Geekzone: technology news, blogs, forums
freitasm

#280456 16-Dec-2020 10:00
CERT NZ has sent out two advisories this week (original one and a revision).

The still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers, the company said in a legal filing on Monday. Meanwhile, Microsoft should soon have some idea which and how many SolarWinds customers were affected, as it recently took possession of a key domain name used by the intruders to control infected systems.

The initial breach disclosure from SolarWinds came five days after cybersecurity incident response firm FireEye announced it had suffered an intrusion that resulted in the theft of some 300 proprietary software tools the company provides to clients to help secure their IT operations.

Dynamic

  #2622449 16-Dec-2020 10:14

This will certainly make security-related software developers sit up and take notice. To have a security-related company's development environment compromised and malicious code make it through QA into production is a massive failure, but possibly a common blind spot for developers? Checks and balances to prevent this happening again may add significant overhead to the development process.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams


Dratsab

  #2622538 16-Dec-2020 11:03

Gonna be hard, if not impossible, for the company to weather this one given they were notified over a year ago that the [weak] password for their download server was published in clear text in their GitHub repository.

Predictably, lots of Republican individuals/outlets have been spreading rumours that Dominion Voting Systems (DVS) was compromised blah blah blah... The CEO has come out and stated that DVS does not and has never used the Solarwinds Orion platform.


frankv

  #2622557 16-Dec-2020 11:26

It doesn't say anyone's development environment was compromised, just that tools were stolen from FireEye. It may be that it was only executable versions of the tools that were lost.

Regarding SolarWinds' Orion product; it was apparently compromised enough to insert malicious code in a DLL that was then deployed. Since that was digitally signed, that might imply that their development environment was compromised. However, it is standard practice for the development environment to be completely separate from the deployment/live environment. Places I have worked have 3 or 4 environments (Dev/Test, UAT/Training, Live/Production) with formal Change Control processes to move to Live (and usually informal to move to UAT). Not having those checks and balances already in place would be extremely inept and reckless. So their processes appear to have failed.

However, their download site was only protected by a simple password (which was visible on GitHub, which SolarWinds was warned about in Nov 2019). Maybe their private key was equally easily found, so someone could forge a signature on any arbitrary code?

Attacking a network management tool company like SolarWinds makes good sense from a cybercriminal's point of view -- only large wealthy organisations need the tool, so it automatically selects good targets.

Whatever, I expect SolarWinds will be sued to death by their 18,000 large and wealthy ex-clients.
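
An added example, not from this thread, from SolarWinds or from CERT NZ: the point frankv makes about the signed DLL is that a "signature valid" check on its own would have passed the backdoored file, because it carried a genuine vendor signature. The PowerShell below inventories the Authenticode status, signer and SHA-256 of every DLL under a path, so the hashes can be compared against the indicators a vendor or CERT advisory publishes rather than trusting the signature alone. The default install path and the $KnownBadSha256 list are assumptions for the operator to fill in; the list is deliberately empty as written.

```powershell
# Added example (not code from the Geekzone thread, SolarWinds or CERT NZ).
# Inventory the Authenticode signer and SHA-256 of every DLL under $Path, then
# flag any hash that appears in an operator-supplied list of known-bad hashes
# taken from the vendor's or CERT's advisory. The default path and the
# $KnownBadSha256 list are assumptions; adjust both to your environment.
param(
    [string]   $Path           = 'C:\Program Files (x86)\SolarWinds\Orion',  # assumed install path
    [string[]] $KnownBadSha256 = @()                                          # fill from the advisory
)

$report = Get-ChildItem -Path $Path -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $sig.SignerCertificate.Subject    # $null when the file is unsigned
            Thumbprint = $sig.SignerCertificate.Thumbprint
            Sha256     = $hash
            KnownBad   = ($KnownBadSha256 -contains $hash) # -contains is case-insensitive
        }
    }

# A Valid status with the expected vendor as signer is necessary but not
# sufficient: a file rebuilt and signed inside the vendor's own pipeline passes
# this check. Only the hash comparison against published indicators catches that,
# so surface both unexpected signatures and known-bad hashes.
$report |
    Where-Object { $_.KnownBad -or $_.Status -ne 'Valid' } |
    Format-Table File, Status, Signer, Sha256 -AutoSize

# Keep the full inventory so a later run can be diffed against this baseline.
$report | Export-Csv -Path (Join-Path $env:TEMP 'dll-inventory.csv') -NoTypeInformation
```

Run it once to baseline and keep the CSV. On a later run, a file whose hash has changed while its signature still reads Valid and the signer is still the vendor is exactly the case frankv describes, and it is the one worth investigating rather than waving through.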

 

 




Dynamic

  #2622580 16-Dec-2020 11:42

frankv: Attacking a network management tool company like SolarWinds makes good sense from a cybercriminal's point of view -- only large wealthy organisations need the tool, so it automatically selects good targets.

I'd estimate the majority of IT companies with more than a couple of staff use tools similar to Orion to help manage/maintain/troubleshoot the computers of their clients, both large and small.

From a cybersecurity perspective, if you want to target a client, start poking at their supply chain. This is not new, though.

https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

https://www.datto.com/blog/msps-are-a-growing-target-for-cyber-attackers

networkn

  #2622632 16-Dec-2020 11:50

This is my absolute worst-case scenario, someone finding a way to our RMM or deployment tools and accessing client sites. For most MSPs it would be an extinction-level event. We take every step we can to ensure we are safe, but we are at the behest of the companies who supply us our software, some of whom don't seem to give a rat's backside if they aren't taking due care. The problem is, they are all pretty much as bad as each other, and as time goes on, and each RMM becomes more complex, has more features, and specifically more integrated with other products, the number of surfaces to keep track of protecting becomes nigh impossible. Insurance is crushingly expensive, and day by day more exclusions are added, which means there is a never-ending list of ways for them to wriggle out of paying. One thing we found out recently, hidden in the very very very very very fine print using obfuscated language, is that if you have to pay a ransom, you need to pay it yourself; the insurance company won't pay directly. In the event of a decent breach, the ransom could be >1M, and I'd be surprised if too many MSPs in NZ could come up with that in cash.

Some of the big security specialists are advising MSPs daily to spend at least as much time preparing for *when* you are breached as preventing the breach in the first place.

1101
  #2622723 16-Dec-2020 13:55

The plot thickens

https://www.npr.org/2020/12/15/946776718/what-we-know-about-russias-latest-alleged-hack-of-the-u-s-government

Is this just a knee-jerk reaction, to blame the Russian Govt?
Or could it explain why US govt departments were targeted?


freitasm


  #2693938 16-Apr-2021 18:58

Press release, New Zealand government, GCSB:

New Zealand has today added its voice to the international condemnation of the malicious compromise and exploitation of the SolarWinds Orion platform.

The Minister Responsible for the Government Communications Security Bureau, Andrew Little, says that New Zealand's international partners have analysed the compromise of the SolarWinds Orion platform and attributed this malicious activity to Russian state actors.

"This compromise deployed malware indiscriminately around the world and has caused widespread disruption as many thousands of organisations had to apply security patches and check systems," said Andrew Little.

A significant number of New Zealand organisations use the SolarWinds Orion platform.

The GCSB's National Cyber Security Centre and CERT NZ have provided guidance for organisations to identify if the malicious code has been installed on their systems, and apply the appropriate security patches.

"While we have seen no indication that New Zealand organisations were targeted, the compromise caused disruption in New Zealand as organisations urgently checked their systems, applied security patches, and took action to protect themselves," the Minister said.

New Zealand condemns the unacceptable actions of Russian state actors and calls for all states to behave responsibly online.