
Solar Winds hack


I've been hearing snippets about this for a few days, but still don't really know what happened, who did it, or what the real implications are.

For instance, it seems closely related to the US election fraud issue, but I don't really understand how or why. It does seem like a strange coincidence that it should be revealed now, when it occurred much earlier in 2020...

This NYT article seems to suggest it's a pretty fucking huge national security issue, and that now Russia (hmmmm) probably has access to hundreds or even thousands of networks, both private and federal. Seems like a massive clusterfuck, or are we only being given half the story, as per usual?

https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html?partner=IFTTT

Anyone here have a good handle on what it's all about? :)

10 minutes ago, LC1 said:

I've been hearing snippets about this for a few days, but still don't really know what happened, who did it, or what the real implications are.

For instance, it seems closely related to the US election fraud issue, but I don't really understand how or why. It does seem like a strange coincidence that it should be revealed now, when it occurred much earlier in 2020...

This NYT article seems to suggest it's a pretty fucking huge national security issue, and that now Russia (hmmmm) probably has access to hundreds or even thousands of networks, both private and federal. Seems like a massive clusterfuck, or are we only being given half the story, as per usual?

https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html?partner=IFTTT

Anyone here have a good handle on what it's all about? :)

I'm sure I read that Solar Winds was linked business-wise to (owner of?) Dominion.


There is not much hard info about what happened other than there was either a security hole in the software or the software was hacked, which allowed third parties wide-ranging access to supposedly secure IT networks. So much so that the US Government issued an order - not a request - to immediately patch or remove the technology.

Within hours of that the net was flooded with so much guff that it is hard to tell what really happened. The above might be it in simple terms. What we do know:

1. The US Government moved immediately to secure its networks.

2. We had Google go down - whether that was connected or not no one seems to know. If anyone does know, please post the info... and not just a bloke on a blog or in a tweet claiming so.

3. A US secure network went down several days later. Whether this was connected or not is impossible to say. If it took them several days to do so then they would be inept to take so long. Again, lots of guff online about what supposedly happened in this case. (Although, putting on conspiracy hat, it might have been left 'unpatched' for a while in order to monitor who was doing what with whom.)

What Solar Winds does is allow centralised monitoring of an entire IT stack through its Orion product. To do so it would require certain permissions at the network and server level. It would seem that either this was the target of the hack or there was a security flaw in the software that allowed third parties wide-ranging access.

I could be talking bollox.
8 minutes ago, The Masked Tulip said:

What Solar Winds does is allow centralised monitoring of an entire IT stack through its Orion product. To do so it would require certain permissions at the network and server level. It would seem that either this was the target of the hack or there was a security flaw in the software that allowed third parties wide-ranging access.

I could be talking bollox.
Yes, that's correct.

I can't see any of the networks that had this not being totally compromised even when it is switched off.

I'd know more if I were still in the game; I'll try and find a proper analysis if I can.

Keys to the city though basically.

Information here: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

Edited by snaga
1 minute ago, MrLibertyRedux said:

Yes, that's correct.

I can't see any of the networks that had this not being totally compromised even when it is switched off.

I'd know more if I were still in the game; I'll try and find a proper analysis if I can.

Keys to the city though basically.
Yep, I agree. Countless things could have been done, from installing trojans to granting yourself countless permissions across X, Y and Z. You'd need a complete wipe of the hardware and software; even then you would wonder about what could have been installed on the firmware side.

I bet that lots of networks will install a patch and convince themselves that everything is secure.

6 minutes ago, The Masked Tulip said:

Yep, I agree. Countless things could have been done, from installing trojans to granting yourself countless permissions across X, Y and Z. You'd need a complete wipe of the hardware and software; even then you would wonder about what could have been installed on the firmware side.

I bet that lots of networks will install a patch and convince themselves that everything is secure.

I expect there was a function to look for suspiciously large data transfers; if that was disabled in the update, then think of all the copies of various data files that have been made.

Good issue to blame next year's financial crash on?

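A simple version of the kind of check the post above is talking about, as an added example that is not part of the thread and is not SolarWinds code: it runs over constructed flow records (day, source host, destination IP, bytes out) and flags any host whose daily egress to external addresses jumps well above that host's own recent median. Host names, addresses, byte counts and the thresholds are all constructed for the illustration; the only assumption about the network is that the RFC 1918 ranges are "internal" and everything else is "external".

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow records, not real logs: (day, source host, destination IP, bytes out).
# srv-mon-01 sends a few MB a day to one external host, then 900 MB on the last day;
# bkp-01 sends a large but steady off-site backup; ws-17 is modest and steady.
SAMPLE_FLOWS = [
    ("2020-12-01", "srv-mon-01", "203.0.113.10", 1_500_000),
    ("2020-12-02", "srv-mon-01", "203.0.113.10", 1_600_000),
    ("2020-12-03", "srv-mon-01", "203.0.113.10", 1_400_000),
    ("2020-12-04", "srv-mon-01", "203.0.113.10", 1_500_000),
    ("2020-12-05", "srv-mon-01", "203.0.113.10", 1_700_000),
    ("2020-12-06", "srv-mon-01", "198.51.100.7", 900_000_000),
    ("2020-12-06", "srv-mon-01", "10.0.0.5", 4_000_000_000),  # internal copy, not egress
] + [
    (f"2020-12-0{d}", "bkp-01", "192.0.2.20", 2_000_000_000) for d in range(1, 7)
] + [
    (f"2020-12-0{d}", "ws-17", "198.51.100.3", 50_000_000) for d in range(1, 7)
]

# Assumption for the example: RFC 1918 space is "inside", anything else is "outside".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True if the destination lies outside the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def daily_egress(flows):
    """Sum bytes per (host, day), counting only flows to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def flag_large_transfers(flows, ratio=5.0, min_bytes=100_000_000, min_history=3):
    """Return (host, day, bytes, baseline) for each day on which a host's external egress
    is both above min_bytes and more than `ratio` times the median of its earlier days.
    Each host is judged only against its own history, and only once it has at least
    `min_history` days of it, so a server that legitimately moves a lot of data every
    day (bkp-01 here) is not flagged."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            if i < min_history:
                continue
            baseline = median(per_day[d] for d in days[:i])
            if per_day[day] >= min_bytes and per_day[day] > ratio * baseline:
                alerts.append((host, day, per_day[day], baseline))
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, baseline in flag_large_transfers(SAMPLE_FLOWS):
        print(f"{day} {host}: {nbytes:,} bytes out, baseline {baseline:,.0f}")
```

On the sample data only srv-mon-01 on 2020-12-06 is reported. The point of the per-host median rather than a fixed global threshold is exactly the one the post raises: a monitoring server that normally talks to the outside in megabytes is the interesting case, while a backup host that ships gigabytes every night is not. This logic also has to live somewhere the monitored software cannot switch it off, which is why a copy of flow data on a separate collector is the usual place to run it.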

Bit more info: the hackers gained access to the SolarWinds update server; the password was solarwinds123. But there was 2FA enabled, which the hackers also needed to exploit.

Once in, they embedded malware into the patches; customers downloaded and installed them, and the malware wasn't detected as it's recommended practice to exclude SolarWinds' own directories.

Edited by snaga
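The defender-side consequence of the "excluded directories" point above is that an antivirus exclusion should not be the only thing watching a vendor directory. What follows is an added example, not from the thread and not SolarWinds code: a baseline-and-diff check that hashes every file under a directory and reports what an update added, removed or changed, so the list can be held up against what the vendor says the update should contain. The directory name "Orion" and the file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    rootp = Path(root)
    return {
        p.relative_to(rootp).as_posix(): sha256_file(p)
        for p in sorted(rootp.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report which paths were added, removed or changed relative to the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical 'Orion' directory and file names): take a
    baseline, apply a simulated update that rewrites one DLL and drops a new one,
    and diff the two manifests."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "Orion"
        (vendor / "bin").mkdir(parents=True)
        (vendor / "bin" / "core.dll").write_bytes(b"original vendor build")
        (vendor / "bin" / "helper.dll").write_bytes(b"untouched component")
        (vendor / "config.xml").write_text("<config/>")
        baseline = build_manifest(vendor)

        # Simulated update: one component replaced, one file the release notes never mention.
        (vendor / "bin" / "core.dll").write_bytes(b"rebuilt vendor build")
        (vendor / "bin" / "extra.dll").write_bytes(b"unexpected new component")
        return diff_manifest(baseline, build_manifest(vendor))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Two caveats go with this. A hash diff only tells you that a file changed, not that the change is bad, so it earns its keep when compared against an independent reference (the vendor's published file list or hashes for that release) rather than against the previous install alone. And the baseline and the check must be stored and run somewhere the monitored software cannot write, otherwise anything that can rewrite the directory can rewrite the manifest too.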

I work for a large multinational and today we all had a global, panickish email saying "we don't know who uses SolarWinds in our organisation, but if it's you, please, please get in touch". I assume all large companies are doing the same.

Bloody FireEye are a set of wasters in my opinion. Twice now they have had embarrassing internal hacks (last week, which was somehow connected to or prompted the subsequent SolarWinds thing), and it really makes you think: what is the point of a supposed security delta force who can't even secure their own internal stuff?

2 hours ago, The Masked Tulip said:

There is not much hard info about what happened other than there was either a security hole in the software or the software was hacked, which allowed third parties wide-ranging access to supposedly secure IT networks. So much so that the US Government issued an order - not a request - to immediately patch or remove the technology.

Within hours of that the net was flooded with so much guff that it is hard to tell what really happened. The above might be it in simple terms. What we do know:

1. The US Government moved immediately to secure its networks.

2. We had Google go down - whether that was connected or not no one seems to know. If anyone does know, please post the info... and not just a bloke on a blog or in a tweet claiming so.

3. A US secure network went down several days later. Whether this was connected or not is impossible to say. If it took them several days to do so then they would be inept to take so long. Again, lots of guff online about what supposedly happened in this case. (Although, putting on conspiracy hat, it might have been left 'unpatched' for a while in order to monitor who was doing what with whom.)

What Solar Winds does is allow centralised monitoring of an entire IT stack through its Orion product. To do so it would require certain permissions at the network and server level. It would seem that either this was the target of the hack or there was a security flaw in the software that allowed third parties wide-ranging access.

I could be talking bollox.
What is the purpose of "centralised monitoring of an entire IT stack"? Is it to check performance, to check what software is installed where or is it to spy on your own employees? Very funny if the latter.

@MrLibertyRedux you say the hackers had full access. So they have hacked SolarWinds, used it to install malware on their customers' networks and accessed everything there too? It can't be put back in the box without a great deal of effort and info sharing. So lots of companies and agencies are fucked?

Any idea who the culprit is? Russia, China, another nation or a group of individuals?

12 minutes ago, Yadda yadda yadda said:

What is the purpose of "centralised monitoring of an entire IT stack"? Is it to check performance, to check what software is installed where or is it to spy on your own employees? Very funny if the latter.

@MrLibertyRedux you say the hackers had full access. So they have hacked SolarWinds, used it to install malware on their customers' networks and accessed everything there too? It can't be put back in the box without a great deal of effort and info sharing. So lots of companies and agencies are fucked?

Any idea who the culprit is? Russia, China, another nation or a group of individuals?

Employees are companies' biggest threat.

Cameras catch more croupiers than punters in casinos...

Edited by Stuey
3 hours ago, LC1 said:

I've been hearing snippets about this for a few days, but still don't really know what happened, who did it, or what the real implications are.

For instance, it seems closely related to the US election fraud issue, but I don't really understand how or why. It does seem like a strange coincidence that it should be revealed now, when it occurred much earlier in 2020...

This NYT article seems to suggest it's a pretty fucking huge national security issue, and that now Russia (hmmmm) probably has access to hundreds or even thousands of networks, both private and federal. Seems like a massive clusterfuck, or are we only being given half the story, as per usual?

https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html?partner=IFTTT

Anyone here have a good handle on what it's all about? :)

Here are the trial versions of various Solar Winds products, gives an idea of what they do:

https://www.solarwinds.com/downloads

The CEO of Dominion said under oath that they didn't use "Solar Winds Orion" so I presume [he wants everyone to believe] that's what was breached. But Orion is a platform; who knows what if anything he was hiding?

Web archives show that Solar Winds was credited as a technology provider on the Dominion site, but that's now been removed. It was front and centre on their login page.


I used Solar Winds software years ago.....it used to be good I seem to recall....

Problem with corporates is they will only use 'their own software' and/or 'other corporates' software'.....they don't believe in FOSS; why not?

dunno, maybe they're just all 'control freak wankers'....:P

"There are only two types of companies—those that know they've been compromised, and those that don't know."

Edited by 5min OCD speculator

SolarWinds own Pingdom, which I use to tell me if my websites aren't working, such as this one. If 'the Russians' were able to hack that, at the most basic level they could disable downtime checking, and that'd cost companies millions.

If you want an analogy it'd be like Asda being closed but the head office aren't aware.

20 minutes ago, spunko said:

Pingdom

Wow! 'Ping' is a command built into all operating systems....try it yourself.......you don't need to buy some third party crap to use it :o

On the subject of FOSS, hardly any governments, schools etc use it.....presumably cos they'd rather pay millions to cunts like Bill Gates and Apple and get free back handers in the form of iPhones......fecking teachers and NHS cocks :P

https://en.wikipedia.org/wiki/Adoption_of_free_and_open-source_software_by_public_institutions

Edit: Nagios is what you want! I used that years ago, free!!

Edit again: Christ, this might mean that DOSBODS gets pwned by the Russians before long....

Edited by 5min OCD speculator
5 hours ago, LC1 said:

I've been hearing snippets about this for a few days, but still don't really know what happened, who did it, or what the real implications are.

For instance, it seems closely related to the US election fraud issue, but I don't really understand how or why. It does seem like a strange coincidence that it should be revealed now, when it occurred much earlier in 2020...

This NYT article seems to suggest it's a pretty fucking huge national security issue, and that now Russia (hmmmm) probably has access to hundreds or even thousands of networks, both private and federal. Seems like a massive clusterfuck, or are we only being given half the story, as per usual?

https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html?partner=IFTTT

Anyone here have a good handle on what it's all about? :)

The comments on that article... good god... they're completely doolally. Desperate desperate desperate for a war with Russia. No doubt is allowed, no discussion is possible - it's obvious that Russia has launched a full-scale cyber attack on the USA.

Edited by DeepLurker
20 minutes ago, 5min OCD speculator said:

On the subject of FOSS, hardly any governments, schools etc use it.....presumably cos they'd rather pay millions to cunts like Bill Gates and Apple and get free back handers in the form of iPhones......fecking teachers and NHS cocks :P

C'mon, you know why FOSS is not used by government or corporates :) You can only climb the corporate ladder if you have someone to blame/sue when things fail.

With FOSS there's no one to sue.

1 hour ago, Yadda yadda yadda said:

What is the purpose of "centralised monitoring of an entire IT stack"? Is it to check performance, to check what software is installed where or is it to spy on your own employees? Very funny if the latter.

@MrLibertyRedux you say the hackers had full access. So they have hacked SolarWinds, used it to install malware on their customers' networks and accessed everything there too? It can't be put back in the box without a great deal of effort and info sharing. So lots of companies and agencies are fucked?

Any idea who the culprit is? Russia, China, another nation or a group of individuals?

Depends on the size of the org and network. Most of these types of companies have various suites for different things: monitoring and managing network kit such as Cisco gear, firewalls, internal and external Wi-Fi networks, the server estate, web servers, traffic monitoring, the lot.

In a decent-sized company with hundreds or even thousands of servers, either internal or cloud, and everything else networked, there is a lot to manage, and it mainly needs to be done remotely.

Bit more detail from FireEye here.

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Microsoft.

https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/

Public sector risk in UK at The Register.

https://www.theregister.com/2020/12/14/solarwinds_public_sector/

Sounds like a big one. Glad I'm out.

Edit to add:

Russia is the favourite boogeyman usually, but pick from China, Iran, North Korea et cetera.

Fuck, could even be the Israelis if they were pissed off about something.

Edited by MrLibertyRedux (Illiteracy)
30 minutes ago, DeepLurker said:

you can only climb the corporate ladder if you have someone to blame/sue when things fail.

Yeah, 'tis true. I once built a Linux server to do some monitoring; then when the IT gaffer found out he lost his rag and said "come on, you know we only do M$ servers"....

Me: yeah, but you told me you were skint at the moment cos you're paying me too much :P

Next thing I get thousands to buy rack-mounted servers, BUT it performed better on the old desktop xD
