Quantcast
Microsoft and US gov exploited via Solarwinds - Beyond.ca - Car Forums
Results 1 to 13 of 13

Thread: Microsoft and US gov exploited via Solarwinds

  1. #1
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    GLC43
    Posts
    8,513
    Rep Power
    22

    Default Microsoft and US gov exploited via Solarwinds

    https://venturebeat.com/2020/12/18/m...n-its-systems/

    Get ready to patch your MS products.


    So it's uncle Putin that get to control everyone via vaccine after all as Uncle Bill may have lost the key.

  2. #2
    Join Date
    Oct 2009
    Location
    Calgary
    My Ride
    rally pig
    Posts
    2,377
    Rep Power
    9

    Default

    ugh I thought we were safe since we dont use Solarwinds in our environment. have to watch this closely now.

  3. #3
    Join Date
    Apr 2004
    Location
    Calgary
    My Ride
    2013 Q5
    Posts
    1,862
    Rep Power
    18

    Default

    This hack looks to be really bad. Something like 60% of Fortune 500 companies use SolarWinds software, not to mention all the government agencies around the world.

    I have a feeling we will be seeing impacts of this for years to come.

  4. #4
    Join Date
    Apr 2008
    Location
    calgary
    My Ride
    CLK 55 / 2g Eclipse / EP3
    Posts
    4,380
    Rep Power
    15

    Default

    This is way more then just Solar Winds and MS - various SMTP servers went down as well - and others.

  5. #5
    Join Date
    Mar 2010
    Location
    Calgary
    My Ride
    Fiesta ST
    Posts
    967
    Rep Power
    13

    Default

    Hey, at least the US didn't reallocate money from their cyber security budget to build a wall instead. Oh wait.
    Nolan

  6. #6
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    2 x E Class Benz
    Posts
    22,091
    Rep Power
    48

    Default

    Quote Originally Posted by pheoxs View Post
    This quote is hidden because you are ignoring this member. Show Quote
    Hey, at least the US didn't reallocate money from their cyber security budget to build a wall instead. Oh wait.
    Trump may be an idiot but do you really think that would have made a difference here?
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  7. #7
    Join Date
    Mar 2010
    Location
    Calgary
    My Ride
    Fiesta ST
    Posts
    967
    Rep Power
    13

    Default

    Quote Originally Posted by rage2 View Post
    This quote is hidden because you are ignoring this member. Show Quote
    Trump may be an idiot but do you really think that would have made a difference here?
    In preventing it? No. But in trying to investigate the damage and actually doing something about it? Perhaps. Then again the Trump administration has been completely silent about it even though it's clear what country is suspected of the attacks.
    Nolan

  8. #8
    Join Date
    May 2006
    Location
    calgary ab
    My Ride
    4x4
    Posts
    2,249
    Rep Power
    13

    Default

    So it wasn't just a coincidence just about every app on my phone wanted to update this morning?

  9. #9
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    2 x E Class Benz
    Posts
    22,091
    Rep Power
    48

    Default

    Quote Originally Posted by pheoxs View Post
    This quote is hidden because you are ignoring this member. Show Quote
    In preventing it? No. But in trying to investigate the damage and actually doing something about it? Perhaps. Then again the Trump administration has been completely silent about it even though it's clear what country is suspected of the attacks.
    They already figured out that Cozy Bear was responsible 1 day after, so that doesn’t fit the narrative either.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  10. #10
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    GLC43
    Posts
    8,513
    Rep Power
    22

    Default

    Quote Originally Posted by AndyL View Post
    This quote is hidden because you are ignoring this member. Show Quote
    So it wasn't just a coincidence just about every app on my phone wanted to update this morning?
    https://www.theguardian.com/technolo...security-theft

    FireEye says its hacking tool chest has been plundered meaning that the thieves now have a potent collection of new techniques to draw upon.
    There is going to be more to come now this tool chest is in the open.

  11. #11
    Join Date
    Mar 2004
    Location
    Calgary AB
    My Ride
    2020 Subaru Forester Sport
    Posts
    2,637
    Rep Power
    12

    Default

    Quote Originally Posted by Xtrema View Post
    This quote is hidden because you are ignoring this member. Show Quote

    There is going to be more to come now this tool chest is in the open.
    That tool set is for rookies, Russians got this shit figured out

    Recently my company got hit as well, and we worked with CrowdStrike to do a full investigation, and almost immediately they blamed the Russians as well, ended up being "true", at least to the extent that the IPs used for communication were in Russia. But if it looks like it's Russia, it's probably not Russia, if these guys were in these systems for 6-9 months undetected, you would think they would know how to cover their tracks.

    The way I see it, if they say it's the Russians, it's probably the Chinese, if they say it's the Chinese, it's probably the North Koreans, and if they say it's the North Koreans, it's probably the Russians. That's my opinion on the matter. But you got to hand it to them Russians, they sure can hack.

    P.S. The forensic disk capture tools used by CrowdStike were freeware downloads, we had a big instruction book on how to download them to send disk images for analysis. So not all of these tools are super duper fancy hacker stuff. We also use Solarwinds, luckely we were on 2019 pre-patch 4 release haha, pays to not pay attention to Solarwinds
    Last edited by eblend; 12-18-2020 at 09:27 PM.

