
Solar Winds Hack....

Rating 100% (1 0 0) | Joined Mar 18, 2012 | Messages 8,648 | Likes 4,214 | Location: A Fair Haven in an unfair state.
I know there are some fellow IT pros on this forum. IDK if you're following the Solar Winds story, but this shit is the scariest shit I have ever seen in my career... This is a truly epic compromise we'll be learning more about each day for weeks. It's already played a role in the compromise at FireEye, now Microsoft, many branches of the Federal Government.... This shit is scary stuff...

IMHO, if you work in IT and aren't following this, you may want to reevaluate your priorities...
 

paul73

NES Member | Rating 0% (0 0 0) | Joined Oct 30, 2020 | Messages 1,653 | Likes 1,562 | Location: MA
So what about the story? It happens every day. An inside job selling passwords for remote access, then a Trojan horse planted and sent to customers.

Then blame it on Russians as it is the simplest way to go. Could indeed be their act, but usually those jobs have much more humble origins. Then evil empires are blamed to redirect the guilt, as local supervisors screwed up badly.
 

BostonVI

NES Member | Rating 100% (14 0 0) | Joined Jan 12, 2011 | Messages 2,547 | Likes 2,248 | Location: MA
In a way the Speculative Side Channel stuff from last year scared me way more than this because of the lengths it took to actually implement the mitigations, and the performance impact those mitigations had on workloads. Not sure if those vulnerabilities were ever actually popped in the wild, but the complexity of updating microcode, OS code, then actually enabling mitigations (at least on Windows machines) wasn't as simple as the usual "ensure your servers are patched against XYZ vulnerability."

That said, this is by far one of the most successful widespread attacks I've seen in my life.
 

Broccoli Iglesias

NES Member | Rating 100% (13 0 0) | Joined Sep 18, 2010 | Messages 29,010 | Likes 31,222
It has been a tough year for Netops and Secops guys. I wonder if many have the time to follow this.

Working from home was/is challenging.

Getting hardware orders was challenging and some were running over 90 days behind at one point. That nice $90K controller you need, those 3K access points and 500 switches ... all running late, and the software upgrades will expire in 20 days. Oh sh*t!

Purchasing has been a mess; they are just now starting to get their sh*t together working remote.

The guys working in EDU had to deal with all the remote learning crap and getting those systems up and running.

And all that on top of their normal routine of putting out fires.

Even RMAs have been a pain in the a**. A broken switch needs to be returned but it is hard to get in the office. Or they are waiting for a replacement switch but it is hard to get in the office and be there when the delivery guy arrives from the depot.

I feel bad for all those guys. I deal with them every day and they have been pretty stressed.

I spoke with a dude today that was freaking out because his purchasing department is 6 months late on renewing expired services and his FireEye license expired, so his network is exposed.

The Secops guys had it a little easier since most of their cool stuff is just code running on someone else's server.
 

paul73

NES Member | Rating 0% (0 0 0) | Joined Oct 30, 2020 | Messages 1,653 | Likes 1,562 | Location: MA

Broccoli Iglesias

NES Member | Rating 100% (13 0 0) | Joined Sep 18, 2010 | Messages 29,010 | Likes 31,222
2FA...it's a thing. FireEye was hacked and their Red Team tools were used to breach SolarWinds. 2FA would have mitigated the breach...but it wasn't mandatory.

Axiom....Security is not convenient.

SolarWinds was skinflint RMM. You get what you pay for.
I only knew SolarWinds for their SIEM, and I never met anyone that uses it, lol.

If I didn't work with a dude that used to work at SolarWinds, I probably wouldn't know they have a SIEM.
 

new guy

NES Member | Rating 100% (64 0 0) | Joined Dec 7, 2009 | Messages 26,452 | Likes 27,899
And all the while clients and their auditors are ratcheting up the pressure, sending more intrusive questionnaires, dictating more aggressive terms, etc. Not for the faint of heart or shallow-pocketed.
 

GM-GUY

NES Member | Rating 100% (5 0 0) | Joined May 27, 2008 | Messages 10,930 | Likes 8,311 | Location: North Central Mass
My friend is high up in the IT Security world; he sent me a text on this and DoS attacks. This isn't something that always happens. Hell, Biden even mentioned it.
 

JayMcB

NES Member | Rating 100% (20 0 0) | Joined Aug 8, 2011 | Messages 12,014 | Likes 8,661 | Location: Assachusetts when necessary. NH when possible
Another note: If you were running Intercept X and Sophos EDR, even with SolarWinds, the malicious behavior would have been flagged.

We bagged this hack for a monitor-only client with LiveDiscover before the payload got deployed. They're hating the T&E bill for the forensics.
 
Rating 100% (1 0 0) | Joined Mar 18, 2012 | Messages 8,648 | Likes 4,214 | Location: A Fair Haven in an unfair state.
2FA...it's a thing. FireEye was hacked and their Red Team tools were used to breach SolarWinds. 2FA would have mitigated the breach...but it wasn't mandatory.

Axiom....Security is not convenient.

SolarWinds was skinflint RMM. You get what you pay for.

This is a gross oversimplification and complete misrepresentation of what actually happened. Please read up on it and get your facts in line.
 
Rating 100% (1 0 0) | Joined Mar 18, 2012 | Messages 8,648 | Likes 4,214 | Location: A Fair Haven in an unfair state.
Another note: If you were running Intercept X and Sophos EDR, even with SolarWinds, the malicious behavior would have been flagged.

We bagged this hack for a monitor-only client with LiveDiscover before the payload got deployed. They're hating the T&E bill for the forensics.

The shop I left in August was on Sophos. The place I'm at now is on CrowdStrike. I watched the Sophos webinar on this attack. Major feather in their cap that they were able to pick it up when others were flying blind. I always liked their software. They just need to add remote shell functionality like CrowdStrike has.
 

JayMcB

NES Member | Rating 100% (20 0 0) | Joined Aug 8, 2011 | Messages 12,014 | Likes 8,661 | Location: Assachusetts when necessary. NH when possible
The shop I left in August was on Sophos. The place I'm at now is on CrowdStrike. I watched the Sophos webinar on this attack. Major feather in their cap that they were able to pick it up when others were flying blind. I always liked their software. They just need to add remote shell functionality like CrowdStrike has.

The problems with Sophos are their corporate arrogance, large resource footprint on hosts, and cost. With some of our CMMC-prepping shops at almost $15 per node per month, it can be hard to swallow. But their isolation technology with their XGs and compromised endpoints is pretty cool. I say this with Sophos as our primary endpoint solution.
 

DecOFlaherty

NES Member | Rating 100% (1 0 0) | Joined Oct 13, 2011 | Messages 570 | Likes 364 | Location: MA northshore
We looked into SolarWinds a few years ago and ended up going with Kaseya.

SolarWinds looked a little bit nicer, but I honestly couldn't be happier (even without the hack). Kaseya is a great product.
 

fshalor

NES Member | Rating 100% (10 0 0) | Joined Jul 1, 2012 | Messages 4,306 | Likes 3,128 | Location: Portland, ME
Another note: If you were running Intercept X and Sophos EDR, even with SolarWinds, the malicious behavior would have been flagged.

We bagged this hack for a monitor-only client with LiveDiscover before the payload got deployed. They're hating the T&E bill for the forensics.

As much as I have a love-hate relationship with Sophos, their kit is functional and easy to proof. UTM 9 may be not as real as Palo Alto stuff, but it does work. EDR has never disappointed me for the price point either.

Now their support? Escalate or just don't. ;)

This SolarWinds thing is interesting in timing and scope. Quite a scary thing.
 

turbolovah

NES Member | Rating 0% (0 0 0) | Joined Apr 25, 2016 | Messages 50 | Likes 85
Had read an article, I'll try to find it, that the password on the compromised SolarWinds patch/update server was set to something like "solarwinds123"; you'd think something relatively easy to crack/brute force, hell, even guess.

All it takes is one lazy step.
 
Rating 100% (4 0 0) | Joined Jan 7, 2010 | Messages 775 | Likes 740
2FA...it's a thing. FireEye was hacked and their Red Team tools were used to breach SolarWinds. 2FA would have mitigated the breach...but it wasn't mandatory.

Axiom....Security is not convenient.

SolarWinds was skinflint RMM. You get what you pay for.

Imma be blunt: you need to stop pretending you have enough clue to wave your IT penis around and do some more research:

 

Boris

Son of Kalashnikov | Rating 100% (21 0 0) | Joined Jan 14, 2011 | Messages 20,365 | Likes 20,458 | Location: Back from Motherland

Moral? Dump Microsoft and use Linux.

The guy who wrote that article has a Windoz logo tattooed on the inside of his asshole.
 

hminsky

NES Life Member | NES Member | Rating 100% (76 0 0) | Joined Dec 2, 2005 | Messages 8,259 | Likes 4,227
So once the SolarWinds software updated itself with malware, was it primarily an attack on Windows operating systems, or did it attack or compromise other operating systems?
 

BostonVI

NES Member | Rating 100% (14 0 0) | Joined Jan 12, 2011 | Messages 2,547 | Likes 2,248 | Location: MA

VetteGirlMA

NES Member | Rating 100% (1 0 0) | Joined Feb 3, 2015 | Messages 4,284 | Likes 7,136 | Location: western mass
I have a friend who worked in cryptography at DARPA. I remember him telling me once that they would send out mathematicians to security conferences where they would suggest making small changes to algorithms used to encrypt information. Why? Because someone had figured out that if the encryption algorithm used this small tweak, it could be trivially decrypted. This kind of thing goes on every day out there, and not just by the US; it's all the key players. If someone wants into the data they will get it. These hackers out there want the COVID vaccine information because they know the US actually invented it and they stole it, so they don't have the background information on how the US did it. But like the Rosenberg spy case illustrated, it's sometimes easier to plant people inside companies than it is to try and steal it the hard way.

When I worked with the edge security on my company's network I was always amazed at the number of attempted intrusions that the hardware would log in a day. In my case most came from North Korea, but it wasn't uncommon to see attempted network intrusions from Russia, Ukraine, China, you name it.
 
Rating 100% (1 0 0) | Joined Mar 18, 2012 | Messages 8,648 | Likes 4,214 | Location: A Fair Haven in an unfair state.
So once the SolarWinds software updated itself with malware, was it primarily an attack on Windows operating systems, or did it attack or compromise other operating systems?

ALL operating systems. SolarWinds is a network management and monitoring solution. In order to monitor things like system services, the resource has to have a certain level of system access. If you monitor other Windows systems, those systems need to be considered compromised. If you monitored Linux servers, those servers need to be considered compromised. Any service accounts used to grant SolarWinds permission to monitor or manage need to be considered compromised. If you used SolarWinds to monitor your certificate servers and PKI infrastructure, YOUR ENTIRE PKI INFRASTRUCTURE IS COMPROMISED! For any user who logged into any machine monitored by SolarWinds, their credentials need to be considered compromised. These servers/machines all need to be completely flattened and rebuilt... This includes the ENTIRE IT INFRASTRUCTURE for many organizations.... This isn't just me saying this; this is the official recommendation from US CISA!!

The SolarWinds hack gave them an initial foothold from which TO DEPLOY ADDITIONAL malware. Even if you completely removed SolarWinds and changed the credentials for every service account and every user who touched that machine, they may have already moved laterally in your network and established other means of persistent access, command and control...

This is a total shit show!
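The transitive-trust argument in the post above, as an added example that is not part of this thread or of any vendor's tooling: a short Python walk over a constructed trust graph that pulls every host the monitoring server could manage, every service account it used, every relying party of a CA it reached, and every user who logged on to an affected host into rebuild/rotate scope. All host, account and CA names and the edges between them are made-up sample data.

```python
"""Added example (not from the thread): scoping a rebuild after a monitoring
server is compromised. Every host it could manage, every account it used,
every CA it reached, and every user who logged on to an affected host is
pulled into scope. All names and edges are constructed sample data."""
from collections import deque

# (source, relation, target). Constructed sample trust graph.
EDGES = [
    ("orion-srv", "uses_account", "svc_mon_win"),   # WMI polling credential
    ("orion-srv", "uses_account", "svc_mon_ssh"),   # SSH key for Linux hosts
    ("svc_mon_win", "admin_on", "dc01"),
    ("svc_mon_win", "admin_on", "file01"),
    ("svc_mon_win", "admin_on", "ca01"),            # the issuing CA was monitored too
    ("svc_mon_ssh", "root_on", "web01"),
    ("ca01", "issues_certs_for", "vpn-gw"),         # relying parties trust CA-signed certs
    ("ca01", "issues_certs_for", "web01"),
    ("alice", "logged_on", "file01"),               # interactive logon caches creds on host
    ("bob", "logged_on", "workstation-42"),         # never touched an affected host
]

# Relations that carry compromise forward, from source to target.
FORWARD = {"uses_account", "admin_on", "root_on", "issues_certs_for"}
# Relations where compromise of the target implicates the source:
# a credential used on a compromised host is exposed there.
BACKWARD = {"logged_on"}


def compromise_scope(start, edges):
    """Return {node: reason} for every node reachable from `start`
    under the rules above; reason is the edge that pulled it in."""
    scope = {start: "initial compromise"}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, rel, dst in edges:
            if rel in FORWARD and src == node and dst not in scope:
                scope[dst] = f"{src} {rel} {dst}"
                queue.append(dst)
            elif rel in BACKWARD and dst == node and src not in scope:
                scope[src] = f"{src} {rel} {dst}"
                queue.append(src)
    return scope


if __name__ == "__main__":
    # Hosts get flattened and rebuilt; accounts get rotated; CAs get reissued.
    for node, why in compromise_scope("orion-srv", EDGES).items():
        print(f"{node:14} <- {why}")
```

Note that bob and workstation-42 stay out of scope only because no edge links them to an affected host; in a real estate the edges come from the RMM's own inventory, the directory's admin-group membership and logon audit records, and the gaps in that data are themselves a reason to widen the rebuild.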
 

Broccoli Iglesias

NES Member | Rating 100% (13 0 0) | Joined Sep 18, 2010 | Messages 29,010 | Likes 31,222
ALL operating systems. SolarWinds is a network management and monitoring solution. In order to monitor things like system services, the resource has to have a certain level of system access. If you monitor other Windows systems, those systems need to be considered compromised. If you monitored Linux servers, those servers need to be considered compromised. They need to be completely flattened and rebuilt... This includes the ENTIRE IT INFRASTRUCTURE for many organizations.... This isn't just me saying this; this is the official recommendation from US CISA!!

The SolarWinds hack gave them an initial foothold from which TO DEPLOY ADDITIONAL malware. Even if you completely removed SolarWinds and changed the credentials for every service account and every user who touched that machine, they may have already moved laterally in your network and established other means of persistent access, command and control...

This is a total shit show!

There go the holidays for the network guys.

A final kick in the nuts for 2020.
 
Rating 100% (28 0 0) | Joined May 29, 2008 | Messages 1,074 | Likes 149 | Location: Florence Mass
We use SolarWinds at work (NPM & SAM), but I have shut down the services and disabled them (the server it was hosted on had no internet access). We use very little of it and can replace it with another great piece of software we have, EventSentry.
 

neum69

NES Member | Rating 100% (7 0 0) | Joined Jul 19, 2012 | Messages 1,153 | Likes 371 | Location: Massachusetts
Hah, I dodged a bullet. A couple of months ago I was contacted about a leadership position at SolarWinds. Said no, in part due to the limited upside and unlimited downside of taking over responsibility for that stack.
 