Re: Security breach at multiple Federal agencies via SolarWinds
- To: BerkeleyLUG <berkeleylug@googlegroups.com>
- Subject: Re: Security breach at multiple Federal agencies via SolarWinds
- From: Rick Moen <rick@linuxmafia.com>
- Date: Thu, 17 Dec 2020 11:15:40 -0800
- In-reply-to: <d09145ca-6392-4db8-8e55-11f352d847c6n@googlegroups.com>
- Organization: If you lived here, you'd be $HOME already.
- References: <d09145ca-6392-4db8-8e55-11f352d847c6n@googlegroups.com>
Quoting goossbears (acohen36@gmail.com):
> Further thoughts and insights on this from Michael P, Rick M, Thomas L, and
> anyone else here?
I'll pass on my late-night posting to CABAL's mailing list. As an
additional comment, cybersecurity firm FireEye, cited below as one of
the victims of the software-chain infiltration, i.e., one of
SolarWinds's customers who bought and ran the trojaned Orion Platform
network-management software, was also a _key good guy_. FireEye
figured out that their retail copies of Orion were up to no good (had
briefly breached FireEye corporate security from inside the firm's own
networks) and alerted Department of Homeland Security (and alerted
SolarWinds).
https://www.bloomberg.com/news/articles/2020-12-15/fireeye-stumbled-across-solarwinds-breach-while-probing-own-hack
My point is that Texas-based proprietary software company SolarWinds, Inc.
had been utterly clueless about having had their entire software
production chain taken over for months, and had to be informed of their
stunning incompetence and its catastrophic effects by a customer.
The phrase 'You had _one_ job!' comes to mind.
https://www.youtube.com/watch?v=zHCzlCoDBCI
One obvious lesson for Linux users is that it's a reminder that blithely
running some chump corporation's proprietary software exposes you to
risks that you would avoid if you said 'I'll pass' -- and that
code-signing can be just another way to go wrong with confidence...
as three million users of Google Chrome and Microsoft Edge are finding
out:
https://arstechnica.com/information-technology/2020/12/up-to-3-million-devices-infected-by-malware-laced-chrome-and-edge-add-ons/
"How could the Vimeo Video Downloader extension have been unsafe? It was
signed by the [Google|Microsoft] online store!"
I suspect I'll write about the latter story on CABAL's mailing list.
Date: Tue, 15 Dec 2020 22:52:30 -0800
From: Rick Moen <rick@linuxmafia.com>
To: conspire@linuxmafia.com
Subject: Security breach @ multiple Federal agencies via SolarWinds Orion software
Organization: If you lived here, you'd be $HOME already.
In this posting, I'll be trying in real time to figure out the
substantive reality behind a current news story. Example:
https://gizmodo.com/feds-still-trying-to-determine-how-screwed-they-are-aft-1845888076
Headline is:
Feds Still Trying to Determine How Screwed They Are After Massive SolarWinds Hack
by Tom McKay
RM: There are recurring problems with IT press coverage of security
items, especially security breaches. 1. Where, as is frequently the
case, somebody messed up, the details go underreported because the
people who know don't want to talk about it. 2. IT reporters usually
don't understand security very well, and tend to uncritically crib from
press releases.
A cyberattack that began by targeting an IT firm used by numerous
federal government agencies, Fortune 500 companies, and other high-value
targets is shaping up to be a historic event.
The U.S. government is still reeling after the detection of a massive
foreign intrusion into federal computer systems at agencies including—at
a minimum—the Department of Homeland Security, the Treasury, and the
Commerce Department; [...]
Those responsible built a backdoor into Orion, an IT management
software produced by SolarWinds, possibly by breaking into Microsoft
email accounts and other systems, according to the Wall Street Journal
[link]. They then used it to contaminate software updates provided by
the company with malware in March and June 2020.
To unpack that: Private US company SolarWinds, Inc. publishes
proprietary MS-Windows software for businesses to help manage their
networks, systems, and information technology infrastructure. For
obvious reasons, any such software is itself security-sensitive and runs
with elevated privilege. In Spring 2020, the Russian Federation Foreign
Intelligence Service ('SVR'), specifically its APT29 aka Cozy Bear team,
managed to break into the crown jewels at SolarWinds, Inc., gaining
control of a software signing key for the production software chain,
which was then used to gain 'tokens' for other highly privileged roles
at SolarWinds, and among other things insert remote-backdoor software
into a binary software library (SolarWinds.Orion.Core.BusinessLayer.dll)
used in future releases of SolarWinds's Orion Platform software product.
So, the 'malicious' code in question then went out signed by
SolarWinds's release-code key, and so went out automatically to
customers as supposedly authentic code.
This root-level compromise of a piece of widely used commercial
off-the-shelf (COTS) software snagged _lots_ of victims. Those who've
admitted getting suckered include:
o NATO
o US Treasury Dept.
o US Commerce Dept. National Telecommunications & Information Administration
o US Dept. of Homeland Security
o EU Parliament
o UK Health Service
o UK Home Office
o cybersecurity firm FireEye (!)
o pharmaceutical and biopharmaceutical company AstraZeneca (probably)
How did SolarWinds, Inc. get H4X0Red? Maybe, by being really
mind-bogglingly stupid?
https://www.msn.com/en-us/news/politics/notorious-hacker-fxmsp-sold-access-to-solarwinds-machines-report/ar-BB1bXZwj
[...]
Vinoth Kumar, a security researcher, told the outlet that he warned
SolarWinds that their update server could have been accessed by "any
attacker" with ease last year because the password was set to
"solarwinds123." Kumar first notified the company of the issue on
November 19, 2019 and the company responded three days later, according
to emails he supplied to Newsweek.
Kumar believes the vulnerability may have been present as far back as
June 2018.
[...]
Or maybe not?
The recent breach, allegedly by Russian hackers, is also unlikely to
be directly related to the password vulnerability since it took place
months after the issue was remedied.
Doesn't seem reassuring, anyway.
SolarWinds, Inc. asks customers to un-fsck themselves as follows:
SolarWinds asks customers currently using Orion Platform v2020.2 with
no hotfix installed or 2020.2 HF 1 to upgrade to Orion Platform version
2020.2.1 HF 2 as soon as possible to ensure the security of your
environment.
https://www.solarwinds.com/securityadvisory/faq
If I were a customer, I'd want the answer to the question 'What
happened, guys, and why should I feel reassured that it cannot ever
happen again?' Is that addressed in their security advisory FAQ, you
ask?
Why didn’t SolarWinds catch this vulnerability before it happened?
This attack was very complex and sophisticated. The vulnerability was
crafted to evade detection and only run when detection was unlikely.
Um, guys?
How do you know the new build is secure?
We have limited access rights to our build environment to only those
necessary and added additional controls to limit access further. As an
added precaution, we are using a new code signing certificate for our
new builds.
Um, _guys_? Why did this fail the first time?
With these processes in place how was your code compromised?
We are not aware that the SolarWinds code base was compromised.[...]
You're kidding.
[...]Our initial investigations point to an issue in the supply chain
resulting in a compromise of our product that inserted a vulnerability
within its Orion monitoring products which, if present and activated,
could potentially allow an attacker to compromise the server on which
the Orion products run.
'An issue in the supply chain'?
Here's the thing: If you do code-signing competently, you can no longer
pass the buck to 'the supply chain', because any (hypothetical)
tampering downstream from your crown-jewels signing machine would result
in the modified software no longer validating as signed by the signing
key of record.
So, the logical inference is that the above is poppycock, that
SolarWinds's code-signing infrastructure, the crown jewels, was indeed
compromised. And, by implication, SolarWinds, Inc. is either in denial
about this fact and is delusional, or is clumsily lying. The latter
interpretation would be a little more reassuring than the former, IMO.
Let's see what CSO Online says:
https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html
SolarWinds stated that its customers included 425 of the US Fortune
500, the top ten US telecommunications companies, the top five US
accounting firms, all branches of the US Military, the Pentagon, the
State Department, as well as hundreds of universities and colleges
worldwide.
The SolarWinds software supply chain attack also allowed hackers to
access the network of US cybersecurity firm FireEye [...]
/me reads many more paragraphs.
Nope, no useful insights from CSO Online.
Brian Krebs (https://krebsonsecurity.com/) has started to cover the
story, but in fairness it's quite new. (I expect he will have useful
things to say, and recommend his site.)
There's a subReddit to follow the story:
https://www.reddit.com/r/Solarwinds/
I'm going to have to close out this posting without any pretence of
having reached grand conclusions: Possibly, more will come out.
However, if I had to guess, based on available evidence, the root cause
will turn out to involve SolarWinds, Inc. security incompetence --
made worse by the shortage of transparency that is typical with
proprietary software companies.
You might wonder: Could something similar happen with, for example, the
Debian Project? The simple answer is 'yes', but there is competent
management of key-signing both at the ftp-master build machines and
among the individual maintainers of Debian packages. Basically,
the all-volunteer Debian Project routinely does _way_ better than this
major-name software company did.
--
To view this discussion on the web visit https://groups.google.com/d/msgid/berkeleylug/20201217191540.GI28791%40linuxmafia.com.
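The code-signing argument in the post above (tampering downstream of the signing machine fails validation, whereas a compromised signing key produces "authentic" malware, and the vendor's answer is a new signing certificate) can be shown with a small signature check. The following Go program is an added example, not code from the post, from SolarWinds, or from any real updater; it assumes Ed25519 detached signatures as a stand-in for the vendor's actual certificate scheme, uses deterministic constructed keys, and the "DLL" contents are made-up bytes that merely borrow the file name the post cites.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Release is a signed build as a customer's updater receives it: the bytes of
// the library plus a detached signature over their SHA-256 digest.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// SignRelease is the vendor's release-machine step: sign the payload digest
// with the release-code private key (the "crown jewels").
func SignRelease(name string, payload []byte, releaseKey ed25519.PrivateKey) Release {
	digest := sha256.Sum256(payload)
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(releaseKey, digest[:])}
}

// VerifyRelease is the customer side: recompute the digest and accept the
// build only if the signature validates under a currently trusted public key.
func VerifyRelease(r Release, trusted []ed25519.PublicKey) bool {
	digest := sha256.Sum256(r.Payload)
	for _, pub := range trusted {
		if ed25519.Verify(pub, digest[:], r.Signature) {
			return true
		}
	}
	return false
}

// TamperDownstream models a change made after signing (a mirror, a CDN, a
// proxy): the bytes change, the signature does not.
func TamperDownstream(r Release) Release {
	modified := append([]byte(nil), r.Payload...)
	modified = append(modified, []byte(" + modified in transit")...)
	return Release{Name: r.Name, Payload: modified, Signature: r.Signature}
}

// Outcome records what the customer's signature check says in each scenario.
type Outcome struct {
	GenuineVerifies          bool // honest build, honest key
	DownstreamTamperVerifies bool // bytes altered after signing
	KeyCompromiseVerifies    bool // trojaned build signed with the stolen key
	RotatedKeyRejectsOld     bool // after rotation, old-key builds are refused
}

// RunScenarios walks through the four cases discussed in the thread.
func RunScenarios() Outcome {
	// Constructed, deterministic keys so the example is reproducible.
	vendorKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	trusted := []ed25519.PublicKey{vendorKey.Public().(ed25519.PublicKey)}

	// Constructed stand-in for the library; only the name comes from the post.
	genuine := []byte("SolarWinds.Orion.Core.BusinessLayer.dll: constructed genuine build")

	var o Outcome

	// 1. Genuine build, signed on the vendor's release machine.
	release := SignRelease("2020.2", genuine, vendorKey)
	o.GenuineVerifies = VerifyRelease(release, trusted)

	// 2. Tampering downstream of the signing machine: competent code-signing
	//    catches this, because the signature no longer matches the bytes.
	o.DownstreamTamperVerifies = VerifyRelease(TamperDownstream(release), trusted)

	// 3. The signing key itself is compromised: a trojaned build signed with the
	//    key of record is indistinguishable from a genuine one at the customer.
	trojaned := append(append([]byte(nil), genuine...), []byte(" + backdoor")...)
	stolenBuild := SignRelease("2020.2 HF 1", trojaned, vendorKey)
	o.KeyCompromiseVerifies = VerifyRelease(stolenBuild, trusted)

	// 4. Response: issue a new signing key and stop trusting the old one. Builds
	//    under the old key are refused, whoever produced them; new-key builds pass.
	newKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	rotated := []ed25519.PublicKey{newKey.Public().(ed25519.PublicKey)}
	o.RotatedKeyRejectsOld = !VerifyRelease(stolenBuild, rotated) &&
		VerifyRelease(SignRelease("2020.2.1 HF 2", genuine, newKey), rotated)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

The point scenario 3 makes is the one the post draws: a signature check at the customer can only say "signed by the key of record", so once that key is in an attacker's hands, "the supply chain" is not where the failure lies. Scenario 4 is the only lever the customer has afterwards, and it works only if updaters actually drop the old key rather than keep trusting both.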