Solar Winds Data Breach

[Ivanhoe]

So I have read the claim that login credentials for servers at SolarWinds were available for purchase on hacker boards in the Dark Web. Seems possible, given the ability to change source code without detection.

Its probably gonna be awhile before we know the internal goings-on. The attack mechanism, logic of the malware, etc. are pretty well known now. People with good creds are claiming that very specific gov't agencies in the US and Europe were the targets; other victims were collateral damage. I have yet to see Canada mentioned.

Note that the C2 servers used "fast flux DNS", i.e. frequently changing hostnames pointing to the IP addresses of the C2 servers. Fast flux defeats some intrusion detection systems.

[Simon Tan]

Rache Bartmoss wuz ere.

[Ivanhoe]

Here is a web page that provides a good summary of the situation as currently understood;

https://securityboulevard.com/2020/12/visual-notes-solarwinds-supply-chain-compromise-using-sunburst-backdoor-detected-by-fireeye/

Amusing early theory that has since been discarded; that FireEye was the target due to FireEye's targeting of various Russian hacker groups. Code analysis of the malware shows that the malware's actions on a compromised system were dependent on the domain name of the system (for example, if the server was part of the state.gov domain, then find and exfiltrate any files containing account credentials). 

One thing is now for sure; FireEye is on it, big time. Quite a bit of malware analysis is coming from them.

[Stuart Galbraith]

15 hours ago, Ivanhoe said:

Which, in the case of cyberattacks, is often disinformation. The major state actors are known to configure their attacks to emulate the style of a different state actor.

 

The problem is, the people you have monitoring the situation would be aware of that. There is probably no tricks that the NSA or GCHQ have not already seen.

If they said it was Russia, im willing to bet the attribution was NOT solely based upon analysis of the methods of the hackers, but probably including other data sources. For example, the attribution of MH17 was not based upon physical evidence, so much as phone intercepts.

[Ivanhoe]

20 minutes ago, Stuart Galbraith said:

The problem is, the people you have monitoring the situation would be aware of that. There is probably no tricks that the NSA or GCHQ have not already seen.

If they said it was Russia, im willing to bet the attribution was NOT solely based upon analysis of the methods of the hackers, but probably including other data sources. For example, the attribution of MH17 was not based upon physical evidence, so much as phone intercepts.

Has the NSA said that? TMK, no. As always with this sort of thing, early speculation was APT29, and due to the Russian connection, the chattering classes went into howler monkey mode.

Until the FBI does a press release asserting the culprit was APT29, its all just noise.

[Stuart Galbraith]

I  assume that Pompeo would have had an intelligence brief before commenting. The NSA never says anything publically, but it would be the first point of call on something like this I would think.

People will believe what they will, but I don't see Pompeo saying what he did based purely on hearsay. 

Edited December 23, 2020 by Stuart Galbraith

[Ivanhoe]

[Ivanhoe]

https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident

Quote

The overall picture is therefore confusing, as government sources are using “APT29” for this intrusion, while commercial entities that have directly responded to events are associating events with different entities. While DomainTools does not engage in direct attribution, observations and analysis of publicly available information indicate likely misunderstanding between organizations.

Based on a close reading of media reporting, it appears that sources linking activity to “APT29” may be using this term as a catch-all for SVR activity. Meanwhile, entities responding to events and with the most data at present see clear differences between the current activity and legacy APT29 behaviors. If using a behavior-based attribution methodology where naming conventions are assigned to collections of activities or behaviors as opposed to distinct entities (such as, “SVR”), having a separate naming convention for distinct behaviors makes sense

Overall, current analysis indicates that entities are almost certainly using different meanings for “APT29” in this event, with certain sources equating “APT29” with “SVR” while threat intelligence and incident response companies view possible SVR-linked cyber activities distributed among distinct groups. The one note of caution for defenders out of this confusion is that, given security company tracking as “not APT29,” standard playbooks and assumptions on APT29 behaviors and activity are not necessarily applicable for this campaign.

As the saying goes, read the whole thing.

 

[Ivanhoe]

https://www.reuters.com/article/usa-cyber/solarwinds-hackers-broke-into-u-s-cable-firm-and-arizona-county-web-records-show-idUSKBN28S2B9

Quote

The intrusions into networks at Cox Communications and the local government in Pima County, Arizona, show that alongside victims including the U.S. departments of Defence, State, and Homeland Security, the hackers also spied on less high-profile organisations.

Note that Cox Communications is a telecom provider serving southern Arizona, including the areas around Fort Huachuca.

 

 

[rmgill]

On 12/21/2020 at 9:50 AM, Ivanhoe said:

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

This makes my head hurt from the security implications. 

Once they're on your network....

[Ivanhoe]

Compromise of infrastructure is keys to the kingdom.

The SolarWinds debacle clearly illustrates that:

- you can't buy security, and

- often you are actually buying insecurity.

To save money, the IT industry has gone to COTS, outsourcing, etc. In the short run, money is saved; but the attack surface is greatly increased.

In a rational world, IT vendors would need to maintain and present some sort of security accreditation to successfully sell their products/services. Basically a UL badge sort of thing. Sadly, right now vendor security risk management is having vendors fill out a questionnaire. Security theater.

 

 

 

[lucklucky]

20 hours ago, rmgill said:

This makes my head hurt from the security implications. 

