Stuart Galbraith Posted January 5, 2021
Simon Tan Posted January 6, 2021
Can we blame Cyberpunk 2077 woes on SVR also? Clearly an assault on NATO gaming.
Roman Alymov Posted January 6, 2021
11 hours ago, Stuart Galbraith said:
Sooo FBI, CISA, ODNI, and NSA (with a combined budget of how many USD Bln?) are able to detect "likely Russian in origin", but are unable to calculate the number of USG agencies involved ("fewer than 10" is not an answer allowed even in elementary school). Skripal magic I see here.
Ivanhoe Posted January 6, 2021
Having worked in the USG environment, it's not a surprise they are vague. Some managers will be reluctant to report a breach, others won't investigate even though they've been warned about the attack mechanisms. An addition to the chaos: some RUMINT that folks are worried about the DameWare desktop management software now, since it is owned by SolarWinds. I think the public statements from SolarWinds imply other products like DameWare are not affected, but let's be real. Compromising the DameWare source code would be as easy as SolarWinds123.
lucklucky Posted January 6, 2021
It seems only the Russians hack stuff...
bojan Posted January 6, 2021
I have a bridge to sell to people who believe it.
CaptLuke Posted January 6, 2021
4 hours ago, bojan said:
I have a bridge to sell to people who believe it.
Plenty of buyers here in the US.
Roman Alymov Posted January 7, 2021
I wonder how they will blame that on Russian hackers (I'm sure they will find the way).
Simon Tan Posted January 7, 2021
DC is the new Kiev! SVR and GRU are behind everything.
Ivanhoe Posted January 17, 2021
https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/
Quote
Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack. Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains. But while Sunspot is the latest discovery in the SolarWinds hack, CrowdStrike said the malware was actually the first one used.
Quote
CrowdStrike said Sunspot had one singular purpose, namely to watch the build server for build commands that assembled Orion, one of SolarWinds' top products, an IT resources monitoring platform used by more than 33,000 customers across the globe. Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.
Quote
Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said that it looked into the Sunburst malware source code and found code overlaps between Sunburst and Kazuar, a strain of malware linked to the Turla group, Russia's most sophisticated state-sponsored cyber-espionage outfit. Kaspersky was very careful in its language today to point out that it found only "code overlaps" but not necessarily that it believes that the Turla group orchestrated the SolarWinds attack. The security firm claimed this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving across different threat actors, or could simply be a false flag operation meant to lead security firms on the wrong path.
I've sometimes wondered about Kaspersky. The guy sure seems to be above board. OTOH, if you are in the anti-malware business, and you live in a country which has an active cyberattack infrastructure, eventually you will run afoul of TPTB.
Ivanhoe Posted January 17, 2021
A detailed analysis explaining how Sunspot corrupts the Visual Studio build process to inject other malware into the source code being compiled.
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
Ivanhoe Posted January 17, 2021
https://www.darkreading.com/threat-intelligence/fireeyes-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack/d/d-id/1339851
Quote
Stage one of the attack planted the backdoor onto FireEye's network via the SolarWinds platform, Mandia said. Stage two used the backdoor to access domain credentials, he said, such as user accounts and passphrases. "Stage three was to get the token signing-certs to access O365, likely for specific email accounts," Mandia said. The final stage of the FireEye attack was the theft of its red-team tools. Mandia said he had not seen many ".com" breaches for this type of espionage, so the attack group behind this "smells different."
While the US intelligence community as well as several government officials and security experts have cited Russia as the perpetrator, FireEye has not done so. The company has attributed the attack to an unknown or unclassified group or nation-state. "We have not made any attribution beyond assigning this activity to UNC 2452. A UNC group, short for unclassified, is a cluster of cyber-intrusion activity, which includes observable artifacts such as adversary infrastructure, tools, and tradecraft, that we are not yet ready to give a classification such as APT or FIN," a FireEye spokesperson said. "As we collect additional intelligence, UNC group activity can be assigned to an existing group, graduated to a new group, or simply remain unclassified."
Simon Tan Posted January 18, 2021
The assumption of course is that the intelligence services are under control... which is not necessarily true, as we have come to learn.
Ivanhoe Posted January 18, 2021
Yeah, even if the IT industry and/or western intelligence services identify specific perps at the implementation level, there are still questions about whose idea it was, who directed the attack, who benefits, etc.
Ivanhoe Posted January 19, 2021
As if 2021 didn't already have enough weirdness, it is looking like there is a connection between SolarWinds and Ghislaine Maxwell of Jeffrey Epstein fame. Ghislaine Maxwell's sister is Isabel Maxwell, who is a tech venture capital exec purportedly involved with a company bought by SolarWinds. Still digging...
RETAC21 Posted January 19, 2021
1 minute ago, Ivanhoe said:
As if 2021 didn't already have enough weirdness, it is looking like there is a connection between SolarWinds and Ghislaine Maxwell of Jeffrey Epstein fame. Ghislaine Maxwell's sister is Isabel Maxwell, who is a tech venture capital exec purportedly involved with a company bought by SolarWinds. Still digging...
Jeffrey Epstein may not be dead, his consciousness may be in the net... somewhere...
Ssnake Posted January 19, 2021
Ewww
Ivanhoe Posted January 19, 2021
Yeah, if you have a weak stomach you don't want to go snooping around in the Epstein/Maxwell arena. Bill Gates and Paul Allen apparently have some social connectivity with Epstein and/or the Maxwells. Even better: Isabel Maxwell's son, Alexander Djerassi, was given a job in the US State Department by Hillary Clinton as a favor to Ghislaine Maxwell. The patriarch of the Maxwell clan, Robert Maxwell, has quite an interesting Wikipedia page. If you have some fresh, mil-spec tinfoil handy, you can read the following:
https://www.unz.com/wwebb/isabel-maxwell-israels-back-door-into-silicon-valley/
R011 Posted January 19, 2021
41 minutes ago, Ivanhoe said:
Yeah, if you have a weak stomach you don't want to go snooping around in the Epstein/Maxwell arena. Bill Gates and Paul Allen apparently have some social connectivity with Epstein and/or the Maxwells. Even better: Isabel Maxwell's son, Alexander Djerassi, was given a job in the US State Department by Hillary Clinton as a favor to Ghislaine Maxwell. The patriarch of the Maxwell clan, Robert Maxwell, has quite an interesting Wikipedia page. If you have some fresh, mil-spec tinfoil handy, you can read the following:
https://www.unz.com/wwebb/isabel-maxwell-israels-back-door-into-silicon-valley/
Six degrees of Jeffrey Epstein is going to get a lot of people. I suspect I'm just three or four away because I know people who know people who know Prince Andrew's mum, for a given value of "know". I'm not having tea with Mrs. Mountbatten anytime soon, or at all.
bojan Posted January 19, 2021
Nobility is always inbred.
Ivanhoe Posted January 19, 2021
There's that old saying that power corrupts. In some cases true, but in many cases I think power attracts the already corrupt.
Ivanhoe Posted January 20, 2021
https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html
Quote
Malwarebytes on Tuesday said it was breached by the same group who broke into SolarWinds to access some of its internal emails, making it the fourth major cybersecurity vendor to be targeted after FireEye, Microsoft, and CrowdStrike. The company said its intrusion was not the result of a SolarWinds compromise, but rather due to a separate initial access vector that works by "abusing applications with privileged access to Microsoft Office 365 and Azure environments."
Quote
The news comes on the heels of a fourth malware strain called Raindrop that was found deployed on select victim networks, widening the arsenal of tools used by the threat actor in the sprawling SolarWinds supply chain attack.
Quote
FireEye, for its part, has published a detailed rundown of the tactics adopted by the Dark Halo actor, noting that the attackers leveraged a combination of as many as four techniques to move laterally to the Microsoft 365 cloud:
1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users.
2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.
3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 and that have highly privileged directory roles.
4. Backdoor an existing Microsoft 365 application by adding a new application credential.
I've had vague concerns about SSO and federated identity systems for a while. It is turning out that cookie- and token-based authentication systems are problematic.
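The first two techniques in that FireEye list leave traces a defender can hunt for: a token forged with a stolen AD FS token-signing certificate is signed offline, so Azure AD records a federated sign-in that AD FS itself never issued, and a new federated IdP shows up as a federation-settings change on a domain. Here is detection logic for both, run over constructed records; this is an added example, not code from the thread or from FireEye's write-up, and the field names, the audit activity names and AD FS event ID 1200 are assumptions modelled on Azure AD log exports and AD FS security audits.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Field names, the activity names and the AD FS
# event ID 1200 (token issued) are assumptions modelled on Azure AD exports and AD FS
# security audits; map them onto your own log schema.
AAD_AUDIT = [
    {"time": "2020-12-08T02:10:00Z", "activity": "Set federation settings on domain",
     "actor": "svc-sync@corp.example", "target": "corp.example"},
    {"time": "2020-12-08T09:00:00Z", "activity": "Update user",
     "actor": "helpdesk@corp.example", "target": "alice@corp.example"},
]
AAD_SIGNINS = [  # sign-ins where Azure AD accepted a SAML token from the on-prem IdP
    {"time": "2020-12-08T08:05:30Z", "user": "alice@corp.example",
     "issuer": "http://adfs.corp.example/adfs/services/trust"},
    {"time": "2020-12-08T03:00:00Z", "user": "globaladmin@corp.example",
     "issuer": "http://adfs.corp.example/adfs/services/trust"},
]
ADFS_ISSUANCE = [  # AD FS audit records for tokens it actually issued
    {"time": "2020-12-08T08:05:12Z", "event_id": 1200, "user": "alice@corp.example"},
]
FEDERATION_CHANGES = {"Set federation settings on domain", "Set domain authentication"}
EXPECTED_ISSUER = "http://adfs.corp.example/adfs/services/trust"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def federation_changes(audit):
    """Technique 2 (new federated IdP): federation/authentication changes on a domain
    should be rare and change-controlled, so every occurrence is returned for review."""
    return [r for r in audit if r["activity"] in FEDERATION_CHANGES]

def unmatched_federated_signins(signins, issuance, window=timedelta(minutes=5)):
    """Technique 1 (token forged with a stolen token-signing cert): the forged token is
    signed offline, so Azure AD records a federated sign-in that AD FS never issued.
    Flag sign-ins with no AD FS issuance for that user in the preceding window, and
    sign-ins whose issuer is not the expected AD FS instance."""
    flagged = []
    for s in signins:
        if s["issuer"] != EXPECTED_ISSUER:
            flagged.append((s["user"], "unexpected issuer"))
            continue
        t = ts(s["time"])
        issued = any(i["event_id"] == 1200 and i["user"] == s["user"]
                     and t - window <= ts(i["time"]) <= t for i in issuance)
        if not issued:
            flagged.append((s["user"], "no matching AD FS issuance event"))
    return flagged

if __name__ == "__main__":
    print(federation_changes(AAD_AUDIT), unmatched_federated_signins(AAD_SIGNINS, ADFS_ISSUANCE))
```

The correlation only works if AD FS security auditing is enabled and shipped to the same place as the Azure AD sign-in logs, and clock skew between the two sources should be folded into the window.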
Ivanhoe Posted January 21, 2021
https://www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/
Quote
Today, a solarleaks[.]net website was launched that claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. All of these companies are known to have been breached during the supply chain attack. The website claims to be selling Microsoft source code and repositories for $600,000. Microsoft confirmed that threat actors accessed their source code during their SolarWinds breach.
Quote
The solarleaks.net domain is registered through NJALLA, a known registrar used by the Russian hacking groups Fancy Bear and Cozy Bear.
Quote
To make matters worse, a copycat site at SolarLeak[.]net has been created with the same website content, but a different Monero address.
This all seems fishy, at this point. I'm going to predict that the "source code" being sold anonymously is going to be some kind of fraud. Perhaps some form of decompiled executables turned into gibberish-looking C code rather than original source code.
Ivanhoe Posted January 27, 2021
https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/
Quote
This week, four new cyber-security vendors (Mimecast, Palo Alto Networks, Qualys, and Fidelis) have added their names to the list of companies that have installed trojanized versions of the SolarWinds Orion app. The most important of this week's announcements came from Mimecast, a vendor of email security products.
Quote
Speaking to Forbes investigative reporter Thomas Brewster this week, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software. "Our Security Operation Center [...] immediately isolated the server, initiated an investigation and verified our infrastructure was secure," Palo Alto Networks told Forbes on Monday. However, the company said it investigated the breaches as separate solitary incidents and didn't detect the broader supply chain attack, which would be spotted only months later when hackers breached fellow security vendor FireEye. Palo Alto Networks said the investigation into the September and October SolarWinds-linked intrusions didn't yield much and concluded that "the attempted attack was unsuccessful and no data was compromised."
Adam Peter Posted February 16, 2021
Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack
Quote
Microsoft president Brad Smith said the software giant's analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers. Speaking on US news magazine program 60 Minutes, Smith labelled the attack "the largest and most sophisticated attack the world has ever seen." "When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000."
Was it an insider job?