|
If this turns out to be something preventable with MFA vs, I dunno, a true zero day exploit chain...wow.
|
#
?
Dec 14, 2020 18:18
|
|
|
|
| # ? May 26, 2024 00:48 |
|
|
Yeah I hope he's wrong cuz oof. "The attackers utilized state of the art techniques once inside of our system to use our product to spread malware to our clients and infiltrate their systems" Thanks for the info, but how did they get into your systems initially though? "Password was password ¯\_(ツ)_/¯ "
|
|
#
?
Dec 14, 2020 18:28
|
|
|
Somewhere, in a galaxy far far away, Dark Helmet is laughing. "Admin123" is the leading guess.
|
|
#
?
Dec 14, 2020 18:52
|
|
|
Please, they have SOME standards  It was @dmin123!
|
|
#
?
Dec 14, 2020 19:24
|
|
|
I figured was Solar123
|
|
#
?
Dec 14, 2020 19:31
|
|
|
This aged poorly.
|
|
#
?
Dec 14, 2020 19:32
|
|
|
P@ssw0rd!
|
|
#
?
Dec 14, 2020 19:36
|
|
|
tagesschau posted:This aged poorly. It really did, didn't it? Yeah, I reached out to a bunch of my clients, outside of applying the Hotfix 1 and tomorrow's Hotfix 2, and resetting the credentials on the box or that have touched the box, unless you actually see the IOCs like the hash'ed DLL and the planted service DLL, just patch and monitor. quote:a. [SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash of [b91ce2fa41029f6955bff20079468448] https://cyber.dhs.gov/ed/21-01/ CommieGIR fucked around with this message at 20:44 on Dec 14, 2020 |
|
#
?
Dec 14, 2020 20:34
|
|
|
ghostinmyshell posted:I might be your boss. tagesschau posted:This aged poorly.
|
|
#
?
Dec 14, 2020 20:56
|
|
|
evil_bunnY posted:It really hasn't. for each solarwind there's dozens of random dweebs getting popped because of low hanging fruit. True, but it was posted in context to the Fireeye Breach which turns out to be directly related to the Solarwinds backdoor, and in that way it has. Target wise: Gov affected is up to Treasury, Commerce, DHS, and Booze Allen Hamilton got hit too.
|
|
#
?
Dec 14, 2020 21:13
|
|
|
Maybe the government shouldn't trust the security of its software to the lowest bidder.
|
|
#
?
Dec 14, 2020 21:20
|
|
|
CommieGIR posted:True, but it was posted in context to the Fireeye Breach which turns out to be directly related to the Solarwinds backdoor, and in that way it has.
|
|
#
?
Dec 14, 2020 21:23
|
|
|
my domain is contoso.com and the shared enterprise admin account is ntP@ssw0rd!
|
|
#
?
Dec 14, 2020 21:30
|
|
|
Wiggly Wayne DDS posted:you don't have to be sophisticated to put a backdoor into low hanging fruit You do to actually need some level of sophistication to stay hidden while its being deployed, which is why Supply Side attacks are rare. Its a pretty good feat to stay hidden inside the build environment for 6 months.
|
|
#
?
Dec 14, 2020 21:31
|
|
|
There are reports now of several SolarWinds execs dumping their stock options right before this blew up. They loving knew.quote:Now comes news that SolarWinds Co. Director Aurora Co-Invest L.P. Slp sold 2,079,823 shares of the business’s stock in a transaction last Monday, December 7th. Farking Bastage fucked around with this message at 21:53 on Dec 14, 2020 |
|
#
?
Dec 14, 2020 21:48
|
|
|
Farking Bastage posted:There are reports now of several SolarWinds execs dumping their stock options right before this blew up. They loving knew. The Execs are always the first to know, of course.
|
|
#
?
Dec 14, 2020 21:55
|
|
|
CLAM DOWN posted:my domain is contoso.com and the shared enterprise admin account is ntP@ssw0rd! Thats my domain too!
|
|
#
?
Dec 14, 2020 21:56
|
|
|
Defenestrategy posted:Thats my domain too! I thought I asked kindly for you to not steal my ideas 
|
|
#
?
Dec 14, 2020 22:10
|
|
|
CommieGIR posted:The Execs are always the first to know, of course. It means they sat on it long enough to get their golden parachutes
|
|
#
?
Dec 14, 2020 22:21
|
|
|
This fucks with other rich people, so they might actually get a slap on the wrist for that one.
|
|
#
?
Dec 14, 2020 22:51
|
|
|
SANS live webcast re:Solarwinds https://www.youtube.com/watch?v=4tmlZCk2gCg
|
|
#
?
Dec 14, 2020 23:04
|
|
|
Farking Bastage posted:There are reports now of several SolarWinds execs dumping their stock options right before this blew up. They loving knew. If you’re a director of a public company you’re almost certainly trading under a 10b5-1 plan, and had to schedule that trade (or its parameters based on public info) 6+ months ago.
|
|
#
?
Dec 14, 2020 23:06
|
|
|
Subjunctive posted:If you’re a director of a public company you’re almost certainly trading under a 10b5-1 plan, and had to schedule that trade (or its parameters based on public info) 6+ months ago. Like they'd face any real punishment for not doing so.
|
|
#
?
