Microsoft: a Second, Different Threat Actor Had Also Infected SolarWinds With Malware (reuters.com)

Reuters reports: A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company's products earlier this year, according to a security research blog by Microsoft.

"The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor," the blog said... It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file's compile times.

Microsoft's detailed blog post notes that the code "provides an attacker the ability to send and execute any arbitrary C# program on the victim's device."
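As an added illustration (not code from the Microsoft or Reuters write-ups), this is how the "compile time" the summary refers to is read: it is the TimeDateStamp field in the PE file's COFF header. The stub image and the March 2020 timestamp below are constructed for the demo, not the actual SUPERNOVA sample, and the plausibility check reflects that the field is attacker-writable.

```python
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew (offset 0x3C in the DOS header) points to the "PE\0\0" signature
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_plausible(compile_ts: int, first_seen_ts: int) -> bool:
    """The stamp is a plain DWORD the author can set to anything, so treat it as a
    hint: reject epoch-zero stamps and stamps later than the first observation."""
    if compile_ts == 0:
        return False
    return compile_ts <= first_seen_ts


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-shaped bytes (not a runnable executable) for the demo."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)  # e_lfanew
    # Machine=0x14C (i386), 1 section, the timestamp, then zeroed remaining fields
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed example: a stamp of 2020-03-24 00:00:00 UTC, "first seen" 2020-12-01
    march_2020 = 1585008000
    first_seen = 1606780800
    sample = build_stub_pe(march_2020)
    when = pe_compile_time(sample)
    print("compile stamp:", when.isoformat())
    print("plausible:", timestamp_is_plausible(int(when.timestamp()), first_seen))
```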

  • by Anonymous Coward on Sunday December 20, 2020 @12:49PM (#60851220)
    Both hacks require Microsoft to be part of the fun.
    • by kot-begemot-uk ( 6104030 ) on Sunday December 20, 2020 @01:22PM (#60851298) Homepage
      Correct, but it is not Microsoft alone which makes the hack TERMINAL to its victims.

      This is rather long, so I have put it on my blog: https://www.fagain.co.uk/node/... [fagain.co.uk]

      What really makes this hack nightmarish in its damage is the control+total information awareness obsession of the current government (and associated companies) security professionals. Solar winds has built something which is an anathema to most security conscious sysadmins and a lucid dream to the idiot spook - a "GOD level NMS". If you have bought the full package it can stick its grubby fingers into everything and it does so as a privileged user - https://www.solarwinds.com/sol... [solarwinds.com]

      • by PPH ( 736903 ) on Sunday December 20, 2020 @01:31PM (#60851318)

        One vendor. One platform. One single pane of glass.

        Now where have I heard something like that before?

        "Ein Volk, ein Reich, ein Fuhrer"

        • by dddux ( 3656447 )
          "Malware appears to have been created in late March, based on a review of the file's compile times." Microsoft's experts say. Such knowledgeable people. Who would say they could do that?
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        a lucid dream to the idiot spook - a "GOD level NMS".

        Technically, it is possible to create a less privileged user to run most of the monitoring parts. It is just that most admins took the defaults to give the solution full access because it was so much easier than doing the hard work to create and deploy without admin rights.

        • The problem is with the security model, not so much the security breach. Specifically, SolarWinds was creating a back-door to Microsoft PCs for remote support purposes. Microsoft has a general policy that if you have network admin rights, then you are in control of the local network. Thus, if SolarWinds security can be penetrated, and SolarWinds is used on PCs on sensitive networks, then it is possible to go after really sensitive data.

          The fundamental security issue is that:
          a) our current security mode

      • Re: (Score:3, Insightful)

        by Iconoclysm ( 3885655 )
        If your environment was 100% *nix, this hack would still have worked...so how does this require Microsoft to work?
        • by Anonymous Coward

          ...so how does this require Microsoft to work?

          When last I checked, running SolarWinds required some form of Microsoft OS or SQL Server database to deploy on ... so there is that.

          • Yet the OS and the database have nothing to do with how the hack works. There are more SolarWinds products than Orion, by the way.
      • So, just when did 'solar winds' get brought in to machines used by the government?
        --
        I have never used it, did use a lot of Nagios Core then Nagios XI at (let's just say state associated) hospitals.

        I did manual updates but I sure didn't have the time/resources to check all the code.

    • No, they don't. In fact, if you believe that to be true you have absolutely no idea what happened here.
  • by gtall ( 79522 ) on Sunday December 20, 2020 @12:50PM (#60851228)

    Nice try attempting to deflect blame that it was your alleged software that enabled this breach, Microsoft. Remember Luna's comment to distract people the Great Hall from noticing as Harry Potter slipped on his invisibility cloak. And don't you wish you had one, Microsoft, to cover the security nightmare of your products.

    • by bazmail ( 764941 )
      To be fair though, their "after the fact" game is strong. lol
    • by Sneftel ( 15416 ) on Sunday December 20, 2020 @01:18PM (#60851284)

      Remember Luna's comment to distract people the Great Hall from noticing as Harry Potter slipped on his invisibility cloak.

      Um... not offhand, no. What about this story made you think "it's time for some obscure Harry Potter references"?

    • Microsoft was not the only software vendor affected by this hack - it was not their software that enabled the breach either.
    • As far as a "security nightmare" of Microsoft's products, where in the world are you even getting that?
      • by lordlod ( 458156 ) on Sunday December 20, 2020 @07:30PM (#60852286)

        As far as a "security nightmare" of Microsoft's products, where in the world are you even getting that?

        Once an attacker achieves Domain Administrator access, and every Solarwinds Orion customer must assume this has happened, the attacker can generate what is known as a golden ticket.

        The golden ticket gets them full uncontrolled domain administrator level access to every computer in the domain.

        Removing an attacker at this point is nightmarishly hard; there are companies that specialise in it. The standard technique is to completely isolate the system, cycle all Kerberos creds to try and expire the golden ticket, which typically takes ten hours. This must be coupled with monitoring to ensure no new golden tickets are created during this process. Once the golden ticket is removed this just leaves identifying any persistence left in any domain joined computer.

        To reliably remove an attacker you are looking at rebuilding the entire domain. Wiping out and rebuilding every server, every PC.

        The ability to obtain an active directory golden ticket is a security nightmare, one that the world and Microsoft has been aware of since 2014, without any meaningful fix or mitigation being produced.

    • by rtb61 ( 674572 )

      They do not want to mention, who the other attack came from, let's all guess. I would bet dimes to dollar, the CIA pushed through the first hack and because they leak like a sieve for profits, the Russians were able to follow in through the hack created by the CIA (after having been sold access information by corrupt contracts). Snowden stands out because he released information to the public, the corrupt do no stand out because they release information into tax havens, crypto exchanges, local organised cri

  • by Anonymous Coward
    The US has the biggest budgets etc so why is the US getting its ass handed to it so badly? Maybe instead of a space force those guys should be sorting out their IT skills. They seem to be sorely lacking according to hacking news.
    • by Freischutz ( 4776131 ) on Sunday December 20, 2020 @01:15PM (#60851280)

      The US has the biggest budgets etc so why is the US getting its ass handed to it so badly? Maybe instead of a space force those guys should be sorting out their IT skills. They seem to be sorely lacking according to hacking news.

      What is so dumbfounding is that none of this critical stuff seems to be air-gapped or networked on a secure encrypted and tamper resistant network that is separate from the internet at large. How the hell is it possible that China was able to steal design data on the F-35 in 2009 and US adversaries are still able to pull shit like this in 2020 for months at a time without anybody noticing? You'd expect government agencies and defence contractors to be vetted monthly by NSA security experts regardless of which corporate pinheads and politically connected people a negative inspection report may embarrass. Instead there seems to be a network of politically connected outfits that get security contracts because they are politically connected and not because they actually know anything about security.

      • by sjames ( 1099 )

        vetted monthly by NSA security experts

        You mean the people who misplaced their hacking toolkit which became the basis for a new wave of crypto-extortion trojans?

        • vetted monthly by NSA security experts

          You mean the people who misplaced their hacking toolkit which became the basis for a new wave of crypto-extortion trojans?

          I won't argue with that; the NSA is in dire need of reform, but it is still the agency that is supposed to defend against SIGINT attacks.

      • Anything of actual security importance is on its own network, disconnected from the Internet.
      • by lordlod ( 458156 ) on Sunday December 20, 2020 @07:46PM (#60852312)

        What is so dumbfounding is that none of this critical stuff seems to be air-gapped or networked on a secure encrypted and tamper resistant network that is separate from the internet at large.

        A computer with the power off sitting in a safe is super secure from hacking. It's also kinda useless.

        The 9/11 commission report went into extensive detail around the lack of intelligence sharing between and within government agencies.

        For the 17 members of the US intelligence community with offices around the world to work together you need a large interlinked network. It is no longer viable for this to be air-gapped and entirely contained within secure locked rooms. They can and do tightly control links between these networks and the internet at large, but the links have to be there and the solarwinds attack was very clever in disguising the traffic flows.

        • What is so dumbfounding is that none of this critical stuff seems to be air-gapped or networked on a secure encrypted and tamper resistant network that is separate from the internet at large.

          A computer with the power off sitting in a safe is super secure from hacking. It's also kinda useless.

          I see you have the power of selective reading. I vividly remember saying:

          ... networked on a secure encrypted and tamper resistant network that is separate from the internet.

          There is no earthly reason to expose top secret data to the common internet unless it is absolutely necessary. These bozos have had over ten years to secure the US government infrastructure since the F-35 heist. The result is that their IT security contractor got hacked and used as an attack vector, which also instantly disables the usual fallback excuse that private industry would have done a better job. Solar Winds is private industry.

          • Part of the reason all systems are so insecure is that security involves much more than just securing the network. All the apps on your systems must be secure, the supply chain that built the hardware must be secure, the management systems and updaters and updates and monitoring systems must be secure (including for each individual app), the software taken from open source development must be secure, the 3rd party libraries used must be secure, all the people in all these chains must be proof against socia
    • by PPH ( 736903 )

      Like Willie Sutton said: "That's where the money is."

  • for solarwinds today?

  • by Viol8 ( 599362 ) on Sunday December 20, 2020 @01:17PM (#60851282) Homepage

    I guess some admins and companies just never learn.

  • I hate to say this because I would not want to see innocent people lose work, but I wonder if this latest incident will cause SolarWinds to go to Chapter 11.

    If so maybe it will finally get other IT companies to wake up and take security seriously

    • Re:Hate to say it (Score:5, Interesting)

      by phantomfive ( 622387 ) on Sunday December 20, 2020 @01:39PM (#60851342) Journal

      CCPA is causing companies to take security seriously, because a big information leak can end a company ($1000 fine or more per leaked record).

      They are taking it seriously, but running into trouble because they don't know how to do security. There are a lot of security people, and finding the ones who know what they are doing instead of just talking good is hard for a CEO.

  • Sure doesn't enhance Slashdot's credibility. But I guess money talks.

    • by Anonymous Coward

      Sure doesn't enhance Slashdot's credibility. But I guess money talks.

      To be fair, many of the ads are auto-selected based on site/audience/discussions, and are not directly vetted by the sites they appear on. On the other hand, it is surprising that SolarWinds has not terminated their advertising expenditures to conserve capital while they figure out if they will have any product left to sell.

  • Meanwhile . . . (Score:3, Informative)

    by quonset ( 4839537 ) on Sunday December 20, 2020 @02:29PM (#60851494)

    The con artist continues to ignore this massive attack on the government, even going so far as to deflect responsibility from his Russian handler [cnn.com].

    This sounds oddly familiar. As if for the last nine months he's been doing the same ignoring about something else. Apparently taking responsibility as a "leader" isn't something he's willing to do. Must be why he got fired last month.

    • by sjames ( 1099 )

      It took Donald Trump to turn The Family Circus [pinimg.com] into a political cartoon.

    • Yeah, this is the guy who skipped most intelligence briefings, and then offered the excuse that he doesn't need them because he's "a smart guy". Holy crap, that's incredibly concise evidence of both dereliction of duty and hubris. In all probability, it's also indicative of stupidity.

      Con artist, indeed. He came in, posturing as a guy who wants to shake things up. That could be somewhat useful, and I was interested to see what would happen with him. Unfortunately, he just turned out to be a guy who wa
      • by Anonymous Coward

        It's not stupidity, why do you think Trump recently replaced all the heads at the top of the Pentagon right when this attack was coming to the fore? Why do you think he's actively taking Russia's side yet again as he always has?

        A lot of stuff in Trump's presidency just never made sense - e.g. randomly abandoning the Kurds whom he'd been supportive of previously without any notice at all. That is, it doesn't make sense until you look through the lens of benefit to Russia. In doing this he handed control of E