  12. #12
    Join Date
    Apr 2008
    Location
    calgary
    My Ride
    CLK 55 / 2g Eclipse / EP3
    Posts
    4,380
    Rep Power
    15

    Default

    Im of the opinion that many of these public breaches are just messages the intel agencies and/or global factions are just sending each other. The ones you never hear about are the ones that actually fuck things up for top secret matters.

    The public networked infrastructure is much more vulnerable that is commonly known. Surprised a major outage hasn't taken place already.

  13. #13
    Join Date
    Apr 2008
    Location
    calgary
    My Ride
    CLK 55 / 2g Eclipse / EP3
    Posts
    4,380
    Rep Power
    15

    Default

    Waaaaaaaaay more going on here - and way above my pay grade.


    1. Somehow SolarWinds code was changed - at the code level, prior to the dll build so it would be signed with a valid certificate. Either it was an inside job. Or external hackers leveraged the weak password, hacked their way around inside SolarWinds to find the build system, made themselves master of the build system so they could inject the code. Either way, code was modified twice - once to insert an empty framework, then a second time to populate the framework and add the calling code to make the exploit active. And the framework and calling code was written using similar naming conventions as SolarWinds original code. My sense is it would be easier to have an insider make the changes, but maybe we'll find out in due course.2. Once the exploit was in place, the code was stealthy - it ran in a thread parallel with valid SolarWinds functions, so it wouldn't suddenly start hogging large amounts of resources and stand out.
    3. The exploit code connected to a network of URL's - unique to the exploited SolarWinds user, and those URL's would vary. Some of the URL's were recycled - someone purchased old addresses and used them for this. The initial data it sent enabled the person/group running this to select their targets and download already known exploits specific to the user's network that allowed them to further exploit the system. So it's not all SolarWinds users who downloaded the apparently valid updates, it was a targeted group.
    4. The beauty of the scheme is that SolarWinds is God Mode - it sees all/knows all - users, equipment and software within the organization. Once it is exploited, the exploiters had the keys to the kingdom.
    If the initial breach of SolarWinds occurred because of weak passwords and sloppy security, then OK maybe that isn't all that impressive.
    However, gaining access to their build system and modifying their code is a step above.
    Creating and running a disposable set of URL's for the command network sounds like it requires some planning and setup prior to attempting the exploit.
    Having an in place control system would take a coordinated effort to build that software infrastructure and maintain a code base for those nefarious purposes. I could see that type of code being available on hacker sites, but it would still require work to make sure it actually functioned in a real world situation.
    So, some aspects of the exploit could be attributed to a limited operation, but how the network was set up and how the targets were picked gives it the appearance of a more coordinated and purposeful operation. And I'm sure lots of countries and organizations have this capability.


    4 key facts.
    1# the use of syswow64 as a privilege written into the exploit
    2# not a single zeroday exploit was used
    3# the c2 domain was used for the vps on the attackers side
    4# the repo used to serve the update, runs a cron tab to md5 and sha checksum the packages every 15 minutes.
    This leads to one answer. It was not an external hack. Someone involved with the repo servers pushed the package onto the server. Updated the checksum ref file witch is normally a text file 533 read/write, read, read and should be placed in a chroot environment.
    As for the exploit. Once you reach root privilege, next is to matain access. The fact the wow64 exploit takes a hardware snapshot. Its most likely they used a new exploit kit that takes the hardware data, then compiles custom firmware that is exploited, then installs the backdoor in the victims machine, then fuses the firmware chip by setting the fuse digit on the microcontroller used. Permently exploiting the machine at the hardware side of the stack. Aka can not be removed.
    The last part is the most trubbling. The way it was able the move latterly in the network has not been explained or made public. More than likely a backdoor Microsoft has in the os. Like back orifice seen in windows 98 that was released by the cult of the dead cows or CDC. Yes that hacking group Beto was involved with.
    I can go much deeper, but let's not forget, fireeye them selves got hacked and had the pen tools stolen form them. And even used against their own clients. I would not trust anything that comes from them.
    Almost forgot, the best clue. So the outbound packets from the target machine were chipped using a simple Xor chipper. Not encrypted. Since both the chip or rip can be encrypted with a simple 1 line of code. You have to ask why go through the trubble? Also they used unencrypted http vs https for the exploit protocol.
    Anwser- because encrypted packets can not pass through the garte firewall without some rewraping. Also all osi layer data from the attackers has time and date code encoded. With that info it is simple to find the region the attackers were working from. Most hackers miss that and keep their machine time local instead of Z time.

Similar Threads

  1. Microsoft USA vs Microsoft Poland

    By TorqueDog in forum Society / Law / Current Events / Politics
    Replies: 45
    Latest Threads: 08-26-2009, 09:33 PM
  2. Xmas 2008 - Foreclosure, estate sales and gov properties

    By barmanjay in forum Real Estate / Finance
    Replies: 11
    Latest Threads: 01-28-2009, 12:39 AM
  3. Microsoft vs Google - Microsoft offers $44.6b for yahoo!

    By rage2 in forum Computers, Consoles, and other Electronics
    Replies: 23
    Latest Threads: 02-01-2008, 08:34 PM
  4. BC: gov't now allowed to sue tobacco companies

    By finboy in forum Society / Law / Current Events / Politics
    Replies: 64
    Latest Threads: 10-03-2005, 10:01 PM
  5. 11 year old Japanese model/singer exploited

    By BebeAphrodite in forum Entertainment
    Replies: 57
    Latest Threads: 08-27-2005, 03:59 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •