Microsoft Says SolarWinds Hackers Downloaded Some Azure, Exchange, and Intune Source Code (zdnet.com)
Microsoft's security team said today it has formally completed its investigation into its SolarWinds-related breach and found no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers. From a report: The OS maker began investigating the breach in mid-December after it was discovered that Russian-linked hackers breached software vendor SolarWinds and inserted malware inside the Orion IT monitoring platform, a product that Microsoft had also deployed internally. In a blog post published on December 31, Microsoft said it discovered that hackers used the access they gained through the SolarWinds Orion app to pivot to Microsoft's internal network, where they accessed the source code of several internal projects. "Our analysis shows the first viewing of a file in a source repository was in late November and ended when we secured the affected accounts," the company said today, in its final report into the SolarWinds-related breach.
How the f**k is SolarWinds still in business? (Score:2)
Orion is their main product and it should never be used again, period. Who knows what inherent flaws it has that the hackers discovered and set aside for a rainy day? In short it's completely compromised and if I was a company using it, I would have uninstalled it from everything and cancelled the support contract months ago. Since everyone should be doing the same, that should kill SolarWinds' main revenue stream and hence the business as a whole.
Yet here we are and everything appears to be just fine. Does that mean that (horror) companies are still using Orion? Does it mean that Microsoft (mind-numbing horror!) is still using Orion?
Re:How the f**k is SolarWinds still in business? (Score:5, Informative)
Orion is their main product and it should never be used again, period. Who knows what inherent flaws it has that the hackers discovered and set aside for a rainy day? In short it's completely compromised and if I was a company using it, I would have uninstalled it from everything and cancelled the support contract months ago. Since everyone should be doing the same, that should kill SolarWinds' main revenue stream and hence the business as a whole.
Yet here we are and everything appears to be just fine. Does that mean that (horror) companies are still using Orion? Does it mean that Microsoft (mind-numbing horror!) is still using Orion?
The security risk that Orion presented is pretty much universally applicable to every anti-malware company out there. How many computers could you gain control of worldwide if you hacked the update distribution servers of Symantec, McAfee, ESET, Bitdefender, Avast, ..., etc.? Billions, I expect. People expressed skepticism over claims that Kaspersky's systems were being used by Russian Intelligence, literally as a search engine, to scour the computers of Kaspersky customers for data. After this hack that sort of scheme no longer sounds so far-fetched. All these anti-malware suites require full disk access to function, none of what they do on your computer is transparent to you, the user, and they all have a direct connection to a third-party server. People download this software and give it access to every scrap of data they own without thinking about it, and pay for the privilege. That kind of access to billions of computers has to be every hacker's wet dream.
Re: (Score:2)
Maybe even less vulnerable than anti-malware software. I have only lightly used other people's installs of Orion, so I don't know to what extent it is capable of, or can be used for, pushing configurations, but you would think that as a monitoring solution it might be possible to limit an Orion install to just "read only" status monitoring of all the devices it can connect to.
I'd imagine where it really hurts, though, is to the extent that Orion is probably exposed to presumed-secure management networks with oth
Re: (Score:1)
Re: (Score:2)
Obligatory car analogy. No matter who drives, there exists the risk of distracted driving leading to crashing into a tree, fire hydrant, etc. You have a choice of two drivers. One of them has never had an accident of note, the other recently plowed through an elementary school after spilling his coffee in his lap while driving. Which one do you pick?
You want to store some important papers with a lot of value attached. Do you trust the storage place offering you a steel box with two keys inside a vault with
Re: (Score:2)
Without more information, I can't say which driver I would pick. But if both were experienced drivers and both seemed, upon interviewing them and testing their driving skills and looking at the rest of their background, to be indistinguishable except for the coffee-spilling incident, I would probably pick the driver that had the coffee-spilling incident.
This is because the driver that had the horrible accident is now very viscerally aware of the dangers of drinking coffee while driving. The other driver like
Re: How the f**k is SolarWinds still in business? (Score:3)
Another logic would suggest that their code has a higher chance of being secure now, due to people combing it for security holes with a fine-toothed comb and fixing them, as opposed to others who may not even be aware of their security holes. At least in open-source projects, that is usually the case.
Of course, the counter-argument is that that implies they actually will do or already did that. Which is likely, with everyone who can't quickly switch to something else screaming for patches. But then, that im
Re: How the f**k is SolarWinds still in business? (Score:2)
Nevermind the typos. Caffeine hasn't reached the prefrontal cortex yet. :)
Re: (Score:1)
An analysis of M$ history indicates they routinely lie to maximise profits and minimise losses, shamelessly and routinely lie. Any corporation dealing with them has to assume this announcement is a lie and demand a public audit into their systems, by filing a civil suit to access and confirm actual security risks, rather than PR=B$ lies pouring out of M$. The only way for any corporation relying on M$ for security is to sue to find out what really happened and what the risks really are going forward. M$ execut
High impact vulnerabilities ahead? (Score:4, Interesting)
Microsoft claims that the code seen by the attackers contained no hard-coded or otherwise implied security credentials, and they almost make it sound like "nothing to see here, please move along". That sigh of relief may be a bit premature, though.
