elainegrey (![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
elainegrey) wrote2020-12-19 12:13 pm
elainegrey) wrote2020-12-19 12:13 pm
Entry tags:
(354, dark halo attack)
I am really quite disconcerted by the major "hack" and what seems to be insufficient reporting about the whole mess. I am happy to answer questions.
* SolarWinds - a company that sells software that installed on corporate and governmental networks so that the company can more easily monitor how the network is being used (and databases, and, and, and.)
* Orion is the name of the program that was "trojaned"
* "Trojan" is using the metaphor of the trojan horse: the application looks like one thing, but has a hidden threat. In this case, the threat was a "back door," access into the monitored network that would be hard to observe. Generically i will call this the Solarwinds exploit: ie, the thing that was exploited by the bad actor.
* SolarWinds, at my last reading, had identified that the exploit was added in the "build process." That means it wasn't in the software that was written by their developers, but it was -- to oversimplify -- added to the list of parts of code written by SolarWinds and all the other "off the shelf" parts used to make the application called Orion.
* While the access to SolarWinds network that they accidentally leaked to the open web -- the password "solarwinds123" -- wasn't what was used to insert the exploit, it doesn't inspire confidence.
* 18000 companies downloaded and may have installed the software with the exploit, and when they did, the exploit "phoned home" and notified the bad actor that another instance of the exploit was available for exploration.
To refer to this as an "attack on the US" is inaccurate. From the attacks Microsoft can observe (presumably because the customers are using Microsoft's cloud services) Microsoft sees that "Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates." However, if a SolarWinds customer uses a different system for identity management, say Okta, Microsoft can't know anything about them.
My private notes on the
2020 Massive Hack (UNC2452, Dark Halo)
avsvmcloud[.]com taken down on Dec 15 [7]
Semantec said that it discovered the SUNBURST malware on the internal networks of 100 of its customers, but it did not see any evidence of second-stage payloads or network escalation activity. [7] A second stage payload, a backdoor called Teardrop, is deployed against a targets of interest to the attackers. Symantec has observed two variants of Teardrop, both of which behave similarly and are used to deliver a further payload – the Cobalt Strike commodity malware. [9]
SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems.[1]
convening what’s known as a Cyber Unified Coordination Group, which makes it easier to involve private companies like telecommunications firms and big tech providers in the government’s response.[5]
Financial Services Information Sharing and Analysis Center, known as FS-ISAC, said in a phone call with senior leadership and executives on Wednesday that members expressed concern that the alleged Russian hackers might be able to steal anything sent to the government.... the group wasn’t impacted by the SolarWinds backdoor.[5]
Microsoft says 40, mostly private, mostly security/IT; Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates. [1,5] Microsoft denies they themselves hacked despite Reuters report [1] Bloomberg reasserts [5] Clarification - had trojan, saw no use of network [8]
Solarwinds says "We have currently identified 18,000 customers potentially affected by this security vulnerability."
Duo MFA bypassed, not Duo's fault [4]
FireEye [3] 8 Dec
US-based think tank per Volexity "The primary goal of the Dark Halo threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. " [4]
U.S. Department of Treasury [2] 13 Dec
U.S. Department of Commerce [2] 13 Dec
Energy Department and its National Nuclear Security Administration, business networks only [1,5] 18 Dec
the city network in Austin, Texas [5]
Department of Homeland Security [5, 7]
?? IRS used Orion [6]
The US Department of Commerce's National Telecommunications and Information Administration (NTIA) [7]
The Department of Health's National Institutes of Health (NIH) [7]
The Cybersecurity and Infrastructure Agency (CISA) [7]
The Department of Homeland Security (DHS) [7]
The US Department of State [7]
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. [1]
“We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.” [1]
[1] Sanger, David E., and Nicole Perlroth. “More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government.” The New York Times, December 17, 2020, sec. U.S. https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html.
[2] S. Curry, “The SolarWinds Supply Chain Attack and the Limits of Cyber Hygiene.” https://www.cybereason.com/blog/the-solarwinds-supply-chain-attack-and-the-limits-of-cyber-hygiene (accessed Dec. 18, 2020). -- good outline of what was known when as of 14 Dec
[3] K. Mandia, “FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community,” FireEye, Dec. 08, 2020. https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html (accessed Dec. 18, 2020).
[4] Volexity Threat Research, “Dark Halo Leverages SolarWinds Compromise to Breach Organizations | Volexity,” Dec. 14, 2020. https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ (accessed Dec. 18, 2020).
[5] “Russia-Linked SolarWinds Hack Snags Widening List of Victims,” Bloomberg.com, Dec. 18, 2020.
[6] D. Goodin, “SolarWinds hack that breached gov networks poses a ‘grave risk’ to the nation,” Ars Technica, Dec. 17, 2020. https://arstechnica.com/information-technology/2020/12/feds-warn-that-solarwinds-hackers-likely-used-other-ways-to-breach-networks/ (accessed Dec. 18, 2020).
[7] Cimpanu, Catalin. “Microsoft and Industry Partners Seize Key Domain Used in SolarWinds Hack.” ZDNet. Accessed December 19, 2020. https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/.
