Russian Hackers Hack Multiple U.S. Government Entities

    A supply chain attack against IT company SolarWinds has exposed as many as 18,000 companies to Cozy Bear's attacks.



    Russian hackers have penetrated multiple U.S. Agencies since at least March of 2020. It has the potential to touch 1,000's of organizations.

  • #2
    I half bean descovard. I bee here no more.
    Livin the dream


    • #3
      I'm not a big fan of Solar Winds. I ran across the product when I worked at HP, and I can tell you that if you don't configure it properly, it's a huge network security threat. It was difficult to protect administrative credentials.

      Having said that, this was not really related to configuration issues and more related to what appears to be a watering hole attack variant, where a patch was pushed out to all their clients and if you installed it, you were powned.

      Tools used in the attack were reported to carry signatures from the Mandiant FireEye tools, which were stolen in a hack last week organized by Trump's BFF Putin.

      Expect Biden to patiently wait for an opportunity (Biden his time, as it were) and then I hope he hits them right in their gonads. I don't think Trump would have had the backbone to disable any of Putin's critical infrastructure or banking systems because he was too busy sucking up to him. But I DO remember when Obama had our military unleash an exploit that pretty much shut down the Russian electrical grid for a period (I don't remember but I believe it was weeks).

      I'm glad those days are back. The Russians are not our friends.

      Orange Man almost gone. Shocka Khan VERY happy.


      • #4
        I was reading that this attack has been going on for months. How does the FireEye tool stolen last week play in?
        Livin the dream


        • #5
          Originally posted by wufan View Post
          I was reading that this attack has been going on for months. How does the FireEye tool stolen last week play in?
          Actually it was the best thing that could’ve happened. It caused FireEye to probe their own house and they happened to find it. The clean energy sector has been slept on as a target for too long.

          Cozy Bear strikes again.


          • #6
            Originally posted by revenge_of_shocka_khan View Post
            I'm not a big fan of Solar Winds. I ran across the product when I worked at HP, and I can tell you that if you don't configure it properly, it's a huge network security threat. It was difficult to protect administrative credentials.

            Having said that, this was not really related to configuration issues and more related to what appears to be a watering hole attack variant, where a patch was pushed out to all their clients and if you installed it, you were powned.

            Tools used in the attack were reported to carry signatures from the Mandiant FireEye tools, which were stolen in a hack last week organized by Trump's BFF Putin.

            Expect Biden to patiently wait for an opportunity (Biden his time, as it were) and then I hope he hits them right in their gonads. I don't think Trump would have had the backbone to disable any of Putin's critical infrastructure or banking systems because he was too busy sucking up to him. But I DO remember when Obama had our military unleash an exploit that pretty much shut down the Russian electrical grid for a period (I don't remember but I believe it was weeks).

            I'm glad those days are back. The Russians are not our friends.

            Orange Man almost gone. Shocka Khan VERY happy.


            • #7
              Originally posted by wufan View Post
              I was reading that this attack has been going on for months. How does the FireEye tool stolen last week play in?
              It gave them an opportunity to hack into a lot of other systems. Fortunately, FireEye published (and otherwise communicated) information about the digital signatures of their tools so that the signatures can be detected by cyber tools (advanced firewalls, virus and malware detection software and so forth). I'm sure that Palo Alto (intelligent firewalls), McAfee and other virus/malware detection vendors have incorporated the signature detection software into their daily updates provided to their customers, allowing them to quarantine payloads. However, if your IT department is held together with chewing gum and baling wire (definitely not Pfizer, I'm talking mom and pop business networks, municipalities using small IT providers and the like) you will be at risk.

              What I don't understand is why Solar Winds did not digitally sign their patches. If they had signed their patches, and if the payload was installed later (which it had to be in my opinion), people applying the patching would have known there was something wrong, as the digital signature would have been altered.

              Microsoft took some actions to limit the blast area, including blackholing the command and control servers used to run the software and other measures to block and eliminate the Russians' ability to continue to break into systems using this specific attack vector. However, if backdoor tools were installed, the hackers still have other routes into infected systems, but evidently the responsibility of plugging those holes is being placed on Solar Winds' (and those affected) clients' internal incident response teams.

              Another thing that is being done is that any IT vendor (or maybe I should say any ethical IT vendor) running Solar Winds is reaching out to their customer base(s) and notifying them they got powned; this allows the vendor's customers to enact tactical solutions to prevent further spread of back-door software (like root kits). And almost all large companies that have not been impacted, I'm sure, have their procurement and cyber teams working overtime to make sure that they have identified those impacted vendors.
              Last edited by revenge_of_shocka_khan; December 18, 2020, 06:55 AM.


              • #8
                Originally posted by MikeKennedyRulZ View Post

                well, perhaps that's you in that picture. After all, you defend the orange dufus who fired his cybersecurity chief recently when he told him something dufus did not want to hear. And then there's all the ass-kissing going on from dufus to Putin. And all the 'festivus for the rest of us' ranting about the election and not being focused on the bigger picture - i.e. running this country, which is the primary reason he lost and you locked yourself in your bedroom, all butt-hurt.

                At least Biden will do something to retaliate. Your guy just keeps ranting about elections and has a deer-in-the-headlights look to him these days. Trust me, if the Russians got into our secured networks and moved laterally, we will have a hell of a lot more to be concerned about other than losing elections. Your tax dollars will be dumped down a black hole to cut off, and at a later point, rebuild networks and connections.


                • #9
                  Originally posted by revenge_of_shocka_khan View Post
                  Another thing that is being done is that any IT vendor (or maybe I should say any ethical IT vendor) running Solar Winds is reaching out to their customer base(s) and notifying them they got powned; this allows the vendor's customers to enact tactical solutions to prevent further spread of back-door software (like root kits).
                  It's "pwned" ... there's no o in the word.

                  I would know. I'm 1337.
                  Kung Wu say, man who read woman like book, prefer braille!


                  • #10
                    Originally posted by revenge_of_shocka_khan View Post
                    What I don't understand is why Solar Winds did not digitally sign their patches. If they had signed their patches, and if the payload was installed later (which it had to be in my opinion), people applying the patching would have known there was something wrong, as the digital signature would have been altered.
                    Good gravy, do you _really_ think a publicly held network infrastructure software company doesn't digitally sign its patches?

                    Kung Wu say, man who read woman like book, prefer braille!


                    • #11
                      Originally posted by Kung Wu View Post

                      Good gravy, do you _really_ think a publicly held network infrastructure software company doesn't digitally sign its patches?

                      When I worked at a large tech company, we had a download site (sort of like the Google app store). Some of my associates did a review of the software on the landing page and found that more than half of them lacked digital signatures. And when you see where Google or Apple have removed X number of apps from their stores.....same story. About half the time those apps get removed because they are not digitally signed. That was a high-rated issue because our customers put their trust into our promise not to put software downloads on that site that weren't digitally signed. If we had infected our customers' servers, computing devices or networks it would have been a huge reputational risk.

                      This was about 4 or 5 years ago, but yes, if we could do it, I'm sure Solar Winds could do it as well. It's called lack of adherence to standards aka 'cutting corners because someone wanted something quickly or someone got lazy and didn't check all the boxes.'

                      Oh, and one more point.....I'm reading that they compromised the server that created the updates, so they might have put the payload in before they digitally signed it. If they did that, checking the signature to try to find it would be useless.

                      I'm in the process of trying to find out where the point of compromise occurred, I can share it with you offline if you're interested, or if you're a research junkie on stuff like this (like I am) you will probably find out through Krebs or someone else.


                      • #12
                        Originally posted by revenge_of_shocka_khan View Post
                        When I worked at a large tech company, we had a download site (sort of like the Google app store). Some of my associates did a review of the software on the landing page and found that more than half of them lacked digital signatures. And when you see where Google or Apple have removed X number of apps from their stores.....same story. About half the time those apps get removed because they are not digitally signed. That was a high-rated issue because our customers put their trust into our promise not to put software downloads on that site that weren't digitally signed. If we had infected our customers' servers, computing devices or networks it would have been a huge reputational risk.

                        This was about 4 or 5 years ago, but yes, if we could do it, I'm sure Solar Winds could do it as well. It's called lack of adherence to standards aka 'cutting corners because someone wanted something quickly or someone got lazy and didn't check all the boxes.'
                        This isn't even in the same stratosphere as a 3rd party app on a consumer-facing app-store. There is absolutely zero way SolarWinds would intentionally release a patch to this software without it being digitally signed. That can't even happen by accident, as their signing structure would be fully automated.

                        This happened because:

                        1) The hackers inserted the trojan horse before it was digitally signed, or

                        2) They were able to install root certs on lots of insecure clients and committed an SSL Proxy attack, and then faked a digital signature using their root cert, or

                        3) Something else (e.g. the patch was fake, not signed, and they just relied on Admins installing an unsigned patch that appeared to be from SolarWinds).

                        If a patch was created by SolarWinds, it was signed -- spend your time looking at a different attack vector than a patch without a digital signature.

                        Originally posted by revenge_of_shocka_khan View Post
                        Oh, and one more point.....I'm reading that they compromised the server that created the updates, so they might have put the payload in before they digitally signed it. If they did that, checking the signature to try to find it would be useless.
                        Yes that's option 1 above. That actually makes sense.

                        Originally posted by revenge_of_shocka_khan View Post
                        I'm in the process of trying to find out where the point of compromise occurred, I can share it with you offline if you're interested, or if you're a research junkie on stuff like this (like I am) you will probably find out through Krebs or someone else.
                        Not unless it's particularly novel.
                        Kung Wu say, man who read woman like book, prefer braille!

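The difference between option 1 and option 3 above, as an added illustration that is not part of this thread: a signature check rejects any byte changed after signing, but it happily accepts a build that was tampered with before the signing step, and only an independent rebuild of the same source (a reproducible-build comparison) exposes that case. The Release type, the build/publish/VerifySignature/MatchesIndependentBuild functions and the sample source are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is a hypothetical shipped artefact plus the vendor's detached signature.
type Release struct {
	Payload   []byte
	Signature []byte
}

// build stands in for the vendor's build server. If the server is compromised,
// the unwanted code lands in the artefact before anyone signs it (option 1).
func build(source []byte, compromised bool) []byte {
	out := append([]byte{}, source...)
	if compromised {
		out = append(out, []byte("\n# constructed marker for inserted code")...)
	}
	return out
}

// publish signs whatever build produced, as an automated signing pipeline does.
func publish(priv ed25519.PrivateKey, payload []byte) Release {
	return Release{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignature is the admin's pre-install check: bytes match what the vendor signed.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

// MatchesIndependentBuild rebuilds from the same source on a machine the
// attacker did not control and compares hashes (a reproducible-build check).
func MatchesIndependentBuild(source []byte, r Release) bool {
	want := sha256.Sum256(build(source, false))
	got := sha256.Sum256(r.Payload)
	return bytes.Equal(want[:], got[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	src := []byte("print('hello')") // constructed source
	good := publish(priv, build(src, false))
	bad := publish(priv, build(src, true)) // compromised before signing
	fmt.Println(VerifySignature(pub, good), VerifySignature(pub, bad), MatchesIndependentBuild(src, bad)) // prints: true true false
}
```

The second `true` is the point of option 1: the signature is genuine, so a customer checking signatures sees nothing wrong, and only the rebuild comparison returns `false`.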

                        • #13
                          Originally posted by Kung Wu View Post

                          It's "pwned" ... there's no o in the word.

                          I would know. I'm 1337.
                          You are 100% correct... coming from a retired h4x0r

                          Team Fortress Classic (untouchable, bunny-hopping/conc'ing scout)
                          Counter-Strike (headshot city while all the n00bz QQ'd)

                          Back when the Internet was only used for porn, gaming, and chatting instead of dividing countries. In other words... the good ol' days.


                          • #14
                            Originally posted by revenge_of_shocka_khan View Post

                            well, perhaps that's you in that picture. After all, you defend the orange dufus who fired his cybersecurity chief recently when he told him something dufus did not want to hear. And then there's all the ass-kissing going on from dufus to Putin. And all the 'festivus for the rest of us' ranting about the election and not being focused on the bigger picture - i.e. running this country, which is the primary reason he lost and you locked yourself in your bedroom, all butt-hurt.

                            At least Biden will do something to retaliate. Your guy just keeps ranting about elections and has a deer-in-the-headlights look to him these days. Trust me, if the Russians got into our secured networks and moved laterally, we will have a hell of a lot more to be concerned about other than losing elections. Your tax dollars will be dumped down a black hole to cut off, and at a later point, rebuild networks and connections.
                            You think Hiden Joe is going to retaliate on anyone for anything???? LOL!!!! That is rich. The guy who helped sell our soul to Iran? The guy who bows to China at every whim? Right...I cannot stop laughing...


                            • #15
                              Originally posted by revenge_of_shocka_khan View Post
                              When I worked at a large tech company, we had a download site (sort of like the google app store). Some of my associates did a review of the software on the landing page and found that more than half of them lacked digital signatures. And when you see where Google or Apple have removed X number of apps from their stores.....same story. About half the time those apps get removed because they are not digitally signed.
                              For non-technical people, this is the equivalent of believing that GM executives and factory workers might have conspired to cut costs by not installing any airbag sensors in their flagship line of airbag equipped cars.

                              And then arguing it's realistic because you worked at a two-bit used car lot where the owner didn't report used cars with known faulty airbags to the state, per law, because he didn't want to get stuck with a lemon.

                              Kung Wu say, man who read woman like book, prefer braille!
