https://venturebeat.com/2020/12/18/m...n-its-systems/
Get ready to patch your MS products.
So it's Uncle Putin that gets to control everyone via vaccine after all, as Uncle Bill may have lost the key.
Ugh, I thought we were safe since we don't use SolarWinds in our environment. Have to watch this closely now.
This hack looks to be really bad. Something like 60% of Fortune 500 companies use SolarWinds software, not to mention all the government agencies around the world.
I have a feeling we will be seeing impacts of this for years to come.
This is way more than just SolarWinds and MS - various SMTP servers went down as well - and others.
Hey, at least the US didn't reallocate money from their cyber security budget to build a wall instead. Oh wait.
Trump may be an idiot, but do you really think that would have made a difference here?
Originally posted by SEANBANERJEE
I have gone above and beyond what I should rightfully have to do to protect my good name
In preventing it? No. But in trying to investigate the damage and actually doing something about it? Perhaps. Then again, the Trump administration has been completely silent about it even though it's clear what country is suspected of the attacks.
So it wasn't just a coincidence just about every app on my phone wanted to update this morning?
They already figured out that Cozy Bear was responsible 1 day after, so that doesn't fit the narrative either.
https://www.theguardian.com/technolo...security-theft
There is going to be more to come now that this tool chest is in the open.
FireEye says its hacking tool chest has been plundered, meaning that the thieves now have a potent collection of new techniques to draw upon.
That tool set is for rookies, Russians got this shit figured out.
Recently my company got hit as well, and we worked with CrowdStrike to do a full investigation. Almost immediately they blamed the Russians as well, and it ended up being "true", at least to the extent that the IPs used for communication were in Russia. But if it looks like it's Russia, it's probably not Russia; if these guys were in these systems for 6-9 months undetected, you would think they would know how to cover their tracks.
The way I see it, if they say it's the Russians, it's probably the Chinese, if they say it's the Chinese, it's probably the North Koreans, and if they say it's the North Koreans, it's probably the Russians. That's my opinion on the matter. But you got to hand it to them Russians, they sure can hack.
P.S. The forensic disk capture tools used by CrowdStrike were freeware downloads; we had a big instruction book on how to download them to send disk images for analysis. So not all of these tools are super duper fancy hacker stuff. We also use SolarWinds, luckily we were on the 2019 pre-patch 4 release haha, pays to not pay attention to SolarWinds.
Last edited by eblend; 12-18-2020 at 09:27 PM.
I'm of the opinion that many of these public breaches are just messages the intel agencies and/or global factions are sending each other. The ones you never hear about are the ones that actually fuck things up for top secret matters.
The public networked infrastructure is much more vulnerable than is commonly known. Surprised a major outage hasn't taken place already.
Waaaaaaaaay more going on here - and way above my pay grade.
1. Somehow SolarWinds code was changed - at the code level, prior to the DLL build, so it would be signed with a valid certificate. Either it was an inside job, or external hackers leveraged the weak password, hacked their way around inside SolarWinds to find the build system, and made themselves master of the build system so they could inject the code. Either way, code was modified twice - once to insert an empty framework, then a second time to populate the framework and add the calling code to make the exploit active. And the framework and calling code were written using similar naming conventions to SolarWinds' original code. My sense is it would be easier to have an insider make the changes, but maybe we'll find out in due course.
2. Once the exploit was in place, the code was stealthy - it ran in a thread parallel with valid SolarWinds functions, so it wouldn't suddenly start hogging large amounts of resources and stand out.
3. The exploit code connected to a network of URLs - unique to the exploited SolarWinds user, and those URLs would vary. Some of the URLs were recycled - someone purchased old addresses and used them for this. The initial data it sent enabled the person/group running this to select their targets and download already known exploits specific to the user's network that allowed them to further exploit the system. So it's not all SolarWinds users who downloaded the apparently valid updates; it was a targeted group.
4. The beauty of the scheme is that SolarWinds is God Mode - it sees all/knows all - users, equipment and software within the organization. Once it is exploited, the exploiters had the keys to the kingdom.
If the initial breach of SolarWinds occurred because of weak passwords and sloppy security, then OK maybe that isn't all that impressive.
However, gaining access to their build system and modifying their code is a step above.
Creating and running a disposable set of URLs for the command network sounds like it requires some planning and setup prior to attempting the exploit.
Having an in place control system would take a coordinated effort to build that software infrastructure and maintain a code base for those nefarious purposes. I could see that type of code being available on hacker sites, but it would still require work to make sure it actually functioned in a real world situation.
So, some aspects of the exploit could be attributed to a limited operation, but how the network was set up and how the targets were picked gives it the appearance of a more coordinated and purposeful operation. And I'm sure lots of countries and organizations have this capability.
4 key facts.
1. The use of SysWOW64 as a privilege written into the exploit.
2. Not a single zero-day exploit was used.
3. The C2 domain was used for the VPS on the attackers' side.
4. The repo used to serve the update runs a cron tab to MD5 and SHA checksum the packages every 15 minutes.
This leads to one answer. It was not an external hack. Someone involved with the repo servers pushed the package onto the server and updated the checksum ref file, which is normally a text file, 533 (read/write, read, read), and should be placed in a chroot environment.
As for the exploit: once you reach root privilege, the next step is to maintain access. The fact is the WOW64 exploit takes a hardware snapshot. It's most likely they used a new exploit kit that takes the hardware data, then compiles custom firmware that is exploited, then installs the backdoor in the victim's machine, then fuses the firmware chip by setting the fuse digit on the microcontroller used. Permanently exploiting the machine at the hardware side of the stack. AKA cannot be removed.
The last part is the most troubling. The way it was able to move laterally in the network has not been explained or made public. More than likely a backdoor Microsoft has in the OS. Like Back Orifice seen in Windows 98 that was released by the Cult of the Dead Cow, or cDc. Yes, that hacking group Beto was involved with.
I can go much deeper, but let's not forget, FireEye themselves got hacked and had the pen tools stolen from them. And even used against their own clients. I would not trust anything that comes from them.
Almost forgot, the best clue. So the outbound packets from the target machine were ciphered using a simple XOR cipher. Not encrypted. Since both the chip or rip can be encrypted with a simple one line of code, you have to ask why go through the trouble? Also they used unencrypted HTTP vs HTTPS for the exploit protocol.
Answer - because encrypted packets cannot pass through the garte firewall without some rewrapping. Also all OSI layer data from the attackers has time and date code encoded. With that info it is simple to find the region the attackers were working from. Most hackers miss that and keep their machine time local instead of Z time.
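The post above claims the update repo re-hashed its packages from cron every 15 minutes. The constructed example below (added here, not code from SolarWinds or from the poster) shows why a checksum file regenerated on the same server as the packages cannot detect a replaced package, while a manifest of hashes recorded out of band at build time can. The package name and contents are made up.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def regenerate_checksums(repo_dir):
    """What a server-side cron job does: hash whatever is on disk right now."""
    return {name: sha256_file(os.path.join(repo_dir, name))
            for name in sorted(os.listdir(repo_dir))}


def verify_against_manifest(repo_dir, pinned):
    """Compare on-disk packages to hashes recorded at build time and kept elsewhere.
    Returns {package_name: True/False}; a missing package counts as a failure."""
    current = regenerate_checksums(repo_dir)
    return {name: current.get(name) == digest for name, digest in pinned.items()}


def demo():
    """Simulate a package replaced by someone with write access to the repo host."""
    with tempfile.TemporaryDirectory() as repo:
        pkg = os.path.join(repo, "agent-2020.2.1.pkg")   # hypothetical package name
        with open(pkg, "wb") as f:
            f.write(b"legitimate build output")           # constructed sample content
        # Manifest captured at build time and stored off the repo host.
        pinned = regenerate_checksums(repo)
        # The package is overwritten on the repo host...
        with open(pkg, "wb") as f:
            f.write(b"legitimate build output + injected code")
        # ...and the cron job happily re-hashes the tampered file, so the
        # checksum file it publishes always matches what is on disk.
        cron_agrees = regenerate_checksums(repo) == regenerate_checksums(repo)
        # Only the out-of-band manifest notices the change.
        pinned_result = verify_against_manifest(repo, pinned)
        return cron_agrees, pinned_result


if __name__ == "__main__":
    print(demo())
```

A signed manifest (or code signature made with an offline key) gives the same out-of-band property; a checksum the distribution host computes about itself does not.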
Backdoor secret password found: zerodium
All you had to do to execute code was to use that password. LOL.
0.5 gram microsd delivered by 12,000 pound combustion vehicle and driver.
SolarWinds kept their code in a GitHub repository that they marked public, so the hackers just brute forced a password. I would suspect any company dumb enough to make their repository public made all their users admins, so the hackers probably turned off notifications when code was pushed (if they even had notifications on) and turned them back on after they were done pushing their changes. If they squashed commits (a horrible practice, but one that many do for some idiotic reason) then it would be somewhat difficult to wade through the hackers' changes with their own.
What gets me is: why did it take so long to brute force an 8-letter, non-capitalized keycode? I mean, it would take literally seconds with any sort of processing power.
I guess it wasn't in a traditional spot popup box where you would normally try to input a password and then click an OK box. But still...
That had nothing to do with SolarWinds; that was something put in a commit into the PHP code base.