Solar Winds Hack....

I know there are some fellow IT pros on this forum. IDK if you're following the Solar Winds story, but this shit is the scariest shit I have ever seen in my career... This is a truly epic compromise we'll be learning more about each day for weeks. It's already played a role in the compromise at FireEye, now Microsoft, many branches of the Federal Government.... This shit is scary stuff...

IMHO, if you work in IT and aren't following this, you may want to reevaluate your priorities...
 
So what about the story? It happens every day. An inside job selling passwords for remote access, then a Trojan horse planted in and sent to customers.

Then blame it on Russians as it is the simplest way to go. Could indeed be their act, but, usually those jobs have much more humble origins. Then evil empires are blamed to redirect the guilt - as local supervisors screwed up badly.
 
In a way the Speculative Side Channel stuff from last year scared me way more than this because of the lengths it took to actually implement the mitigations, and the performance impact those mitigations had on workloads. Not sure if those vulnerabilities were ever actually popped in the wild, but the complexity of updating microcode, OS code, then actually enabling mitigations (at least on Windows machines) wasn't as simple as the usual ensure your servers are patched from XYZ vulnerability.

That said, this is by far one of the most successful widespread attacks I've seen in my life.
 
It has been a tough year for Netops and Secops guys. I wonder if many have the time to follow this.

Working from home was/is challenging.

Getting hardware orders was challenging and some were running over 90 days behind at one point. That nice $90K controller you need, those 3K access points and 500 switches ... all running late, and the software upgrades will expire in 20 days. Oh sh*t!

Purchasing has been a mess, they are just now starting to get their sh*t together working remote.

The guys working in EDU had to deal with all the remote learning crap and getting those systems up and running.

And all that on top of their normal routine of putting out fires.

Even RMAs have been a pain in the a**. A broken switch needs to be returned but it is hard to get in the office. Or they are waiting for a replacement switch but it is hard to get in the office and be there when the delivery guy arrives from the depot.

I feel bad for all those guys. I deal with them every day and they have been pretty stressed.

I spoke with a dude today that was freaking out because his purchasing department is 6 months late on renewing expired services and his FireEye license expired so his network is exposed.

The Secops guys had it a little easier since most of their cool stuff is just code running on someone else's server.
 
2FA...it's a thing. FireEye was hacked and their Red Team tools were used to breach SolarWinds, 2FA would have mitigated the breach...but it wasn't mandatory.

Axiom....Security is not convenient.

SolarWinds was skinflint RMM. You get what you pay for.
I only knew SolarWinds for their SIEM, and I never met anyone that uses it, lol.

If I didn't work with a dude that used to work at SolarWinds, I probably wouldn't know they have a SIEM.
 
And all the while clients and their auditors are ratcheting up the pressure, sending more intrusive questionnaires, dictating more aggressive terms, etc. Not for the faint of heart or shallow pocketed.
 
My friend is high up in the IT Security world, he sent me a text on this and DOS attacks - this isn’t something like always happens. Hell, Biden even mentioned it.
 
Another note: If you were running Intercept X and Sophos EDR, even with SolarWinds, the malicious behavior would have been flagged.

We bagged this hack for a monitor-only client with LiveDiscover before the payload got deployed. They're hating the T&E bill for the forensics.
 
> 2FA...it's a thing. FireEye was hacked and their Red Team tools were used to breach SolarWinds, 2FA would have mitigated the breach...but it wasn't mandatory.
>
> Axiom....Security is not convenient.
>
> SolarWinds was skinflint RMM. You get what you pay for.

This is a gross oversimplification and complete misrepresentation of what actually happened. Please read up on it and get your facts in line.
 
> Another note: If you were running Intercept X and Sophos EDR, even with SolarWinds, the malicious behavior would have been flagged.
>
> We bagged this hack for a monitor-only client with LiveDiscover before the payload got deployed. They're hating the T&E bill for the forensics.

The shop I left in August was on Sophos. The place on that now is on CrowdStrike. I watched the Sophos webinar on this attack. Major feather in their cap that they were able to pick it up when others were flying blind. I always liked their software. They just need to add remote shell functionality like CrowdStrike has.
 
> The shop I left in August was on Sophos. The place on that now is on CrowdStrike. I watched the Sophos webinar on this attack. Major feather in their cap that they were able to pick it up when others were flying blind. I always liked their software. They just need to add remote shell functionality like CrowdStrike has.

The problems with Sophos are their corporate arrogance, large resource footprint on hosts, and cost....with some of our CMMC-prepping shops at almost $15 per node per month, it can be hard to swallow....but their isolation technology with their XG's and compromised endpoints is pretty cool. I say this with Sophos as our primary endpoint solution.
 
We looked into Solar Winds a few years ago and ended up going with Kaseya.

Solar winds looked a little bit nicer, but I honestly couldn't be happier. (even without the hack) Kaseya is a great product.
 
> Another note: If you were running Intercept X and Sophos EDR, even with SolarWinds, the malicious behavior would have been flagged.
>
> We bagged this hack for a monitor-only client with LiveDiscover before the payload got deployed. They're hating the T&E bill for the forensics.

As much as I have a love-hate relationship with Sophos.. their kit is functional and easy to proof. UTM 9 may be not as real as Palo Alto stuff, but it does work. EDR has never disappointed me for the price point either.

Now their support? Escalate or don't just it. ;).

This Solar Winds thing is interesting in timing and scope. Quite a scary thing.
 
Had read an article, I'll try to find it, that the compromised SolarWinds patch/update server was set to something like "solarwinds123," you'd think something relatively easy to crack/brute force, hell, even guess.

All it takes is one lazy step.
 
> 2FA...it's a thing. FireEye was hacked and their Red Team tools were used to breach SolarWinds, 2FA would have mitigated the breach...but it wasn't mandatory.
>
> Axiom....Security is not convenient.
>
> SolarWinds was skinflint RMM. You get what you pay for.

Imma be blunt - you need to stop pretending you have enough clue to wave your it penis around and do some more research:

 

Moral? Dump Microsoft and use Linux.

the guy who wrote that article has Windoz logo tattooed on the inside of his ass hole.
 
So once the SolarWinds software updated itself with malware, was it primarily an attack on Windows operating systems, or did it attack or compromise other operating systems?
 
I have a friend who worked in cryptography at darpa. I remember him telling me once that they would send out mathematicians to security conferences where they would suggest making small changes to algorithms used to encrypt information. Why? Because someone had figured out that if the encryption algorithm used this the small tweak it could be trivially decrypted. This kind of thing goes on every day out there and not just by the US it's all the key players. If someone wants in to the data they will get it. These hackers out there want the covid vaccine information because they know the US actually invented it and they stole it so they don't have the background information on how the US did it. But like the Rosenberg spy case illustrated it's sometimes easier to plant people inside companies than it is to try and steal it the hard way.

When I worked with the edge security on my companies network I was always amazed at the number of attempted intrusions that the hardware would log in a day. In my case most came from North Korea, but it wasn't uncommon to see attempted network intrusions from Russia, Ukraine, China, you name it.
 
> So once the SolarWinds software updated itself with malware, was it primarily an attack on Windows operating systems, or did it attack or compromise other operating systems?


ALL operating systems. Solar Winds is a network management and monitoring solution. In order to monitor things like system services, the resource has to have a certain level of system access. IF you monitor other Windows systems - those systems need to be considered compromised. If you monitored Linux servers, those servers need to be considered compromised. Any service accounts used to grant Solar Winds permission to monitor or manage need to be considered compromised. If you used Solar Winds to monitor your certificate servers and PKI infrastructure, YOUR ENTIRE PKI INFRASTRUCTURE IS COMPROMISED! For any user who logged into any machine monitored by solar winds, their credentials need to be considered compromised. These servers/machines all need to be completely flattened and rebuilt... This includes the ENTIRE IT INFRASTRUCTURE for many organizations.... This isn't just me saying this, this is the official recommendation from US CISA!!

The Solar Winds hack gave them an initial foothold from which TO DEPLOY ADDITIONAL malware. Even if you completely removed Solar Winds, changed the credentials for every service account, and every user who touched that machine, they may have already moved laterally in your network, established other means of persistent access, command and control...

This is a total shit show!
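The scoping logic in the post above, applied by a small script. This is an added illustration, not code from the thread or from SolarWinds or CISA; the hosts, accounts and logon records are constructed sample data, and the rule is the post's own: a compromised host exposes every credential that authenticated to it, and every exposed credential in turn exposes every host it can reach.

```python
"""Blast-radius scoping for a compromised monitoring server (added example).

Starting from the monitoring host, walk the host <-> credential graph until
it stops growing. Everything reached is on the rebuild / rotate list; anything
not reached shared no credentials with the compromised set.
"""
from collections import deque

# Constructed inventory: host -> accounts that authenticate to it (the
# monitoring service account plus interactive/remote logons seen in audit logs).
HOST_ACCESS = {
    "nms01":    {"svc-nms"},               # the monitoring server itself
    "web01":    {"svc-nms", "alice"},      # monitored
    "db01":     {"svc-nms", "dba-bob"},    # monitored
    "pki-ca01": {"svc-nms", "pki-admin"},  # monitored CA: whole PKI now suspect
    "hr-fs01":  {"dba-bob", "carol"},      # not monitored, but dba-bob logs on here
    "lab-vm":   {"dave"},                  # isolated: shares no credentials
}


def scope_compromise(host_access, initial_hosts):
    """Return (compromised_hosts, compromised_accounts) as a transitive closure."""
    # Invert the inventory: account -> hosts that account can reach.
    account_hosts = {}
    for host, accounts in host_access.items():
        for acct in accounts:
            account_hosts.setdefault(acct, set()).add(host)

    hosts = set(initial_hosts)
    accounts = set()
    queue = deque(initial_hosts)
    while queue:
        host = queue.popleft()
        for acct in host_access.get(host, ()):   # credentials exposed on this host
            if acct in accounts:
                continue
            accounts.add(acct)
            for reachable in account_hosts[acct]:  # lateral movement with that credential
                if reachable not in hosts:
                    hosts.add(reachable)
                    queue.append(reachable)
    return hosts, accounts


if __name__ == "__main__":
    hosts, accounts = scope_compromise(HOST_ACCESS, ["nms01"])
    print("rebuild hosts:   ", sorted(hosts))
    print("rotate accounts: ", sorted(accounts))
```

Note that hr-fs01 ends up on the rebuild list even though the monitoring server never touched it, purely because a DBA account logged on to both a monitored host and the file server.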
 
> ALL operating systems. Solar Winds is a network management and monitoring solution. In order to monitor things like system services, the resource has to have a certain level of system access. IF you monitor other Windows systems - those systems need to be considered compromised. If you monitored Linux servers, those servers need to be considered compromised. They need to be completely flattened and rebuilt... This includes the ENTIRE IT INFRASTRUCTURE for many organizations.... This isn't just me saying this, this is the official recommendation from US CISA!!
>
> The Solar Winds hack gave them an initial foothold from which TO DEPLOY ADDITIONAL malware. Even if you completely removed Solar Winds, changed the credentials for every service account, and every user who touched that machine, they may have already moved laterally in your network, established other means of persistent access, command and control...
>
> This is a total shit show!
There goes the Holidays for the network guys.

A final kick in the nuts for 2020.
 
We use solarwinds at work (NPM & SAM) but I have shut down services and disabled them (server it was hosted on had no internet access). We use very little of it and can replace it with another great piece of software we have, EventSentry.
 
Hah, I dodged a bullet. Couple months ago was contacted about a leadership position at SolarWinds. Said no, in part due to the limited upside and unlimited downside of taking over responsibility for that stack.
 