18th December 2020 23:34 GMT sitta_europea

"Meanwhile, Politico reported that the US government's Dept of Energy's National Nuclear Security Administration, which oversees the nation's nuke stockpile, was hacked via the Orion backdoor. Suspicious network activity was, we're told, found at the Federal Energy Regulatory Commission, the Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at the nuclear administration, and the Richland Field Office of the DoE."

And the jerkins use Windows boxes??

To manage nuclear weapons????

I used to protect UK plutonium stocks.

If you'd suggested that we use Windows I'd have had you taken out and shot.

5 0 Reply
1. Sunday 20th December 2020 09:02 GMT Fruit and Nutcase
  
  "Nobody got fired for buying ~~IBM~~Microsoft"
  
  1 0 Reply
Saturday 19th December 2020 02:42 GMT Anonymous Coward

Free Russian software!

Vlad, you’re a very naughty boy.

0 1 Reply
1. Sunday 20th December 2020 09:11 GMT Fruit and Nutcase
  
  Re: Free Russian software!
  
  He is a nice boy. A very good friend of mine. It (may be) China who is behind this. says Trump.
  
  Secretary of State: "We can say pretty clearly that it was the Russians that engaged in this activity,"
  
  Trump: "I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."
  
  https://www.bbc.co.uk/news/world-us-canada-55374945
  
  1 0 Reply
  1. Sunday 20th December 2020 13:08 GMT amanfromMars 1
    
    Re: Free Russian software!
    
    And don't be putting any good money on it being Great Britain either, Fruit and Nutcase, as payback for the monstrous punitive interest exacted for close enough to a century as makes no difference, for everything floated as viable and in everyone's best interests since before the Lease-Lend Act of 1941, An Act to Promote the Defense of the United States ..... for you'll be sorely troubled and forever nobbled and hobbled to find any evidence of that trail of rough tough justice and sweet sour revenge.
    
    1 1 Reply
Saturday 19th December 2020 02:45 GMT ronkee

So they'll try turning Azure off and on again.

0 0 Reply
Saturday 19th December 2020 12:25 GMT John Brown (no body)

America's nuclear weapons agency

That sounds much more scary than The Department for Energy :-)

1 0 Reply
Saturday 19th December 2020 18:55 GMT prinox

Now suppose that they had compromised Microsoft, and the automatic updates would have been rolled out to one billion computers running W10...

Isn't it time automatic updates are completely stopped?

2 0 Reply
1. Tuesday 22nd December 2020 17:32 GMT A_Melbourne
  
  I have Windows 7. Old and more trusted. Kaspersky daily reminds me to turn back on Windows Automatic Update but I just hit the "Later" button.
  
  0 0 Reply
Saturday 19th December 2020 21:51 GMT carl0s

If the US govt have created things like Ghidra, and all their other secret backdoor intel stuff, I wonder why they need Solarwinds? Similar thoughts re Microsoft.

0 0 Reply
Sunday 20th December 2020 14:42 GMT Anonymous Coward

Featured By Sound Reasonance

https://youtu.be/zPGf4liO-KQ

Unknown

-

https://youtu.be/nuPbKbcyios

Desire

-

good if got original lyrics @hand

smth about da Sun falling da Moon somewhere, or like that

tippin my hat

0 0 Reply
Sunday 20th December 2020 15:12 GMT Tail Up

Maybe Merely Not a Bug, But an Option

Pff... Anyone pray tell, which number is that when they want to kick their sysadmins' salary closer to the bucket by ordering a pen-testing op in the Impernet?

Alright, https://youtu.be/kR2E4Is_6oE Depeche Mode - Nothing

0 0 Reply
Sunday 20th December 2020 23:40 GMT Lorribot

Does my server have access to the internet?

Everyone always goes on about exposing servers to the internet, but fail to realise that internet traffic is a two way thing.

Can your server access the internet? If the answer is yes you will always be vulnerable to attacks like this, even if you allow it out to microsoft to get updates, that is a risk, or download updates from another supplier, its a risk if iti si not locked down to specific IP addresses.

Many firewalls will block all incoming but allow all out going (MS do this by default) but if something nasty gets on your server or PC then it can just go out and get more nasty stuff at will and nothing will block it. It is teh softest of access points and can easily be triggered by a simple software install like SolarWinds or some accountancy software or even some registry cleaner.

Don't make it easy for these people by allowing software installed on your servers to be able to freely talk to the world.

1 0 Reply
Tuesday 22nd December 2020 17:23 GMT A_Melbourne

Why does Russia get the blame?

All references to "Russians" are suspect. It could have been the "Chinese" or any number of other people.

I repeat. There is absolutely no proof that the Russians are behind this.

For all we know, it might have been another brilliant idea of British Intelligence to damage relations with Russia - like Polonium, the Skripals, Navalny, White Helmets, Syrian Gas and so much else.

0 1 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Other stories you might like

Psst, hey. It's the NSA. You want some AI security advice?

You can trust us, we're the good guys

AI + ML 17 Apr 2024 | 2

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Hard-coded credentials last thing you want in home security app

Security 15 Apr 2024 | 49

Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online

CISA calls for 'fundamental, security-focused reforms' to happen ASAP, delaying work on other software

Security 3 Apr 2024 | 39

Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws

Software slackers urged to up their game

Security 26 Mar 2024 | 66

NVD slowdown leaves thousands of vulnerabilities without analysis data

Opinion Security world reacts as NIST does a lot less of oft criticized, 'almost always thankless' work

Security 22 Mar 2024 | 5

FBI v the bots: Feds urge denial-of-service defense after critical infrastructure alert

You better watch out, you better not cry, better not pout, they're telling you why

Security 21 Mar 2024 | 4

Microsoft reseller Bytes says more than 100 undisclosed share trades linked to ex-CEO

Surprise resignation of chief exec happened after FCA probe began, claims filing

Channel 18 Mar 2024 | 12

LockBit's contested claim of fresh ransom payment suggests it's been well hobbled

Infosec in brief ALSO: CISA warns Ivanti vuln mitigations might not work, SAML hijack doesn't need ADFS, and crit vulns

Security 4 Mar 2024 | 1

Biden's budget proposal boosts CISA funding to $3B

Plus almost $1.5b for health-care cybersecurity

Security 12 Mar 2024 | 5

Securing open source software: Whose job is it, anyway?

CISA announces more help, and calls on app makers to step up

CSO 8 Mar 2024 | 21

IT suppliers hacked off with Uncle Sam's demands in aftermath of cyberattacks

Plan says to hand over keys to networks – and report intrusions within eight hours of discovery

Public Sector 8 Feb 2024 | 36

SolarWinds slams SEC lawsuit against it as 'unprecedented' victim blaming

18,000 customers, including the Pentagon and Microsoft, may have other thoughts

CSO 29 Jan 2024 | 16

The Register Biting the hand that feeds IT

About Us

Our Websites

Your Privacy

Situation Publishing

Copyright. All rights reserved © 1998–2024