Dec 14, 2020 23:10
|
|
|
CommieGIR posted:Like they'd face any real punishment for not doing so. You don’t have to, it’s just that a 10b5-1 plan is an affirmative defence against charges of trading while possessing material non-public information. That is hard to avoid as a director, to the extent that trades outside a plan almost certainly fall afoul of it, and directors are the ones with personal liability at the end of the day (D&O insurance won’t cover you). But the trading disclosures have information about when the relevant plan was filed, so it’s easy to check Edgar if you want to.
|
|
#
?
Dec 14, 2020 23:18
|
|
|
https://savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/ Interesting, I don't think I saw this here but maybe I did.
|
|
#
?
Dec 14, 2020 23:49
|
|
|
SANS livestream finished, led by @MalwareJake: Attributing to Russia No obfuscation in the code May be more affected Solarwinds products, but we have no proof either way yet. Nobody is sure what happened past June 2020 yet, waiting more details IOCs were provided, included the domain names they were reaching out to:  
|
|
#
?
Dec 15, 2020 00:07
|
|
|
they probably spent a pretty penny on those domains!
|
|
#
?
Dec 15, 2020 00:54
|
|
|
Subjunctive posted:You don’t have to, it’s just that a 10b5-1 plan is an affirmative defence against charges of trading while possessing material non-public information. That is hard to avoid as a director, to the extent that trades outside a plan almost certainly fall afoul of it, and directors are the ones with personal liability at the end of the day (D&O insurance won’t cover you). But the trading disclosures have information about when the relevant plan was filed, so it’s easy to check Edgar if you want to. https://www.sec.gov/cgi-bin/own-disp?action=getissuer&CIK=0001739942 They got themselves and their buddies out before the hack went public.
|
|
#
?
Dec 15, 2020 02:45
|
|
|
kensei posted:https://savebreach.com/solarwinds-credentials-exposure-led-to-us-government-fireye-breach/ 25 posts ago
|
|
#
?
Dec 15, 2020 13:24
|
|
|
How did they spoof the SAML tokens?
|
|
#
?
Dec 15, 2020 15:45
|
|
|
klosterdev posted:Maybe the government shouldn't trust the security of its software to the lowest bidder. Oh buddy I’m a nurse at a government hospital and let me tell you about our equipment
|
|
#
?
Dec 15, 2020 16:17
|
|
|
Martytoof posted:Please, they have SOME standards Just make sure to post it to the public
|
|
#
?
Dec 15, 2020 18:54
|
|
|
Man I understand that CISA is conservative and will likely narrow their definitions to match everyone elses at some point, but CISA saying "all of Solarwinds 2019.4" is a much broader scope than just the "2019.4 hotfix 5 and later" that everyone else is saying and really causing a lot of confusion to folks. Questions about that seemed to be most of the ones on various calls I was on yesterday. Hopefully they also reconcile the "patch/don't patch" instructions soon too because right now there's just a lot of confusion if you do any work with government.
|
|
#
?
Dec 15, 2020 18:54
|
|
|
Maneki Neko posted:Man I understand that CISA is conservative and will likely narrow their definitions to match everyone elses at some point, but CISA saying "all of Solarwinds 2019.4" is a much broader scope than just the "2019.4 hotfix 5 and later" that everyone else is saying and really causing a lot of confusion to folks. Questions about that seemed to be most of the ones on various calls I was on yesterday. This mess with solar winds isn't getting enough attention to be honest. Its one of the biggest security blunders in infosec history.
|
|
#
?
Dec 15, 2020 19:32
|
|
|
Sickening posted:This mess with solar winds isn't getting enough attention to be honest. Its one of the biggest security blunders in infosec history. even bigger than when a bunch of CIA tools got leaked like two years ago?
|
|
#
?
Dec 15, 2020 19:41
|
|
|
Defenestrategy posted:even bigger than when a bunch of CIA tools got leaked like two years ago? Considering Solarwinds is heavily used in nearly every US Government facility: Yes. The only saving grace here is that they pulled that stunt with Fireeye, which alerted them to the operation, and Fireeye in turn blew the cover off it.
|
|
#
?
Dec 15, 2020 19:58
|
|
|
Yeah. This seems like The Big One
|
|
#
?
Dec 15, 2020 20:12
|
|
|
Ours are shut down until further notice.
|
|
#
?
Dec 15, 2020 22:14
|
|
|
Sickening posted:This mess with solar winds isn't getting enough attention to be honest. Its one of the biggest security blunders in infosec history. Agreed if it turns out that random dude on twitter who claims creds were public isn't full of poo poo.
|
|
#
?
Dec 16, 2020 01:58
|
|
|
|
| # ? May 26, 2024 00:48 |
|
|
More info on how the Solarwinds trojan evaded detection: https://twitter.com/cybercdh/status/1338975171093336067?s=20 And the IOC URLs were pretty big money.... https://twitter.com/blackorbird/status/1338695429496553472
|
|
#
?
Dec 16, 2020 04:04
|
|