Solar Winds Data Breach


rmgill

11 hours ago, Stuart Galbraith said:


Sooo FBI, CISA, ODNI, and NSA (with combined budget of how many USD Bln?) are able to detect “likely Russian in origin”, but are unable to calculate the number of USG agencies involved (“fewer than 10” is not an answer allowed even in elementary school). Skripals' magic I see here :)


Having worked in the USG environment, it's not a surprise they are vague. Some managers will be reluctant to report a breach, others won't investigate even though they've been warned about the attack mechanisms.

An addition to the chaos; some RUMINT that folks are worried about the DameWare desktop management software now, since it is owned by SolarWinds. I think the public statements from SolarWinds imply other products like DameWare are not affected, but let's be real. Compromising the DameWare source code would be as easy as SolarWinds123.


  • 2 weeks later...

https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/

Quote


Cyber-security firm CrowdStrike, one of the companies directly involved in investigating the SolarWinds supply chain attack, said today it identified a third malware strain directly involved in the recent hack.

Named Sunspot, this finding adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.

But while Sunspot is the latest discovery in the SolarWinds hack, Crowdstrike said the malware was actually the first one used.

Quote


CrowdStrike said Sunspot had one singular purpose — namely, to watch the build server for build commands that assembled Orion, one of SolarWinds' top products, an IT resources monitoring platform used by more than 33,000 customers across the globe.

Once a build command was detected, the malware would silently replace source code files inside the Orion app with files that loaded the Sunburst malware, resulting in Orion app versions that also installed the Sunburst malware.

Quote


Kaspersky, which was not part of the formal investigation of the SolarWinds attack but still analyzed the malware, said that it looked into the Sunburst malware source code and found code overlaps between Sunburst and Kazuar, a strain of malware linked to the Turla group, Russia's most sophisticated state-sponsored cyber-espionage outfit.

Kaspersky was very careful in its language today to point out that it found only "code overlaps" but not necessarily that it believes that the Turla group orchestrated the SolarWinds attack.

The security firm claimed this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, coders moving across different threat actors, or could simply be a false flag operation meant to lead security firms on the wrong path.

I've sometimes wondered about Kaspersky. The guy sure seems to be above board. OTOH, if you are in the anti-malware business, and you live in a country which has an active cyberattack infrastructure, eventually you will run afoul of TPTB.


A detailed analysis explaining how Sunspot corrupts the Visual Studio build process to inject other malware into the source code being compiled.

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

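The build-time swap described in the CrowdStrike excerpt and in the technical analysis linked in the post above, as an added example (my own Python model, not CrowdStrike's, SolarWinds' or the malware's code): a hook that replaces a source file when the build starts and restores it when the build ends, run against two integrity checks, one that misses it and one that catches it. The file name, its contents and the stand-in "compiler" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed example tree: one source file with a "real" and a backdoored version.
TARGET = os.path.join("src", "Collector.cs")
CLEAN_SRC = b"class Collector { void Run() { /* real monitoring code */ } }\n"
BACKDOORED_SRC = b"class Collector { void Run() { Beacon(); } }\n"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def list_sources(root):
    """Relative paths of every file under root, in a stable order."""
    paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(paths)


def manifest(root):
    """Hash every file under root, keyed by relative path."""
    out = {}
    for rel in list_sources(root):
        with open(os.path.join(root, rel), "rb") as fh:
            out[rel] = sha256(fh.read())
    return out


class BuildTimeSwapper:
    """Models the implant: write the backdoored file when the build starts and
    put the original back when it ends, so the checkout looks clean afterwards."""

    def __init__(self, root, target, payload):
        self.path = os.path.join(root, target)
        self.payload = payload
        self.original = None

    def on_build_start(self):
        with open(self.path, "rb") as fh:
            self.original = fh.read()
        with open(self.path, "wb") as fh:
            fh.write(self.payload)

    def on_build_end(self):
        with open(self.path, "wb") as fh:
            fh.write(self.original)


def compile_tree(root):
    """Stand-in compiler: concatenates the sources into an 'artifact' and
    records the hash of each input as it was actually read."""
    consumed, parts = {}, []
    for rel in list_sources(root):
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        consumed[rel] = sha256(data)
        parts.append(data)
    return b"".join(parts), consumed


def run_build(root, hooks=()):
    """Snapshot the tree, build (with any implant hooks firing), re-snapshot.
    Returns both the usual post-build check and a read-time input check."""
    before = manifest(root)
    for h in hooks:
        h.on_build_start()
    artifact, consumed = compile_tree(root)
    for h in hooks:
        h.on_build_end()
    after = manifest(root)
    return {
        "artifact": sha256(artifact),
        "tree_unchanged": before == after,        # passes even when implanted
        "inputs_match_tree": consumed == before,  # fails when implanted
    }


def scenario(implanted):
    """Build the one-file tree, optionally with the swapper hooked in."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.dirname(os.path.join(root, TARGET)))
        with open(os.path.join(root, TARGET), "wb") as fh:
            fh.write(CLEAN_SRC)
        hooks = [BuildTimeSwapper(root, TARGET, BACKDOORED_SRC)] if implanted else []
        return run_build(root, hooks)


if __name__ == "__main__":
    for label, implanted in (("clean", False), ("implanted", True)):
        print(label, scenario(implanted))
```

The point it makes: a before/after hash of the checkout passes in both runs, because the implant restores the original file, while comparing what the compiler actually read against the checkout fails in the implanted run. The real-pipeline equivalent is recording input hashes at read time (a compiler wrapper, or a reproducible rebuild on an independent machine compared artifact-to-artifact) rather than re-hashing the source tree after the build has finished.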

https://www.darkreading.com/threat-intelligence/fireeyes-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack/d/d-id/1339851

Quote


Stage one of the attack planted the backdoor onto FireEye's network via the SolarWinds platform, Mandia said. Stage two used the backdoor to access domain credentials, he said, such as user accounts and passphrases. "Stage three was to get the token signing-certs to access O365, likely for specific email accounts," Mandia said. The final stage of the FireEye attack was the theft of its red-team tools.

Mandia said he had not seen many ".com" breaches for this type of espionage, so the attack group behind this "smells different."

While the US intelligence community as well as several government officials and security experts have cited Russia as the perpetrator, FireEye has not done so. The company has attributed the attack to an unknown or unclassified group or nation-state. "We have not made any attribution beyond assigning this activity to UNC 2452. An UNC group, short for unclassified, is a cluster of cyber-intrusion activity — which includes observable artifacts such as adversary infrastructure, tools, and tradecraft — that we are not yet ready to give a classification such as APT or FIN," a FireEye spokesperson said. "As we collect additional intelligence, UNC group activity can be assigned to an existing group, graduated to a new group, or simply remain unclassified."


Yeah, even if the IT industry and/or western intelligence services identify specific perps at the implementation level, there are still questions about whose idea, who directed the attack, who benefits, etc.


As if 2021 didn't already have enough weirdness, it is looking like there is a connection between SolarWinds and Ghislaine Maxwell of Jeffrey Epstein fame.

Ghislaine Maxwell's sister is Isabel Maxwell, who is a tech venture capital exec purportedly involved with a company bought by SolarWinds. Still digging...


1 minute ago, Ivanhoe said:

As if 2021 didn't already have enough weirdness, it is looking like there is a connection between SolarWinds and Ghislaine Maxwell of Jeffrey Epstein fame.

Ghislaine Maxwell's sister is Isabel Maxwell, who is a tech venture capital exec purportedly involved with a company bought by SolarWinds. Still digging...

Jeffrey Epstein may not be dead, his consciousness may be in the net... somewhere...


Yeah, if you have a weak stomach you don't want to go snooping around in the Epstein/Maxwell arena.

Bill Gates and Paul Allen apparently have some social connectivity with Epstein and/or the Maxwells.

Even better; Isabel Maxwell's son, Alexander Djerassi, was given a job in the US State Department by Hillary Clinton as a favor to Ghislaine Maxwell.

The patriarch of the Maxwell clan, Robert Maxwell, has quite an interesting Wikipedia page.

If you have some fresh, mil-spec tinfoil handy, you can read the following;

https://www.unz.com/wwebb/isabel-maxwell-israels-back-door-into-silicon-valley/


41 minutes ago, Ivanhoe said:

Yeah, if you have a weak stomach you don't want to go snooping around in the Epstein/Maxwell arena.

Bill Gates and Paul Allen apparently have some social connectivity with Epstein and/or the Maxwells.

Even better; Isabel Maxwell's son, Alexander Djerassi, was given a job in the US State Department by Hillary Clinton as a favor to Ghislaine Maxwell.

The patriarch of the Maxwell clan, Robert Maxwell, has quite an interesting Wikipedia page.

If you have some fresh, mil-spec tinfoil handy, you can read the following;

https://www.unz.com/wwebb/isabel-maxwell-israels-back-door-into-silicon-valley/

Six degrees of Jeffrey Epstein is going to get a lot of people. I suspect I'm just three or four away because I know people who know people who know Prince Andrew's mum - for a given value of "know". I'm not having tea with Mrs. Mountbatten anytime soon or at all.


There's that old saying that power corrupts. In some cases true, but in many cases I think power attracts the already corrupt.


https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html

Quote


Malwarebytes on Tuesday said it was breached by the same group who broke into SolarWinds to access some of its internal emails, making it the fourth major cybersecurity vendor to be targeted after FireEye, Microsoft, and CrowdStrike.

The company said its intrusion was not the result of a SolarWinds compromise, but rather due to a separate initial access vector that works by "abusing applications with privileged access to Microsoft Office 365 and Azure environments."

Quote

The news comes on the heels of a fourth malware strain called Raindrop that was found deployed on select victim networks, widening the arsenal of tools used by the threat actor in the sprawling SolarWinds supply chain attack.

Quote


FireEye, for its part, has published a detailed rundown of the tactics adopted by the Dark Halo actor, noting that the attackers leveraged a combination of as many as four techniques to move laterally to the Microsoft 365 cloud.

  • Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users
  • Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls.
  • Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, and
  • Backdoor an existing Microsoft 365 application by adding a new application

I've had vague concerns about SSO and federated identity systems for awhile. It is turning out that cookie- and token-based authentication systems are problematic.

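The four cloud-pivot techniques in the FireEye excerpt, and the token-signing-certificate stage Mandia describes further up the thread, as an added detection example (my own Python, not FireEye's or Microsoft's code) run over constructed records. Assumptions: the audit-log activity names are written as they appear in Azure AD audit logs but should be confirmed against your own tenant's export before you alert on them; the `federated` and `targetSyncedFromOnPrem` fields are simplified stand-ins for the real sign-in and audit schemas; and the AD FS records stand for the on-prem authentication events (Event ID 1200/1202) that a genuine federated login leaves behind.

```python
from datetime import datetime, timedelta

# Azure AD audit-log activity names (assumption: confirm against your tenant).
FEDERATION_CHANGES = {"Set federation settings on domain", "Set domain authentication"}
APP_CREDENTIAL_CHANGES = {
    "Add service principal credentials",
    "Add app role assignment to service principal",
}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator"}


def parse_ts(value):
    """ISO-8601 with a trailing Z, as the logs export it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_audit(events):
    """Map audit records to the pivot technique they most resemble.
    Returns (technique, event id) pairs in input order."""
    findings = []
    for e in events:
        name = e["activityDisplayName"]
        if name in FEDERATION_CHANGES:            # new or altered federated IdP
            findings.append(("federation-trust-change", e["id"]))
        elif name in APP_CREDENTIAL_CHANGES:      # backdoor on an existing app
            findings.append(("app-credential-added", e["id"]))
        elif (name == "Add member to role" and e.get("role") in PRIVILEGED_ROLES
              and e.get("targetSyncedFromOnPrem")):   # synced account given high privilege
            findings.append(("privileged-role-on-synced-account", e["id"]))
    return findings


def find_forged_tokens(signins, adfs_auths, window=timedelta(minutes=10)):
    """Federated sign-ins with no AD FS authentication for that user in the
    preceding window. A token forged with a stolen signing certificate never
    passes through AD FS, so the cloud sign-in has no on-prem counterpart."""
    by_user = {}
    for a in adfs_auths:
        by_user.setdefault(a["user"].lower(), []).append(parse_ts(a["time"]))
    flagged = []
    for s in signins:
        if not s["federated"]:
            continue
        t = parse_ts(s["time"])
        backed = any(0 <= (t - a).total_seconds() <= window.total_seconds()
                     for a in by_user.get(s["user"].lower(), []))
        if not backed:
            flagged.append(s["id"])
    return flagged


# Constructed sample records, not real telemetry.
AUDIT = [
    {"id": "a1", "activityDisplayName": "Update user"},
    {"id": "a2", "activityDisplayName": "Set federation settings on domain",
     "target": "corp.example"},
    {"id": "a3", "activityDisplayName": "Add service principal credentials",
     "target": "Mail Archiver"},
    {"id": "a4", "activityDisplayName": "Add member to role",
     "role": "Global Administrator", "targetSyncedFromOnPrem": True},
    {"id": "a5", "activityDisplayName": "Add member to role",
     "role": "Reports Reader", "targetSyncedFromOnPrem": True},
]
# Stand-ins for AD FS Event ID 1200/1202 records.
ADFS_AUTHS = [{"user": "alice@corp.example", "time": "2020-12-01T09:00:00Z"}]
SIGNINS = [
    {"id": "s1", "user": "alice@corp.example", "federated": True, "time": "2020-12-01T09:00:20Z"},
    {"id": "s2", "user": "bob@corp.example", "federated": True, "time": "2020-12-01T09:05:00Z"},
    {"id": "s3", "user": "carol@corp.example", "federated": False, "time": "2020-12-01T09:06:00Z"},
]

if __name__ == "__main__":
    for technique, event_id in triage_audit(AUDIT):
        print(f"{event_id}: {technique}")
    print("federated sign-ins with no AD FS authentication:",
          find_forged_tokens(SIGNINS, ADFS_AUTHS))
```

The correlation in `find_forged_tokens` only works if AD FS auditing is enabled and the events are shipped off the federation servers; an attacker who has the signing certificate usually has the servers too, and can tamper with local logs. The other three checks are plain audit-log alerts, which is the part most tenants never wired up before this incident.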

https://www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/

Quote


Today, a solarleaks[.]net website was launched that claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds. All of these companies are known to have been breached during the supply chain attack.

The website claims to be selling Microsoft source code and repositories for $600,000. Microsoft confirmed that threat actors accessed their source code during their SolarWinds breach.

Quote

The solarleaks.net domain is registered through NJALLA, a known registrar used by the Russian hacking groups Fancy Bear and Cozy Bear.

Quote

To make matters worse, a copycat site at SolarLeak[.]net has been created with the same website content, but a different Monero address. 

This all seems fishy, at this point. I'm going to predict that the "source code" being sold anonymously is going to be some kind of fraud. Perhaps some form of decompiled executables turned into gibberish-looking C code rather than original source code. 


https://www.zdnet.com/article/four-security-vendors-disclose-solarwinds-related-incidents/

Quote


This week, four new cyber-security vendors — Mimecast, Palo Alto Networks, Qualys, and Fidelis — have added their names to the list of companies that have installed trojanized versions of the SolarWinds Orion app.

The most important of this week's announcements came from Mimecast, a vendor of email security products.

Quote


Speaking to Forbes investigative reporter Thomas Brewster this week, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software.

"Our Security Operation Center [...] immediately isolated the server, initiated an investigation and verified our infrastructure was secure," Palo Alto Networks told Forbes on Monday.

However, the company said it investigated the breaches as separate solitary incidents and didn't detect the broader supply chain attack, which would be spotted only months later when hackers breached fellow security vendor FireEye.

Palo Alto Networks said the investigation into the September and October SolarWinds-linked intrusions didn't yield much and concluded that "the attempted attack was unsuccessful and no data was compromised."


  • 3 weeks later...

Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack

Quote

Microsoft president Brad Smith said the software giant's analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers.

Speaking on US news magazine program 60 Minutes, Smith labelled the attack "the largest and most sophisticated attack the world has ever seen."

"When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000."

Was it an insider job?

