
SolarWinds Orion


bitflipper


Last week I noticed a news report that there'd been a widespread hack into government networks. It didn't set off any alarms in my head, since stealing data has been an international hobby for years.

Then I watched the SANS Emergency Webcast from a couple days ago. And holy sh*t, this is big. When you think "hack" you picture some script-kiddie in his mom's basement trying to alter his high school grades. This ain't that. This is a highly sophisticated act of cyberwarfare.

Caveat: the above-linked webcast will be very obtuse to most folks, as the intended audience is computer-security propellerheads. But I know there are a few here that will at least get the gist of it, even if you have to look up a few acronyms along the way.


It looks like it's not so much the product but the updates being hacked, because the download mechanisms are not as secure as they should be. Basically, when an admin goes to retrieve the updates, they typically use FTP (an insecure protocol), and apparently the hackers changed some of the product code on the update site to allow some logging of user logon activities, and then used that info to log on as a user. It takes months of work to do this because of the small amounts of info collected and the backdoor access needed to retrieve it and use it. All the usual main scream media types are "Russia, Russia, Russia," but there are no definitive signatures, except that many of the admin people deploying this software are of Asian origin... go figure...


And then there's this from TechDirt and Reuters

"No doubt the company [SolarWinds] claims to take security seriously. But while users are being subjected to password requirements that demand that they utilize most of the alphabet and multiple shift key presses, internal security isn't nearly as restrictive. Here's the "OMFG are you ***** kidding me" news via Reuters, which first broke the news of the malicious hacking.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”."

https://www.techdirt.com/articles/20201215/13203045893/security-researcher-reveals-solarwinds-update-server-was-secured-with-password-solarwinds123.shtml

https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8


Oh, yeah. Voxengo SPAN was definitely a trojan horse, a back door that led to me blithely installing many useful plugins DIRECTLY FROM RUSSIA!

(btw, this is a joke. AFAIK the Russians have no interest in tricking the NSA into compromising their sample rate conversions or master bus limiting.)


And now there's this (Reuters is all over this):

Second hacking team was targeting SolarWinds at time of big breach

A second hacking group, different from the suspected Russian team now associated with the major SolarWinds data breach, also targeted the company’s products earlier this year, according to a security research blog by Microsoft. “The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” the blog said.

Security experts told Reuters this second effort is known as “SUPERNOVA.” It is a piece of malware that imitates SolarWinds’ Orion product but it is not “digitally signed” like the other attack, suggesting this second group of hackers did not share access to the network management company’s internal systems.

https://www.reuters.com/article/us-usa-cyber-solarwinds/second-hacking-team-was-targeting-solarwinds-at-time-of-big-breach-idUSKBN28T0U1

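The Reuters piece above draws the line between the signed attack and the unsigned SUPERNOVA web shell. One practical check an Orion admin can run from that distinction is to inventory every DLL under the Orion install directory and flag anything whose Authenticode signature is missing, invalid, or not issued to SolarWinds. This is an added example, not code from the thread or from SolarWinds; the install path is an assumption and should be replaced with the real one.

```powershell
# Added example (not from the original post or from SolarWinds).
# Lists Orion DLLs whose Authenticode signature is missing, invalid,
# or signed by someone other than SolarWinds.
# The install path below is an assumption; adjust it for your server.
$orionDir = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed path

$results = Get-ChildItem -Path $orionDir -Filter *.dll -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            File   = $_.FullName
            Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Anything here deserves a look: unsigned, tampered, or signed by a third party.
$results |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*SolarWinds*' } |
    Format-Table -AutoSize

# Keep the full inventory (including valid files) for comparison against vendor hashes.
$results | Export-Csv -Path "$env:TEMP\orion-dll-inventory.csv" -NoTypeInformation
```

As the post itself notes, the first attack shipped inside a validly signed SolarWinds binary, so a clean result from this check only rules out the unsigned case; the SHA256 column is exported so the files can still be compared against the hashes the vendor and incident responders publish.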