Once they're on your network....

Quote

The threat actors were savvy enough to avoid give-away terminology like “backdoor”, “keylogger”, etc., and instead opted for a more neutral jargon

That is like a police reports saying that the thiefs did not had a shirt saying thief...

[Ivanhoe]

3 hours ago, lucklucky said:

That is like a police reports saying that the thiefs did not had a shirt saying thief...

What is interesting, at least to me, is that the malicious code added to SolarWinds' source code files was written in the same coding style as the legit SolarWinds coding. Thus, when SolarWinds programmers were changing source code, they wouldn't have likely spotted the malicious code. Likewise, automated scanning tools were less likely to catch it.

This is an indicator of fairly high skill level, and desire for real persistence.

[lucklucky]

Disagree, i  find strange that the level of coding malfeasance is judged at such lower level compared to traditional malfeasance.I don't see anything out of the ordinary competence in that. I'll probably rate higher what they accomplished with the code not this effort to hide.

I mean a simple check in .dll kb size before and after would show a difference, i think a check like that should be a simplest even basic thing to do in a crucial security application.

[Adam Peter]

Unrelated to this breach, Google just published a proof of concept for a critical Windows 10 bug for the Holidays.

[Ivanhoe]

On 12/26/2020 at 6:02 PM, lucklucky said:

I mean a simple check in .dll kb size before and after would show a difference, i think a check like that should be a simplest even basic thing to do in a crucial security application.

Rather than file size, the normal thing to use for a file integrity check is a hash function, such as performed by the Tripwire program.

[WRW]

On 12/27/2020 at 1:33 AM, Ivanhoe said:

What is interesting, at least to me, is that the malicious code added to SolarWinds' source code files was written in the same coding style as the legit SolarWinds coding. Thus, when SolarWinds programmers were changing source code, they wouldn't have likely spotted the malicious code. Likewise, automated scanning tools were less likely to catch it.

This is an indicator of fairly high skill level, and desire for real persistence.

Or someone already inside

[Ssnake]

...which sounds way more likely, TBH.

[lucklucky]

4 hours ago, Ivanhoe said:

Rather than file size, the normal thing to use for a file integrity check is a hash function, such as performed by the Tripwire program.

That too. What it means is there wasn't need for the hackers to even be that smart concerning the code. Not even integrity checks were in place. A simple integrity check would have stopped this on arrival.

[Adam Peter]

4 hours ago, Ivanhoe said:

Rather than file size, the normal thing to use for a file integrity check is a hash function, such as performed by the Tripwire program.

Don't think it is useful in our CI/CD world.

[Ivanhoe]

4 hours ago, Adam Peter said:

Don't think it is useful in our CI/CD world.

With a decent auditing program, one can spot anomalies like file changes at odd hours.

Of course, the fact that an attacker was able to login in remotely and edit files without being detected is shameful.

 

 

[Ivanhoe]

So now it appears that SolarWinds Orion had a zero-day;

https://thehackernews.com/2020/12/a-new-solarwinds-flaw-likely-had-let.html

Quote

 

An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries as a zero-day to deploy the SUPERNOVA malware in target environments.

According to an advisory published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw (CVE-2020-10148) that could allow a remote attacker to execute unauthenticated API commands, thus resulting in a compromise of the SolarWinds instance.

 

Quote

 

In the past week, Microsoft disclosed that a second threat actor might have been abusing SolarWinds' Orion software to drop an additional piece of malware called SUPERNOVA on target systems.

It was also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of whom described it as a .NET web shell implemented by modifying an "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.

 

 

 

 

 

[Roman Alymov]

On 12/22/2020 at 1:43 PM, Mistral said:

Only an idiot would fight a conventional conflict with either Russia or China.

 

Well, unfortunately it is not making the conflict less likely: taking into account dramatic loss of professionalism in every field (“solarwind123” is not surprising after “overload” button gift or Salisbury  magic tales). People with the same degree of professionalism are preparing major political decisions, writing ICBM safety software etc.

We here in Russia are not immune of this trend, as we have adopted western model – but at least we started this process later and it is still not gone so deep.

[Roman Alymov]

On 12/23/2020 at 7:17 PM, Stuart Galbraith said:

  For example, the attribution of MH17 was not based upon physical evidence, so much as phone intercepts.

Not just phone intercepts, but fake phone intercepts provided by Ukrainian SBU. No doubt they will find the same sort of evidence for this case

https://www.youtube.com/watch?v=wkDWwYk4-Ho&feature=emb_logo

[Roman Alymov]

On 12/22/2020 at 4:45 PM, Ivanhoe said:

It is looking like the Chinese own a substantial chunk of the permanent state. I can imagine that cyberattacks would be a technique the PRC would use to frighten the American political class, so that the 3 branches of gov't (FB, Twitter, Google) all agree to dial back freedoms further.

Frighten the American political class into what? If American political class is frightened into not using political power for making personal profit (like Biden family business or Clinton foundation etc.), not meddling with own elections outcome, not basing political decisions on false stories prepared by own intelligence services, not ruining foundations of own society for short-living political profit etc. – is it such a bad thing to happen? We here in Russia are already enjoying results of Russian political class frightened by Western sanctions into not taking stolen money out of Russia to Western banks and property, not having double citizenship to be able to evade any criminal case against them etc.