Don't forget to mention that the owners of SolarWinds dumped a lot of stock before the hack was made public.
After the Executive VP dumped around 45-54 million dollars, then two Chinese connected companies bought into the company in October and November.
Thanks Max, I did not know that. As with 9-11, the mainstream media is loath to simply "follow the money."
www.washingtonpost.com/technology/2020/12/15/solarwinds-russia-breach-stock-trades/
@@phungo1028 Washington Post is 100% Pure Deep State "propaganda" - zero journalistic credibility !
@@joedonzi9552 The stuff in the article is pretty much open-source. If you don't believe them, you just have to dig out the public record of stock trades. IF it was fake, Solarwinds would have demanded retraction immediately.
On the SaaS point - the very first path listed on the "Known Paths" slide is 'N-Able Technologies' - a well known Managed Services platform for small to medium MSPs SolarWinds acquired a few years ago, and available as SaaS and local, which makes this a bigger footprint than the 18k companies that are Orion users... And NTM is also a listed path, which is not Orion specific...
Sans Undertale
lol hi
Very informative...I can't wait to listen to the updates on this hacking incident
I cant wait for them to leak
Can’t believe sans did this after the pacifist timeline
What are the other two state governments attacked other than Arizona?
Thanks, everyone! Will be sharing this with friends and family. It's too important to miss.
Great presentation Jake.
Thanks for hosting SANS.
Solarwinds stock will take a big hit as all the Government customers dump their products.
I sure hope so!
Was panic sold in September according to what I read earlier (by those in the know & at a wonderful price obviously)
We just denied a renewal of one of their products. We'll probably start specing out a replacement product. I work at NASA.
Just like they dump all the Microsoft apps when those are found vulnerable.
@@rocketman5167 I'm already worried about NASA security if people in their IT are advertising that they do on a public forum.
Symantec belongs to Norton Life Lock, correct?
They use Chinese customer service that drops the call when you ask for American customer service
I think this incident also has implications for Huawei and 5G, which was a hot topic a year ago or so. Just imagine what someone having control of 5G equipment might do...
Umm...trigger nano transmitters attached to the exoskeleton of a virus perhaps?
Creating rapid replication & lethal cytokine storms ?
Something like that?
Professor Lieber. Harvard. Wuhan. Arrested.
Certificate has to be revoked, surely?
Wash-up effort maybe, but the platform was pwnd, so "assume breach" means "assume attackers have a valid code-signing certificate".
That same cert used with Evilgrade could be a viable vector against multiple software platforms - even if SVR choose to leak or share it rather than make direct use themselves.
Could one of the reasons for MS being blocked be that they want to fly under their radar and not be identified there? To give hackers a longer runway to execute in stealth mode?
FireEye breach hits the public airwaves. SolarWinds hack detected by FireEye relieving pressure from FireEye. Hmmmm.... such odd timing.
Roger that Captain... next up is Alpha Vector.
@@judaspreistvlct Apps, cellphones tvs...?
And some companies want me to buy those systems which allow me to lock and unlock my house doors through my cellphone 🤣. NEVER EVER.
Why was it found only by FireEye? Why didn't other organizations detect that attack? In particular the US security agencies?
I guess they have more intelligence than the CISA. We won't know the truth unless the hackers decide to tell us so. I wish they would leak what they know now. Firewalls give false security.
I'm thinking that they excluded the MSFT IP ranges because access to O365 & Azure customers was very, very valuable to them, and they wanted to maintain access to those systems as long as possible. They wanted MSFT to see their access as normal customer access, not a breach.
The 'actor' inserted code into GIT repository - became part of the build process?
Why wouldn't you put the NMS device and all SolarWinds tools into their own firewalled segment with granular controls?
I would not rely on their finding that this is done by Russia.
Why isn't there a way for your connected devices to confirm the source of a command? There should be a generated code required for each computer that changes each time the server attempts access/commands. I'm fixing to sell all my shares of this company....just a lack of due diligence
They are all hackable
OK, so you have a deployment test bed, your sandbox, and you see nothing happens, so you deploy it to production. After you deploy to production, don't dismantle the sandbox for re-use elsewhere. Keep the sandbox around FOREVER. Monitor the sandbox for beaconing forever. It should NEVER beacon! But if it does, it doesn't matter whether it lay dormant for fourteen days, a month, a hundred days or years. When it finally does beacon, that will suffice to set off alarm bells.
@@douganderson7002 ha ha
Thanks for being so transparent. Hopefully other software like WSUS or other 3rd party patching software wasn't/isn't also affected by different supply chain breaches.
One time some coyotes got inside the goat pen here in SE OK. Is this hacking something like that?
The common question in all these videos analyzing the breach and hack seems to be; "How was SolarWinds (itself) breached?". To me the answer is obvious ... an employee or contracted developer. Who else would know where to "plant" the corrupted .dll in an upgrade/maintenance/fix package?
Is there a vaccine for this ?
Hahaha
Only if you give up more freedom.
Thanks Jake and SANS for this exquisite presentation. This was informative and straightforward
Who has configured a network device so that an NMS can make changes and resolve issues? Possible, but not likely.
Curious. First breach is indicated as occurring back in March 2020? When our first imposed quarantine began. Makes sense. That's when many, many, systems experienced breaches as a result of lacking continuity and response due to Coronavirus. Coronavirus made for the perfect playing field and distraction. While everyone was busy trying to get their stuff together and figure it out, attackers were finding ways to make bank.
For those that didn't use SolarWinds to write configurations (and I hope that was a lot of their clients), SW could have been easily set up and ACL'd to ping, read-only WMI, read-only SNMP, and receive inbound-only NetFlow packets. If you're not limiting your monitoring/reporting system behind a firewall in this way, I recommend it strongly regardless of the brand of NMS you use.
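The read-only ACL in this comment and the earlier "keep the sandbox forever, it must never beacon" comment both come down to the same check over flow records. The following is an added example, not code from the page or from SANS: it evaluates constructed flow lines (hypothetical addresses) against a monitoring-only policy for the NMS and a no-egress policy for the retained sandbox, and separately flags any outbound (src, dst) pair that recurs at a near-constant interval, which is what a dormant implant waking up looks like in flow data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical addresses for the example (not from the page).
SANDBOX = "10.9.9.10"   # test bed kept alive after rollout; must never talk out
NMS = "10.1.1.20"       # production NMS, ACL'd to monitoring protocols only

# Least-privilege policy as the comment describes it, keyed by host and
# direction: 'out' = the host initiated the flow, 'in' = a peer did.
# Simplified on purpose: WMI over DCOM also needs the RPC dynamic port range
# (or a fixed WMI port), and "read-only" is enforced by the SNMP community /
# WMI permissions on the target, not by a layer-4 rule.
POLICY = {
    NMS: {
        "out": {("icmp", 0), ("udp", 161), ("tcp", 135)},  # ping, SNMP get, WMI/DCOM
        "in": {("udp", 2055), ("udp", 162)},               # NetFlow export, SNMP traps
    },
    SANDBOX: {"out": set(), "in": set()},                  # nothing, ever
}

def parse_flows(text):
    """Parse constructed 'ts,src,dst,proto,dport,direction' lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, direction = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "dir": direction})
    return flows

def policy_violations(flows):
    """Return flows that touch a policed host outside its allowed set."""
    bad = []
    for f in flows:
        host = f["src"] if f["dir"] == "out" else f["dst"]
        rules = POLICY.get(host)
        if rules is not None and (f["proto"], f["dport"]) not in rules[f["dir"]]:
            bad.append(f)
    return bad

def find_beacons(flows, min_count=4, max_cv=0.2):
    """Flag (src, dst) pairs whose outbound flows recur at a near-constant
    interval: enough samples and a low coefficient of variation of the gaps."""
    times = defaultdict(list)
    for f in flows:
        if f["dir"] == "out":
            times[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, round(avg)))
    return beacons

# Constructed sample flows, not real data: the NMS doing its job, one SSH
# attempt from the NMS that the ACL must block, and the "dormant" sandbox
# waking up two weeks later and checking in roughly hourly (jittered).
SAMPLE_FLOWS = """\
1609459200,10.1.1.20,10.2.0.5,icmp,0,out
1609459201,10.1.1.20,10.2.0.5,udp,161,out
1609459202,10.2.0.7,10.1.1.20,udp,2055,in
1609459203,10.1.1.20,10.2.0.9,tcp,22,out
1610668800,10.9.9.10,203.0.113.5,tcp,443,out
1610672400,10.9.9.10,203.0.113.5,tcp,443,out
1610676010,10.9.9.10,203.0.113.5,tcp,443,out
1610679600,10.9.9.10,203.0.113.5,tcp,443,out
1610683195,10.9.9.10,203.0.113.5,tcp,443,out
"""
```

Running `policy_violations(parse_flows(SAMPLE_FLOWS))` reports the SSH attempt and every sandbox egress, and `find_beacons` reports the sandbox calling 203.0.113.5 about every 3599 s; on real data, feed it the exporter's records and keep the sandbox in the policy table for as long as the comment says: forever.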
Can be attributed to Russian SVR but the information hasn’t been shared publicly? What makes one so certain? I would hope they would be more transparent on that aspect.
Manuals are in what language?
Not going to happen, spoon fed narrative
Security Advisory: (Updated 12/24/20) SolarWinds asks ALL ORION PLATFORM CUSTOMERS to update their Orion Platform software as soon as possible to help ensure the security of your environment. More information is available in our Security Advisory and FAQ pages.
Why are our leaders not speaking about this?
Some know about it, some may benefit
I heard the hacked the grid.
Can they shut it down?
Thank you SANS and thank you FireEye!
If they are attributing this to an APT then check to see if they are hanging out in the Registry and/or using network management tools such as PowerShell to obfuscate themselves. May need to simply turn the power off as well to remove them from the registry.
@MalwareJake Thank you for an excellent presentation; distilling critsit content into easily digestible bytes. 👍🏼
So, what really happened to Google? Though they claimed it was an Authentication Server issue, the fact that Google itself chose brevity in its communication was very out of character.
Was the Authentication server brought down to observe their break-glass procedure? Or was it brought down as part of a phase operation?
Best YT video I've seen since . . I don't know when.
Fantastic presentation, thank you!
@24:00 Yikes - the fact that the attackers knew the build system well enough to piggyback beyond the basic source build process means that they were there quite a bit of time before the actual software upgrade (malware) was made available.
Just skip to 27:25
👍
Appreciate it
Thank you!
Why is this not pinned to the top comments?
Stay tactical my friends. I recently interviewed a cyberwar expert on my channel....scary!
Thank you Gary, I really needed this. Xi and the Democrats are up to something nefarious.
@@ianvulm4542 Yes they are. Why did Kris Kreps take a position at SolarWinds when he was the one in charge of making sure shit like that didn't happen?
Wonder if has anything to do with manipulations in social media
You mean like Dominion Voting Systems?
3 state governments involved one is Arizona.
excellent presentation.
Stop calling it a supply chain attack, unless the malware was uploaded into the Orion code from a supplier. Blame the use of password authentication on the NMS. Blame the lack of an integrity check.
Super thanks for this.
The supply chain is always attacked .... in fact the supply chain is always the first thing to attack in any military operation ....
Thank you Patriots!
I second that!!!
About twice as many words spoken as necessary. Tends to bury the valuable stuff.
He would not be in the position he's in if he made a lot of sense.
I have made this letter longer than usual, only because I have not had the time to make it shorter.
~Blaise Pascal
Thank you
From the Solarwinds website; "We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker."
With inside help
@@jenalatz3589 I believe (too) that this was an inside job within SolarWinds. How else would someone know which .dll module to replace?
Wouldn't it be quicker to limit the network to just the systems you need to monitor? ACL(s) for the Win....
Awesome webinar guys, well done!
Sans?
Hehheheheheheheheeheheheeheheheheh
Saneeees
Thank God people like this stuff..I just fell asleep somewhere around 7:50.
Thank you. good job
As the former engineering manager for the SevOne NMS I know the risks for this type of software. I think you missed one key point here: The compromise of SolarWinds.Orion.Core.BusinessLayer.dll, or any component built by a software vendor for high-risk environments, is very sloppy. Standard practice is to always build from source in secure, or air-gapped, environment and have multiple people review every commit to the codebase. Signing code after the source / build is compromised has no value.
You don't put information you want kept secret on a computer
Nobody:
Dark Army: Its time for Stage 3
Exactly my thinking hahah
I'm surprised the comments aren't flooded with Sans from Undertale
Thanks for the Informative Session.
I am pretty sure I didn't even understand half of the things he said.
@@deathmakesmoresense5354 Yes, Bill Gates is a physician now and journalists are IT experts.
This is where it gets difficult . And NO none of this has anything to do with civil war . Pass The Word
Oooooh ... Russia! Russia! Russia! How many times can the national security state draw from that well?
Isn't automation the main hole here
Thanks MalwareJake
Speaker should stick to his strengths and steer clear of politics.
Russia???? Where is your proof and methodology to make ANY threat actor attribution? We would all love to hear (threat actor attribution=fraud) Now apt29? This is a joke. Right? It takes a village? WHAT?
It's their go to
I remember now where I heard of SolarWinds: a hidden application was running on two of my business PCs. When I told the professional IT company that it meant a compromised machine, he told me no, because if it's just for monitoring things it's harmless. Even when I reminded him absolutely nobody here nor there is using any software from them. We use different MSP software. What an idiot he was, I removed it and fired them
The amounts paid for ransoms by public service providers in the past 6 years has to be astronomical
And WHY NOT CHINA?????
China is a person of color. Unless you want to be a racist, fine go ahead.
@@ianvulm4542 China is a CIVILIZATION.
@@ianvulm4542 everyone knows what they are talking about, language police
@@ianvulm4542 you didn't answer the question but went straight to identify politics, very telling
ty for the important info !!!!!!
Hello Sans,
I really want to know how they actually injected malicious code in the software. Basically how they came inside solarwinds.
It was more simple than complex. It involved MS-DOS and COBOL as well as the coronal index. Once you latch onto the index it's just a matter of injecting malware as long as it's binary in nature. Hope that helps.
He is driving me NUTS with ending so many statements with the superfluous "right?" Stop saying that!!! grrrrrr...
Why am I just learning about this? On 12-15
It's an emergency massive cyber attack, all of the many services we use on a daily basis (user accounts, bank accounts, passwords, etc) MIGHT be at greater risk because whoever launched Sunburst and all other viruses into SolarWinds can cause the hackers to steal sensitive government information AND our own information like emails, passwords, and many
Like we don’t know if our youtube accounts are in danger
Because MSM and big tech decide what is heard. Those that control the narrative have the power.
I bet bitcoin was hacked and the value artificially elevated. Noticed bitcoin's value skyrocketed after this major hack.
This is amazing intel. Very sobering and professional.
I would have to disagree that supply chain attacks are not common, as stated at the 3:00 mark...according to Symantec, supply chain attacks almost doubled between 2018 and 2019, increasing by 78%...2018 Ponemon Institute study found that 56% of organizations suffered a breach caused by one of their vendors...having a hard time reconciling those numbers with the comment that supply chain attacks are "not common".
Yep. I can vouch for that. My company had a breach by Tableau not too long ago. Compromised credentials that gave the attacker access to our data. Didn't hear that in the news, right? A lot of things do not get publicized.
It makes sense that Russia and China are attributed.
However if there’s a CME there will be no broadcasting over the Internet
perhaps
Whelp, my son's middle name is Orion. It feels personal.
THE RUSSIANS AGAIN!!!! This is getting old. I'm sick of this globalists' game.
USA deserves it
It would help to think of corporations as the same as the nation-states here. They hire their own goons with their own loyalties.
Omg. You actually used the Texas FBI.
Oh Russia, eh? Suuuuuure. 🙄
North Korea
These comments sus af, THANKS JAKE AND SANS like naw, botments exist for a reason
Thank you Robert for your comment. I highly recommend a monthly subscription to the Washington Post. Your friend always.
Patch to HF2 - saved you an hour, which you're going to need as the SW upgrade tool is a pile of poop
I think your assessment of friendliness of one administration to another may need a little work.
51:57 Get your magical Pokémon SaaS immunity card. 🐤⚡️
Talk about backdoors
Spinning??? Russia??? Nice try. SMH
Let’s not be silly. A hacker like this would either be a group of motivated people or it would just be them, proving to each other and us that we need to upgrade. Hopefully they will make everyone, including the devilish people who have been running this country show their identification before logging back in to whatever bullshit content they hold on those servers.
Thanks ...
Our security folks were useless at actual computer security. Too politically influenced by mahogany row.
DHS should be extinguished.
Clutch, thanks SANS!
SolarWinds is connected to Amazon, looks like Jeff might go to Gitmo
Probably not. He's offered up the sacrificial lamb that starts the currency reset. It's all part of the plan.
Can anyone give me a TLDR?
Russian Hackers :-\
Don't put sensitive data on any Microsoft product.
Irish Catholics love Commie China. Many such cases.
Orlando Bravo put it there obviously. Duh!
Not once did this guy mention Israel ......why?
I stopped watching at 40:00 I'm pretty sure I don't need to watch anymore
Attribution to Russia is dependent on how much we trust FireEye. Do you? I don't! As far as I am concerned FireEye could be NSA. Please provide evidence.