Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy

SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks (arstechnica.com) 43

An anonymous reader quotes a report from Ars Technica: Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies. Nobelium -- the name Microsoft gave to the intruders -- was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group's proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium's numerous feats -- and a few mistakes -- as it continued to breach the networks of some of its highest-value targets.

Mandiant's report shows that Nobelium's ingenuity hasn't wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack -- one called UNC3004 and the other UNC2652 -- have continued to devise new ways to compromise large numbers of targets in an efficient manner. Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.
The advanced tradecraft didn't stop there. According to Mandiant, other advanced tactics and ingenuities included:
  • Use of credentials stolen by financially motivated hackers using malware such as Cryptbot (PDF), an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed the UNC3004 and UNC2652 to compromise targets even when they didn't use a hacked service provider.
  • Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with "application impersonation privileges," which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
  • The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
  • Gaining access to an active directory stored in a target's Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what's known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader dubbed Ceeloader.

This discussion has been archived. No new comments can be posted.

SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks

Comments Filter:
  • by ttspttsp ( 7600944 ) on Monday December 06, 2021 @10:52PM (#62054443)
    I never saw the evidence that the attack came from the 'Kremlin'. I understood that the software was determined to probably have originated in Russia but I didn't know we had evidence that the attack came from Russia or was directed by the Russian government.
    • I never saw the evidence that the attack came from the 'Kremlin'. I understood that the software was determined to probably have originated in Russia but I didn't know we had evidence that the attack came from Russia or was directed by the Russian government.

      The "Kremlin-backed hacking" claim is from arstechnica and I'm unable to find it in any of it's sources.

    • I never saw the evidence that the attack came from the 'Kremlin'. I understood that the software was determined to probably have originated in Russia but I didn't know we had evidence that the attack came from Russia or was directed by the Russian government.

      Of course not tovarich! Russia is our golden friend with pure intentions that doesn't let criminal gangs blackmail others from within it's border, as long as they pay an "operations cost" as part of doing business, to the Mother Russia.

      You're either so naïve it's cute or you're a deflection troll. I've been doing security work for over two decades, and have tracked a lot of activity to places people don't expect. Today, however, it's primarily state sponsored (and financed, as in they are financed

      • by Pascoea ( 968200 )

        ...they are an enemy conducting attacks, and the cybercriminals are paid thugs, doing the job they were hired to do by their state sponsored employer.

        So, just like we're doing?

      • I hope you don't take my question about the Solarwinds attack being launched by Russian operatives as saying that Russia is our friend. I don't think any other country is really our 'friend', and we have plenty of enemies. I think in some cases our own intelligence services act against our best interests and are therefore not our friend as well. If the US government believes that Russia was behind the attack they should say so in clear unambiguous language.
  • by Anonymous Coward on Monday December 06, 2021 @11:00PM (#62054453)

    Nothing in this list constitutes a new bag of tricks. This is all the same shit we have been seeing happening to poor fools for years. Especially fools who drink the one ring to rule them all central management of everything no matter the risks or consequences koolaid.

    SAML is unnecessarily complex and pathetically insecure by design.

    AD was designed by crazy people and has a long distinguished track record of epic fail.

    Geo-blocking / classification is so dumb it needs no further explanation.

    Moving laterally is what always happens with ease once the perimeter is breached. After all these years of epic fail everyone is still obsessed with CASTLE DEFENSE.

    • by Z00L00K ( 682162 )

      As soon as you are inside the corporate firewall with a central IT organization you can compromise all servers and most network equipment in one blow - worldwide.

      As soon as you have central IT management you have a huge security hole.

      • by Aighearach ( 97333 ) on Tuesday December 07, 2021 @01:57AM (#62054601)

        As soon as you have central IT management you have a huge security hole.

        The problem, of course, is that before you have central IT management you have a whole bunch of huge security holes.

        • by Z00L00K ( 682162 )

          Not really - the holes are still there, but now the consequences with a huge central managed network the impact will spread to ALL sites instead of being local to a single site.

          Central management will just cause people to make workaround solutions with shadow nets locally.

          • You can't just "nuh uh" your way out of the history of IT security.

            It is perfectly reasonable to be for or against central management, as there are a lot of variables and which is better depends on context.

            But the base state is having a lot of huge security holes. There is no way around that. Security is hard.

            • by Z00L00K ( 682162 )

              And with central management you tie together all sites - or you will have IT security people travel around the world.

              If the central management is breached then it's a corporate wide issue, and that's why Solarwinds was so bad, they have central management systems accessing all sites.

    • the groups compromised the networks of cloud solution providers and managed service providers, or CSPs

      Ah, the cloud, a.k.a "the single centralised point of failure", also known as "the mother (lode) of all targets".

    • by AmiMoJo ( 196126 ) on Tuesday December 07, 2021 @07:27AM (#62055077) Homepage Journal

      Perhaps you could enlighten us as to what the alternative is. Say you have a company with 1000 machines, various laptops and desktops, plus a bunch of phones. The usual array of printers and scanners. You need to run lots of niche software, some of it unique to your organization. Standard stuff.

      Obviously your users are clueless and regularly do things like forget passwords. You can't trust them not to open malicious emails etc. You need some kind of automated backup solution because the users won't do it themselves.

      What is your preferred solution?

  • by phantomfive ( 622387 ) on Monday December 06, 2021 @11:08PM (#62054465) Journal

    If you care at all about security, and you haven't moved away from Solarwinds (or made plans to move away from Solarwinds), then you don't actually care about security.

    • by sjames ( 1099 )

      I would say if you haven't abandoned the idea of a centralized admin tool. Solarwinds was the problem THIS time. Next time, something else gets compromised and hands over the gold key to the kingdom.

      The problem is, corporations love those tools because it lets them get away with less admins and less skillful admins. Until the tool gets compromised or somebody fat fingers something and the party's over.

    • by micheas ( 231635 )

      If you care at all about security, and you haven't moved away from Solarwinds (or made plans to move away from Solarwinds), then you don't actually care about security.

      And Active Directory

  • Since when?

    Sorry, but this is distraction from the fact that business models like solar winds, where we put all of our secrets in the hands of others, is a STUPID FUCKING IDEA.

    • Since when?

      Sorry, but this is distraction from the fact that business models like solar winds, where we put all of our secrets in the hands of others, is a STUPID FUCKING IDEA.

      You sound young.

      It's a six of one, half dozen of the other, scenario. Sure you can use six different products instead of one, but then you have six different products with six sets of update schedules, that may or may not work together, and six long lists vulnerabilities. Conversely you can you one larger product with a single update schedule, but it still has a large number of vulnerabilities, but hey at least they work together. Don't think that writing it in-house is any better, then you're just movi

Single tasking: Just Say No.

Working...