
The Story of the SolarWinds Hack

305 points, posted by bokchoi about 4 years ago

21 comments

tptacek, about 4 years ago
"Network monitoring software is a key part of the backroom operations we never see. [...] By its very nature, it touches everything — which is why hacking it was genius."

This is frustrating to read, since plenty of people did in fact warn that these kinds of systems were easy targets.

bane, about 4 years ago
I think the most important thing the SolarWinds hack has revealed is that the massive pile of paperwork that has to be filled out, full of security controls, to accredit a system for government use, is fairly useless. It's the digital equivalent of the Great Wall of China. Designed by bureaucrats, impressive in size, a massive effort, and ultimately not going to stop the Mongols anyways. Security paperwork is not security.

More important, I think, is that the months and months it takes to usher things through the process forces things to be out of date, which in itself creates security problems.

An actual audit of the source code, plus running it in an instrumented live test environment to capture behavior, is far better.

sorokod, about 4 years ago
"The tradecraft was phenomenal"

Indeed, consider Figure 5 here [1]. A truly diabolical mastermind.

But seriously, the article looks like window dressing for common incompetence.

[1] https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

ridaj, about 4 years ago
I agree with the parallels with aviation regulation; there needs to be something forcing a supplier's hand to solve this. The way to protect against supply chain attacks is to invest in a security-hardened build system (e.g. don't build releases on dev workstations; do them on build farms, with build software that is the only thing able to access the release signing keys). This costs too much for most companies, so if they don't have the obligation to build it, they'll do features instead.

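The build-farm layout ridaj describes, as an added example (not code from this thread or from any vendor): the private key is used only in the signing step, and an installer checks the signed manifest before trusting any shipped file. The key pair, file names and file contents are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Manifest renders one canonical "name sha256hex" line per file, sorted by name, so the same
// file set yields identical bytes to sign on the build farm and to compare at install time.
func Manifest(files map[string][]byte) string {
	lines := make([]string, 0, len(files))
	for name, data := range files {
		lines = append(lines, fmt.Sprintf("%s %x\n", name, sha256.Sum256(data)))
	}
	sort.Strings(lines)
	return strings.Join(lines, "")
}

// SignRelease runs only on the build farm, the one host that holds the private key.
func SignRelease(priv ed25519.PrivateKey, files map[string][]byte) (string, []byte) {
	m := Manifest(files)
	return m, ed25519.Sign(priv, []byte(m))
}

// VerifyRelease runs on the installing host: the signature binds the manifest to the build
// key, and recomputing the manifest binds every shipped file to the hashes that were signed.
func VerifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return fmt.Errorf("manifest signature does not verify")
	}
	if Manifest(files) != manifest {
		return fmt.Errorf("file hashes differ from the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	release := map[string][]byte{"agent.dll": []byte("clean build"), "setup.exe": []byte("installer")}
	manifest, sig := SignRelease(priv, release)
	fmt.Println("clean release:", VerifyRelease(pub, manifest, sig, release))
	// A file altered after signing (an implant appended) no longer matches the manifest.
	tampered := map[string][]byte{"agent.dll": []byte("clean build+implant"), "setup.exe": release["setup.exe"]}
	fmt.Println("tampered file:", VerifyRelease(pub, manifest, sig, tampered))
}
```

This catches files altered after the farm signs them, unsigned extra files, and releases signed under any other key; it cannot catch a build farm that was itself compromised, so key isolation has to be paired with controls on what source and tooling reach the farm.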
adolph, about 4 years ago
How fortuitous is it that a months-long investigation can be published right when the US announces sanctions? Great job, National Radio!

"Like razor blades in peanut butter cups," says CrowdStrike.

wglb, about 4 years ago
I've collected many articles about this (currently 2099 articles) covering lots of areas. The highest quality articles are at https://ciexinc.com/blog/solarwinds-articles/zetter.html.

amaccuish, about 4 years ago
> But as CrowdStrike's decryption program chewed its way through the zeroes and ones, Meyers' heart sank. The crime scene was a bust. It had been wiped down

That's a lot of words to say we don't know who did it. I had a quick look but couldn't find anything; why are the fingers being pointed at Russia?

cyberlab, about 4 years ago
> The routine update, it turns out, is no longer so routine

Is there the rare case where we shouldn't update because the update could contain a malicious payload? If the update gets served over plaintext HTTP I would treat it as suspicious and may even block it from connecting at all. I run the risk of having outdated software, but that can be addressed by storing the software on a machine that's not connected to the Internet in any way, so it can't really do anything/talk to a C2 server (if someone does decide to execute a 0day with the software or inject malicious code via a rogue update).

dmcgee, about 4 years ago
This is the line that got me:

> And so we are fairly broadly deployed software and where we enjoy administrative privileges in customer environments.

There is a lot of talk about shoring up security practices by many of the people quoted here. But something that would be hard to admit is that maybe they should not have administrative privileges in customer environments. Maybe they should not install agents on your machine. They would never recommend that you do so with anyone else, except them of course, because you can trust them.

de6u99er, about 4 years ago
Anyone know how the software update was actually compromised in the first place?

airstrike, about 4 years ago
To me the "worst nightmare" was a story in the NYT about a hypothetical concerted attack against healthcare infrastructure, transit and more. Sadly I can't seem to find the link, but it was a few years ago...

arminiusreturns, about 4 years ago
Let me introduce you to PTECH and see if you still think SolarWinds was worse. Warning: a conspiracy rabbit hole lies this way; proceed with caution, lest your view of the world be challenged.

A start: https://www.youtube.com/watch?v=UuZRMpt_Tas&t=195

netfortius, about 4 years ago
This article is a case of [a lot of] Monday morning quarterback[s]. Except for Mandia, I wouldn't allow any other exec(s) to speak about this publicly as to the why and how. Side note: I bet Bejtlich wishes he was still on that team ;-)

galaxyLogic, about 4 years ago
From what I've read so far, I haven't been able to gather how SolarWinds could have prevented this. In other words, what were the critical failures in their defenses? Or is this kept non-public on purpose?

cmclaughlin, about 4 years ago
The article vaguely describes the build system being compromised. Have any details been published to indicate what build systems they were running and what the exploits were there?

seereadhack, about 4 years ago
How might you compartmentalize admin access the whole way down the stack at the enterprise level? What if you were to start from scratch?

andix, about 4 years ago
I'm quite sure there are a lot of attacks like that. Most of them just never get noticed.

The best backdoors are those which are never found.

vzaliva, about 4 years ago
I am curious about the "compiler" attack they are mentioning. Looks like they compromised the compiler used to build the code. Any more technical info on this aspect?

miohtama, about 4 years ago
How much value have SolarWinds shareholders lost because of this? If it is not the number one incentive for investors to fix, then there won't be change in business practices. This is why GDPR in the EU has (some) teeth.

1cvmask, about 4 years ago
It's nice how they equivocate over the ease of entry and their security policies:

There was another unsettling report about passwords. A security researcher in Bangalore, India, named Vinoth Kumar told NPR that he had found the password to a server with SolarWinds apps and tools on a public message board and the password was: "solarwinds123." Kumar said he sent a message to SolarWinds in November and got an automated response back thanking him for his help and saying the problem had been fixed.

When NPR asked SolarWinds' vice president of security, Brown, about this, he said that the password "had nothing to do with this event at all, it was a password to a FTP site." An FTP site is what you use to transfer files over the Internet. He said the password was shared by an intern and it was "not an account that was linked to our active directory."

germinalphrase, about 4 years ago
"A 'Worst Nightmare' cyberattack" that we all... just take in stride? Either the consequences are themselves clandestine, or cyberattacks aren't as meaningful as our headlines would indicate.