[8] Cimpanu, Catalin. “Microsoft Confirms It Was Also Breached in Recent SolarWinds Supply Chain Hack.” ZDNet. Accessed December 19, 2020. https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/.
* SolarWinds - a company that sells software that installed on corporate and governmental networks so that the company can more easily monitor how the network is being used (and databases, and, and, and.)
* Orion is the name of the program that was "trojaned"
* "Trojan" is using the metaphor of the trojan horse: the application looks like one thing, but has a hidden threat. In this case, the threat was a "back door," access into the monitored network that would be hard to observe. Generically i will call this the Solarwinds exploit: ie, the thing that was exploited by the bad actor.
* SolarWinds, at my last reading, had identified that the exploit was added in the "build process." That means it wasn't in the software that was written by their developers, but it was -- to oversimplify -- added to the list of parts of code written by SolarWinds and all the other "off the shelf" parts used to make the application called Orion.
* While the access to SolarWinds network that they accidentally leaked to the open web -- the password "solarwinds123" -- wasn't what was used to insert the exploit, it doesn't inspire confidence.
* 18000 companies downloaded and may have installed the software with the exploit, and when they did, the exploit "phoned home" and notified the bad actor that another instance of the exploit was available for exploration.
To refer to this as an "attack on the US" is inaccurate. From the attacks Microsoft can observe (presumably because the customers are using Microsoft's cloud services) Microsoft sees that "Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates." However, if a SolarWinds customer uses a different system for identity management, say Okta, Microsoft can't know anything about them.
My private notes on the
2020 Massive Hack (UNC2452, Dark Halo)
avsvmcloud[.]com taken down on Dec 15 [7]
Semantec said that it discovered the SUNBURST malware on the internal networks of 100 of its customers, but it did not see any evidence of second-stage payloads or network escalation activity. [7] A second stage payload, a backdoor called Teardrop, is deployed against a targets of interest to the attackers. Symantec has observed two variants of Teardrop, both of which behave similarly and are used to deliver a further payload – the Cobalt Strike commodity malware. [9]
SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems.[1]
convening what’s known as a Cyber Unified Coordination Group, which makes it easier to involve private companies like telecommunications firms and big tech providers in the government’s response.[5]
Financial Services Information Sharing and Analysis Center, known as FS-ISAC, said in a phone call with senior leadership and executives on Wednesday that members expressed concern that the alleged Russian hackers might be able to steal anything sent to the government.... the group wasn’t impacted by the SolarWinds backdoor.[5]
Microsoft says 40, mostly private, mostly security/IT; Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates. [1,5] Microsoft denies they themselves hacked despite Reuters report [1] Bloomberg reasserts [5] Clarification - had trojan, saw no use of network [8]
Solarwinds says "We have currently identified 18,000 customers potentially affected by this security vulnerability."
Duo MFA bypassed, not Duo's fault [4]
FireEye [3] 8 Dec
US-based think tank per Volexity "The primary goal of the Dark Halo threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. " [4]
U.S. Department of Treasury [2] 13 Dec
U.S. Department of Commerce [2] 13 Dec
Energy Department and its National Nuclear Security Administration, business networks only [1,5] 18 Dec
the city network in Austin, Texas [5]
Department of Homeland Security [5, 7]
?? IRS used Orion [6]
The US Department of Commerce's National Telecommunications and Information Administration (NTIA) [7]
The Department of Health's National Institutes of Health (NIH) [7]
The Cybersecurity and Infrastructure Agency (CISA) [7]
The Department of Homeland Security (DHS) [7]
The US Department of State [7]
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. [1]
“We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.” [1]
[1] Sanger, David E., and Nicole Perlroth. “More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government.” The New York Times, December 17, 2020, sec. U.S. https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html.
[2] S. Curry, “The SolarWinds Supply Chain Attack and the Limits of Cyber Hygiene.” https://www.cybereason.com/blog/the-solarwinds-supply-chain-attack-and-the-limits-of-cyber-hygiene (accessed Dec. 18, 2020). -- good outline of what was known when as of 14 Dec
[3] K. Mandia, “FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community,” FireEye, Dec. 08, 2020. https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html (accessed Dec. 18, 2020).
[4] Volexity Threat Research, “Dark Halo Leverages SolarWinds Compromise to Breach Organizations | Volexity,” Dec. 14, 2020. https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ (accessed Dec. 18, 2020).
[5] “Russia-Linked SolarWinds Hack Snags Widening List of Victims,” Bloomberg.com, Dec. 18, 2020.
[6] D. Goodin, “SolarWinds hack that breached gov networks poses a ‘grave risk’ to the nation,” Ars Technica, Dec. 17, 2020. https://arstechnica.com/information-technology/2020/12/feds-warn-that-solarwinds-hackers-likely-used-other-ways-to-breach-networks/ (accessed Dec. 18, 2020).
[7] Cimpanu, Catalin. “Microsoft and Industry Partners Seize Key Domain Used in SolarWinds Hack.” ZDNet. Accessed December 19, 2020. https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/.
[8] Cimpanu, Catalin. “Microsoft Confirms It Was Also Breached in Recent SolarWinds Supply Chain Hack.” ZDNet. Accessed December 19, 2020. https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/.
no subject