
Security

Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says (wsj.com)

The newly appointed chief executive of SolarWinds is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year, but said evidence is emerging that they were lurking in the company's Office 365 email system for months. From a report: The hackers had accessed at least one of the company's Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, Sudhakar Ramakrishna said in an interview Tuesday. "Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised," he said. It is the latest development in the eight-week investigation into one of the worst breaches in U.S. history. SolarWinds, previously a little-known but critical maker of network-management software, is still trying to understand how the hackers first got into the company's network and when exactly that happened. One possibility is that the hackers may have compromised the company's Office 365 accounts even earlier and then used that as the initial point of entry into the company, although that is one of several theories being pursued, Mr. Ramakrishna said.
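The summary describes the pattern worth hunting for in any tenant: one mailbox is compromised, and the same intruder then pivots into other accounts. The following PowerShell is an added example written for this page, not SolarWinds' or Microsoft's code, and it runs over a handful of constructed audit records embedded inline. The record shape (CreationTime, Operation, UserId, MailboxOwnerUPN, ClientIPAddress) only loosely resembles Exchange mailbox-audit events; the field names, addresses and thresholds are assumptions for the demonstration, so map them to whatever your real export contains.

```powershell
# Added example: flag mailbox "leapfrogging" in constructed Office 365 audit records.
# Constructed sample data; field names are assumptions and not the real audit schema.
$records = @'
[
  {"CreationTime":"2019-12-03T08:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.com","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"203.0.113.10"},
  {"CreationTime":"2019-12-03T08:05:40","Operation":"MailItemsAccessed","UserId":"alice@example.com","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"198.51.100.7"},
  {"CreationTime":"2019-12-03T08:09:02","Operation":"MailItemsAccessed","UserId":"alice@example.com","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"198.51.100.7"},
  {"CreationTime":"2019-12-03T08:31:19","Operation":"MailItemsAccessed","UserId":"bob@example.com","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"198.51.100.7"},
  {"CreationTime":"2019-12-03T09:14:55","Operation":"MailItemsAccessed","UserId":"carol@example.com","MailboxOwnerUPN":"carol@example.com","ClientIPAddress":"198.51.100.7"},
  {"CreationTime":"2019-12-03T09:20:00","Operation":"MailItemsAccessed","UserId":"dave@example.com","MailboxOwnerUPN":"dave@example.com","ClientIPAddress":"192.0.2.44"}
]
'@ | ConvertFrom-Json

# Tunable thresholds (assumed values): how many distinct accounts from one address, in how many hours.
$accountThreshold = 3
$windowHours      = 2

# Signal 1: a signed-in identity reading a mailbox it does not own.
# Legitimate delegates do this too, so treat it as a lead to check, not proof of compromise.
$records |
    Where-Object { $_.UserId -ne $_.MailboxOwnerUPN } |
    ForEach-Object {
        Write-Output ("NON-OWNER ACCESS: {0} read mailbox {1} from {2} at {3}" -f `
            $_.UserId, $_.MailboxOwnerUPN, $_.ClientIPAddress, $_.CreationTime)
    }

# Signal 2: one client address authenticating as several distinct accounts in a short span.
# This is the "compromise one account, then the next" movement the CEO describes.
# Simplification: the whole first-to-last span per address is compared against the window,
# rather than a sliding window.
$records | Group-Object ClientIPAddress | ForEach-Object {
    $byTime   = @($_.Group | Sort-Object { [datetime]$_.CreationTime })
    $first    = [datetime]$byTime[0].CreationTime
    $last     = [datetime]$byTime[-1].CreationTime
    $accounts = @($byTime | Select-Object -ExpandProperty UserId -Unique)
    if ($accounts.Count -ge $accountThreshold -and ($last - $first).TotalHours -le $windowHours) {
        Write-Output ("ACCOUNT HOPPING: {0} used {1} accounts ({2}) between {3} and {4}" -f `
            $_.Name, $accounts.Count, ($accounts -join ', '), $first, $last)
    }
}
```

With the sample data, the script reports alice@example.com reading bob@example.com's mailbox, and then 198.51.100.7 cycling through three accounts in just over an hour. Against a real tenant you would feed it the exported audit log instead of the inline JSON, and you would want both signals to survive a change of source address, since a careful intruder will not keep using the same one.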
  • We switched from a Google product that integrated an office suite, shared file editing, conferencing, etc.

    Then management decided to go for Office 365. We were told it was not to save money, that it was not a financial decision. MS sales critters sold a cock-and-bull story of migration plans and how all files would be ported over, etc. What they did not tell them was that all the cross-referenced links between documents would be gone. All the pull requests linked to user stories, defects, stories spawned from defects, notes at

  • by OffTheLip ( 636691 ) on Wednesday February 03, 2021 @01:28PM (#61024100)
    The core server management software compromised, their email/office suite compromised, what's next? I can't fathom why anyone is comfortable using their products now.
    • by raymorris ( 2726007 ) on Wednesday February 03, 2021 @03:54PM (#61024584) Journal

      We have three new vulnerabilities in SolarWinds announced today. One of them is a critical, must-be-patched-today issue. It allows remote code execution as LocalSystem (one step above Administrator). It leverages a terribly insecure subsystem in Windows which SolarWinds should not have been using (and which should not exist).

      https://threatpost.com/solarwi... [threatpost.com]

      Why does SolarWinds keep having these problems?
      Because while they are obviously a very desirable target, they haven't taken security seriously. Simple as that. They need to act like they are the Pentagon protecting top-secret material, because their product DOES have access to high-level secrets.

      Also, they need to stop fucking running their MONITORING as LocalSystem. If they want to have a separate optional component for pushing out software that runs at high privilege, fine. But you don't fucking need OS-level write privileges to READ monitoring data!

      • by sjames ( 1099 )

        This. The principle of least privilege exists for good reason.

        To be fair to SolarWinds, MS makes it a lot harder to do the right thing than it should be.
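The point raised above, that a monitoring agent only needs to read data and so should not run as LocalSystem, can be acted on from an elevated PowerShell prompt. The following is an added example written for this page, not SolarWinds' or Microsoft's code: it inventories services that run as LocalSystem, then re-points a hypothetical collector service on a read-only local account. The service name ExampleMonSvc and the account name svc-monitor are assumptions; substitute the agent you actually run, and expect the real agent's documentation to tell you what it needs beyond counter and event-log reads.

```powershell
# Added example: enforce least privilege on a Windows monitoring service.
# Run elevated. 'ExampleMonSvc' and 'svc-monitor' are assumed names for the demonstration.

# 1. Inventory: every service whose logon identity is LocalSystem.
#    Anything in this list that only reads metrics is a candidate for a lower-privilege account.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, State, StartName, PathName |
    Format-Table -AutoSize

# 2. Create a dedicated, non-administrative local account for the collector.
$svcName  = 'ExampleMonSvc'
$account  = 'svc-monitor'
$password = Read-Host -AsSecureString "Password for $account"
New-LocalUser -Name $account -Password $password -PasswordNeverExpires -UserMayNotChangePassword | Out-Null

# 3. Grant only read-type rights: performance counters and event logs.
#    Deliberately no membership in Administrators.
Add-LocalGroupMember -Group 'Performance Monitor Users' -Member $account
Add-LocalGroupMember -Group 'Event Log Readers'        -Member $account

# 4. Re-point the service at that account. sc.exe requires the space after each '='
#    and takes the password in plaintext, hence the SecureString unwrap.
$plain = [System.Net.NetworkCredential]::new('', $password).Password
sc.exe config $svcName obj= ".\$account" password= $plain
Remove-Variable plain

# 5. Restart and verify the logon identity actually changed.
Restart-Service -Name $svcName
Get-CimInstance Win32_Service -Filter "Name='$svcName'" | Select-Object Name, State, StartName
```

If the service refuses to start after step 4, the usual cause is that the account lacks the "Log on as a service" right (SeServiceLogonRight); grant it through Local Security Policy, secedit, or Group Policy. Any component that genuinely must push software or change configuration belongs in a separate service with its own, higher-privilege identity, which is exactly the split the comment above argues for.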

  • Comment removed based on user account deletion
    • by gweihir ( 88907 )

      Because many, many others are just as incompetent and clueless. The only reason these others have not caused such a complete disaster is that they are less attractive to attackers.

      • That's not the problem. The problem is that the other companies making the decision to use the software have no way to evaluate how good the security is, until after a hack is publicized. If companies that wanted to choose secure software over insecure software had the information and ability to evaluate the information in order to make that decision, then there'd be market pressure against insecure software. But as things stand, it's much easier to see things like price and features and ease of use that ar

  • "a primary vector for hackers"? Easy: you used Microsoft products in your business operations.
    • More like they didn't use a proper 2FA mechanism even though they're a vendor of network software and should understand the concepts of network security.
  • by oldgraybeard ( 2939809 ) on Wednesday February 03, 2021 @01:49PM (#61024196)
    you get outsourced-grade security, i.e. "We don't need to do any of that security stuff; we outsourced it, so we're covered."
    • by sjames ( 1099 )

      I wonder how many full circle outsources there are in the wild. A division of A outsources to B who is actually reselling C who outsourced to another division of A to actually provide the service.

  • This is why one should not use "Other People's Computers" (aka the "Cloud") for anything that might go beyond mere entertainment. When you delegate things to Other People then you should be aware that you are giving up *ALL* control and security to that third-party.

    As you sow, so shall you reap.

    • by bobby ( 109046 )

      Agreed. But if I understand correctly, you could have SolarWinds software on your own hosted servers and be in the same boat (but at least you'd have more control over pulling the plugs and switching to backup systems, assuming you have them on hand).

    • This is why one should not use "Other People's Computers" (aka the "Cloud") for anything that might go beyond mere entertainment. When you delegate things to Other People then you should be aware that you are giving up *ALL* control and security to that third-party.

      Google/Facebook probably do security better than most people, and yes I'm including the security of one's own account.

    • by Anonymous Coward

      That's for sure.

      LibreOffice has an email client???

      • LibreOffice has no mail client, so you cannot read your emails using LibreOffice. You could use it to send emails, but only as a mail-merge (sending personalised messages from a template to one or more recipients).

  • At this point, industries in secure fields should require security keys (FIDO). That's it. Why do we keep seeing dumb crap like this happen again and again? The federal government should pass a regulation requiring all financial and health companies to support FIDO or OTP on their consumer-facing websites within three years. It's crap that we're letting this happen again and again.
