SolarWinds hasn't bothered to revoke their certs or remove the package<p><a href="https://twitter.com/KyleHanslovan/status/1338360093767823362" rel="nofollow">https://twitter.com/KyleHanslovan/status/1338360093767823362</a><p>Back in 2019 apparently their FTP server credentials were exposed on GitHub, allowing automated updates to be pushed<p><a href="https://twitter.com/vinodsparrow/status/1338431183588188160/photo/1" rel="nofollow">https://twitter.com/vinodsparrow/status/1338431183588188160/...</a><p>Edit: If updates failed due to the signature not matching, SolarWinds recommended downloading the package and installing it manually, LOL<p><a href="https://twitter.com/KyleHanslovan/status/1338419999665508354/photo/1" rel="nofollow">https://twitter.com/KyleHanslovan/status/1338419999665508354...</a>
A couple of quick notes:<p>1) The OPM hack and now this all illustrate - if govt gives itself the big backdoors into everything, it's likely they will give it to Russia, criminals, ex-boyfriends stalking ex-girlfriends etc.<p>2) My own impression of govt IT is largely security theatre in the area I was involved in. In particular such massive complexity that agency staff think going around the rules is normal, because it's the only way to actually get work done. And then such glaring weaknesses that no one cares to fix. With Google I've had one password for 20 years (my Google account) which allows a hardware key for 2FA or Google Authenticator with what I imagine is sensible monitoring, new device authentication etc (I find this pretty secure).<p>In govt you are forced to write down these insanely long passwords with super complexity that cannot be cut and pasted and that change every 30 or 60 days.<p>Because lost passwords are so common in these settings, the password reset process is usually a MASSIVE weak spot. I've seen it just be a phone call to a third party, you give them your username, they give you a new temp password - that's literally it. And the passwords end up everywhere. In lots of documents that float around, emailed around etc etc. And lots of password sharing when you get locked out of a tool and it will take a long time to get a new account set up (months). Pretty soon the procedures manual also gets you root access to everything.
More details: <a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" rel="nofollow">https://www.fireeye.com/blog/threat-research/2020/12/evasive...</a><p>“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.”<p>“Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website. The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe. After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com.”<p>“This actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim’s environment.”<p>“In observed [trojan] traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies” “Command data is spread across multiple strings that are disguised as GUID and HEX strings.”<p>Edit: Silly me, that was the first article on HN, see thread: <a href="https://news.ycombinator.com/item?id=25413053" rel="nofollow">https://news.ycombinator.com/item?id=25413053</a>
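The quoted FireEye text gives defenders one concrete indicator: the backdoor resolves a subdomain of avsvmcloud[.]com after a dormant period of up to two weeks. The script below is an added example (not FireEye's or SolarWinds' code) that refangs that indicator and scans DNS query logs for any host that resolved it or a subdomain of it. The log line format ("timestamp client-ip queried-name") and the sample lines are constructed assumptions; the matching requires a dot boundary so that an unrelated name merely ending in the same characters is not flagged.

```python
"""Scan DNS query logs for resolutions of the C2 domain named in the FireEye
write-up quoted above (avsvmcloud[.]com). Added example, not FireEye's or
SolarWinds' code; the log line format below is a constructed assumption."""
import re
from collections import defaultdict

# Indicator taken from the quoted FireEye text, written defanged as analysts publish it.
DEFANGED_INDICATORS = ["avsvmcloud[.]com"]


def refang(domain):
    """Turn 'example[.]com' / 'hxxp://' style defanged strings back into plain form."""
    return domain.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


INDICATORS = [refang(d) for d in DEFANGED_INDICATORS]

# Constructed sample log: "<timestamp> <client-ip> <queried-name>" per line (assumption).
# The labels in front of the indicator domain are made up for this example.
SAMPLE_DNS_LOG = """\
2020-12-01T10:02:11Z 10.1.5.23 www.example.com
2020-12-01T10:02:15Z 10.1.5.23 constructed-label-1.avsvmcloud.com.
2020-12-01T10:03:40Z 10.1.7.8 updates.solarwinds.com
2020-12-01T10:04:02Z 10.1.7.8 CONSTRUCTED-LABEL-2.AVSVMCLOUD.COM
2020-12-01T10:05:09Z 10.1.9.2 notavsvmcloud.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")


def matches_indicator(qname, indicators=INDICATORS):
    """True when qname equals an indicator domain or is a subdomain of one.
    The '.' boundary matters: 'notavsvmcloud.com' must not be a hit."""
    name = qname.lower().rstrip(".")
    return any(name == ind or name.endswith("." + ind) for ind in indicators)


def find_indicator_queries(log_text, indicators=INDICATORS):
    """Return {client_ip: [(timestamp, qname), ...]} for every matching query."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of failing the whole scan
        if matches_indicator(m.group("qname"), indicators):
            hits[m.group("client")].append((m.group("ts"), m.group("qname")))
    return dict(hits)


if __name__ == "__main__":
    for client, queries in find_indicator_queries(SAMPLE_DNS_LOG).items():
        print(client)
        for ts, qname in queries:
            print(f"  {ts}  {qname}")
```

Because the write-up describes a dormant period of up to two weeks before the first resolution, a retrospective search needs to cover at least that much DNS history after the update was installed, not just the day the compromise became public.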
> Malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems thanks in part to guidance from SolarWinds itself. In this support advisory, SolarWinds says its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.<p>Ouch!
So far I've seen ZERO EVIDENCE. Reuters and the Washington Post have breathless claims of Russian hackers "according to officials familiar with the matter." Uh huh.<p>Saying "APT29" or "CozyBear" doesn't make the accusation any more credible.<p>If multiple US agencies are trumpeting the same story, you really must ask yourself "Why? Why this? Why now?"<p>It's pretty amusing, in a depressing way, to see how quickly so many otherwise intelligent people can be made to snap to attention and fight the Russian Menace with a few anonymous government claims.
Seems like a good time to plug an excellent book:<p><i>Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon</i> [0]<p>The US Government has spent two decades and hundreds of millions of dollars building tools to undermine the security of systems around the world, and withholding information from "Industry" that would help harden those systems.<p>I have no idea who "did" this, I don't really care. The NSA has been loading this footgun for decades.<p>[0] <a href="https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-ebook/dp/B00KEPLC08/ref=tmm_kin_swatch_0?_encoding=UTF8&qid=&sr=" rel="nofollow">https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-eb...</a>
Since this is a supply chain attack on software downloads, I think it's interesting to consider the implications for the security posture of a cloud-native organization.
While cloud-native is commonly recognized as less secure (because the cloud provider could be hacked!), there are a few categories of attacks exclusive to onprem software deployments:<p>1. You misconfigure the onprem software, making it more insecure than the alternatives. This does not occur with SaaS products.<p>2. The software delivery system is tampered with, and you download and run malicious code on your systems with high privileges. If you don't run it, this can't happen.<p>Cloud deployments aren't obviously safer, but they have clear advantages unless you are willing to pay top people to work on and secure each onprem deployment full-time.<p>NB: I don't actually believe "the cloud" is fundamentally more or less secure than onprem deployments.
Rather, I frequently hear people argue that a website being hacked - or the potential for it - justifies a movement to onprem, and I think this is (usually) false.
So, am I reading this right? The Russian government had the ability to impersonate the credentials of ANYONE in the majority of the Fortune 500, the US Government, the US DOD, and our telecom infrastructure... and they likely had this access for a while.<p>How is this NOT an act of war?
Sigh.<p>"Engineers are expensive, so don't build, buy!"<p>How about... the middle way? Let your own engineers deploy open source, something you can verify, even audit, if you ever have to.<p>Ah, I forgot. Those usually don't come with fat envelopes from the provider to the people making the decisions.
Just to add, 15 mins ago Chris Bing from Reuters and other journalists confirmed the U.S. Department of Homeland Security to be the 3rd agency to be impacted [1].<p>I suspect there will likely be further agencies and of course private companies to come forward in the upcoming weeks/months.<p>[1] <a href="https://twitter.com/Bing_Chris/status/1338552048342753288" rel="nofollow">https://twitter.com/Bing_Chris/status/1338552048342753288</a>
The major earlier threads on this ongoing story are:<p><a href="https://news.ycombinator.com/item?id=25413053" rel="nofollow">https://news.ycombinator.com/item?id=25413053</a><p><a href="https://news.ycombinator.com/item?id=25409416" rel="nofollow">https://news.ycombinator.com/item?id=25409416</a>
This is why all this bullshit about "let's add a backdoor to all encryption just for the government" is just that: bullshit. A year or so after it is added, it will be available to every government on earth this way, and a year after, on your favourite warez site...
"SolarWinds says it has over 300,000 customers including:<p>-more than 425 of the U.S. Fortune 500<p>-all ten of the top ten US telecommunications companies<p>-all five branches of the U.S. military<p>-all five of the top five U.S. accounting firms<p>-the Pentagon<p>-the State Department<p>-the National Security Agency<p>-the Department of Justice<p>-The White House"<p>Purely from a risk management perspective, it's a <i>terrible</i> idea to have a single point of failure for <i>all of the above</i>
Russia's hacking/software capabilities have always fascinated me. I might be out of the loop, but it very much feels like this "online cold-war" is very one-sided towards Russia, which is ridiculous given US capabilities. Though, this could be attributed to the US simply not getting caught.<p>Nonetheless, everything I've read points to Solarwinds conduct being borderline negligent. For example, they not only told customers to ignore inaccurate checksums but they also failed basic server security.
Wow the hackers had free rein over basically any company that they wanted.<p>SolarWinds says it has over 300,000 customers including:<p>-more than 425 of the U.S. Fortune 500<p>-all ten of the top ten US telecommunications companies<p>-all five branches of the U.S. military<p>-all five of the top five U.S. accounting firms<p>-the Pentagon<p>-the State Department<p>-the National Security Agency<p>-the Department of Justice<p>-The White House
Is this the same SolarWinds that owns Pingdom?<p><a href="https://www.solarwinds.com/pingdom" rel="nofollow">https://www.solarwinds.com/pingdom</a>
For the last 15 years, I keep pushing information about Multi Level Secure Systems every time another incident like this happens. The fact that we haven't been using them everywhere since the 1970s drives me nuts!<p><a href="https://en.wikipedia.org/wiki/Multilevel_security" rel="nofollow">https://en.wikipedia.org/wiki/Multilevel_security</a><p>There are Operating Systems in existence which could prevent this and almost every other breach. However, most technical people aren't even aware of the fact that they CAN exist, and actively believe the opposite.<p>Hopefully Genode.org will have something usable for the average programmer like me, in a year or two, and I can use that as an existence proof.<p>Also, there are Data Diodes to help restrict what goes where.<p><a href="https://en.wikipedia.org/wiki/Unidirectional_network" rel="nofollow">https://en.wikipedia.org/wiki/Unidirectional_network</a><p>I think we'll finally get our act together in 2025 or so, 50 years after the first Multi Level Systems were finished.
The "Russia" allegation sounds like an extremely weak & repetitive claim made by people on a certain political side to divert attention away from their bad press for criminal behavior (to include all of the Chinese compromises that were recently revealed).<p>They're playing a VERY dangerous game, as if they would rather the entire world be destroyed before facing the possibilities of justice (Gitmo, military court tribunals, and everything else that the EO from 9/18 outlined).<p>The bottom line: the MSM has been full of $&@T for quite some time, and this claim in Reuters is most likely more of the same.
I wonder if scanning their own uploads and validating checksums via a cron job would have prevented this, or at least given an early alert.<p>Shameless disclosure: I was doing something similar (I do not have a plan to maintain it long term) but would love to hear better solutions:
<a href="https://github.com/getsumio/getsum" rel="nofollow">https://github.com/getsumio/getsum</a>
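The comment above and the first comment in the thread (the exposed FTP credentials, and the advice to install manually when the signature did not match) both come down to the same control: knowing what you published and noticing when it changes. The script below is an added example, not code from the getsum project linked above or from SolarWinds. It hashes every file under a download directory, compares the result to a pinned sha256sum-style manifest, and reports modified, missing and unexpected files; the manifest format, directory layout and sample files are constructed assumptions.

```python
"""Integrity check for a software-download directory: compare every published
file against a pinned SHA-256 manifest and report anything modified, missing
or unexpected, so a cron job can alert on tampering of the release server.
Added example, not code from the getsum project linked above or from
SolarWinds; the manifest format (sha256sum-style lines) and directory
layout are assumptions."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<sha256hex>  <relative/path>' lines (the format `sha256sum` emits).
    '#' comments and blank lines are ignored; a leading '*' (binary marker) is dropped."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        expected[parts[1].strip().lstrip("*")] = parts[0].lower()
    return expected


def scan_directory(root):
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def check_release(root, manifest_text):
    """Compare the directory to the manifest. The manifest must live somewhere the
    publishing credentials cannot write to; otherwise whoever holds those
    credentials (the exposed-FTP-password case) can rewrite it with the files."""
    expected = parse_manifest(manifest_text)
    actual = scan_directory(root)
    report = {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Build a constructed release tree, pin its manifest, then simulate tampering.
    Returns the (clean, tampered) reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "updates").mkdir()
        (root / "updates" / "Core.dll").write_bytes(b"constructed clean build\n")
        (root / "updates" / "patch.msp").write_bytes(b"constructed installer payload\n")
        manifest = "\n".join(f"{digest}  {path}"
                             for path, digest in sorted(scan_directory(root).items()))
        clean = check_release(root, manifest)
        # Simulate tampering: one published file altered, one file dropped in
        # that was never part of the release.
        (root / "updates" / "Core.dll").write_bytes(b"constructed clean build\ntrailing bytes")
        (root / "updates" / "extra.exe").write_bytes(b"constructed unexpected file\n")
        tampered = check_release(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("after tampering:", tampered)
```

Run on a schedule (cron every few minutes is enough for a download server), page someone whenever the report is not ok, and generate the manifest on the build machine from the artifacts you actually signed rather than from whatever is currently on the server; a check that learns its baseline from the server it is guarding only ever confirms that nothing changed since the last time it looked.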
I tried the shareware version of Solar Winds back in the '90s. I guess I should be glad I didn't buy the full version.<p><a href="https://en.wikipedia.org/wiki/Solar_Winds" rel="nofollow">https://en.wikipedia.org/wiki/Solar_Winds</a>
I wonder if this unintended transparency actually makes for a safer world. The cold war might have been shorter if both sides had been able to see that their enemy did not intend to escalate the situation.
For a minute I misparsed the title and thought that the US Treasury and Commerce departments' staff hacked their way around a SolarWinds compromise. That would have been cooler.
duplicate: <a href="https://news.ycombinator.com/item?id=25413053" rel="nofollow">https://news.ycombinator.com/item?id=25413053</a> and a few others
Let's assume this is a case of state sponsored attack.
If I was in charge of organising such an attack, I would make sure my employer would be on top of the list of victims. Would not do any actual damage to steal my own information and would tremendously help with attributing the attack to my enemy.
These breaches will continue to happen, and happen...and happen until our limp-dick federal government gives a shit and starts to punish companies for their malicious malfeasance regarding IT security.
So was the election hacked too? I'm a little confused how Biden can get 80 million votes, and almost no one watched his acceptance speech today. 40k views on youtube.<p>The 6k vote flipping in Michigan was claimed to be some sort of computer error. But why were the logs deleted? that seems like a hacker thing to do to delete the logs. A judge just released the audit report.<p><a href="https://www.freep.com/story/news/politics/elections/2020/12/14/michigan-company-officials-dispute-report-antrim-county-voting/6538325002/" rel="nofollow">https://www.freep.com/story/news/politics/elections/2020/12/...</a>
So basically, Russians had the highest level of access to every large company and most government agencies in the US? (Including defense, DOD, pentagon)<p>If so, this is on scale with the OPM hack in 2015. This is huge.<p>Smart to use the election timing while authorities were focused elsewhere.
This also came out today:<p><a href="https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/" rel="nofollow">https://mattermost.com/blog/coordinated-disclosure-go-xml-vu...</a><p>It seems pretty likely that SolarWinds' SAML authentication was bypassed or escalated by this issue with Go's encoding/xml, and that access was then used to generate and distribute the trojaned SolarWinds updates.
When will people realize that slapping yet another startup's tech stack onto yours isn't going to magically fix anything and in fact just adds complexity and points of failure.<p>I've always done my best to err on the side of "let's try not to add yet another level of complexity" and this strategy has yet to fail me.