The attackers seemed to have focused their attention on security and identity components, which are exactly the parts likely containing the most critical as-yet-unknown vulnerabilities, and those with the highest impact.
We'll probably see how many urgent security fixes these products will receive over the next few months ...
Re: (Score:3)
Well, all the code I run is certain to have its sources downloaded by hackers, including any unknown vulnerabilities. I guess I'm fucked :p
Re: (Score:3)
Closed source = only blackhats have access to the code, giving them an advantage
Open source = whitehats have access to the code too so everyone is on a level field
Re: High impact vulnerabilities ahead? (Score:5, Insightful)
Both cases = Everybody assumes somebody else does the cumbersome work of combing all the code for security holes. Especially the hard to understand crucial core parts that nobody wants to touch. ;)
Open source is undoubtedly better. But don't make the assumption that just because it can be done, it actually is done. (Or that unless you are an auditor, you could judge the competence of an auditor.)
Re: (Score:2)
If you look at the long-term track record of most established open source projects, even moderately critical bugs are fixed much, much more quickly than even super-critical bugs in most parts of the closed source world. Also, the fixes to open source products are universally available, whereas patches to closed source software are frequently offered in tranches based on priority level.
Note, how I used the phrase "over the next few months" instead of "today" in my original message.
Re: (Score:2)
I believe (with no statistical information other than ad hoc experiences) you are correct that typically the open source products get patched sooner, but that still doesn't fix the issue of the vulnerability being there initially, which is the crux of the whole issue.
Re: (Score:2)
Microsoft claims that the code seen by the attackers contained no hard-coded or otherwise implied security credentials, and they almost make it sound like "nothing to see here, please move along". That sigh of relief may be a bit premature, though.
The attackers seemed to have focused their attention on security and identity components, which are exactly the parts likely containing the most critical as-yet-unknown vulnerabilities, and those with the highest impact.
We'll probably see how many urgent security fixes these products will receive over the next few months ...
It's a good thing it is in the cloud, which keeps your data invulnerable.
Pivot pivot (Score:3)
Well, if, thanks to this, "pivot" becomes associated with criminal activity, maybe it can finally be removed from business "bullshit bingo" cards.
Ethical Hacking (Score:1)
Oh wait... They already have. [zimbra.com]
Don't like hackers? (Score:1)
Don't go online.
Re: Don't like hackers? (Score:2)
*laughs in Stuxnet*
Or the 90s hacker teen variant: USB stick into the PC at the doctor's office while waiting for the doc, waiting a few seconds for autorun to launch your malware, pull it out, go home and enjoy your new botnet! ;)
(OK the latter still requires Internet access for the command & control channel, but not for the infecting. And also only an outgoing connection, so firewalls won't help.)
Another version was dropping a USB drive (or floppy, back in the days) into somebody's mailbox, decorated
Absolutely (Score:2)
Suuuurre.
Azure Source code? (Score:2)
Poor hackers. The things they've seen that man was not meant to know.
SolarWinds hacker published description: (Score:2)
One SolarWinds hacker published a description of his experience: https://www.hplovecraft.com/wr... [slashdot.org]
Excuse the symbolism. His mind is not the same anymore.
Re: SolarWinds hacker published description: (Score:2)
Oh goddammit. Excuse the buggy HTML. *twitches* *has flashbacks to ASP coding*.
Re: (Score:2)
This quote from the article really struck me:
"Upon looking at the source code, the hackers immediately regretted it, as the blinding glare from the toxic code was quite painful. On the darknet, a message of warning was found: 'do not look at code with remaining good eye.'"
How convenient! (Score:2)
Now everybody who ever leaked something or had bad security is gonna come out and claim it was "dem SolarWinds hackers! Totally not our bad security." to please the war drummers that grant contracts. :D
Looking at the Azure code (Score:2)
Will probably tremendously improve the hackers' skills. About 3 years ago I got a close look at the Azure Storage code and it was very well-written. Clever, but not in Scalzi's Law ways. Every return value was checked. Every method call wrapped (where appropriate) in try/catches. Very well commented. Clearly written to be read by people who weren't the original developers.
Fork With Useful Error Messages? (Score:3)
strange PR ... (Score:2)
Goes against Microsoft's "safe" view on security (Score:3)
So much so that most critical vulnerabilities can be safely deferred and worked on as needed, because you didn't know.
Out of sight, out of mind.
Microsoft is "taking care of you". The idea is that they can fix critical problems (and believe me, the list is larger than you can imagine) at their leisure, because... people don't know about them.
Here's the problem... now we can know. Or maybe worse, the only people that "now know" aren't the greatest examples of humanity out there.
Rumor Has It... (Score:2)
... they also got access to Dovecot, Xen, and Kubernetes source.
See, the Free World is in just as much danger as those behind Microsoft's Iron Curtain.
the poo (Score:3)
The hax0rs got the poo on them. Now the poo will be exposed for all to see, one dingelberry at a time.
github (Score:2)
Re (Score:1)