Re: Security breach at multiple Federal agencies via SolarWinds
- To: BerkeleyLUG <berkeleylug@googlegroups.com>
- Subject: Re: Security breach at multiple Federal agencies via SolarWinds
- From: Rick Moen <rick@linuxmafia.com>
- Date: Thu, 17 Dec 2020 17:21:41 -0800
- In-reply-to: <d09145ca-6392-4db8-8e55-11f352d847c6n@googlegroups.com>
- List-archive: <https://groups.google.com/group/berkeleylu>
- List-help: <https://groups.google.com/support/>, <mailto:berkeleylug+help@googlegroups.com>
- List-id: <berkeleylug.googlegroups.com>
- List-post: <https://groups.google.com/group/berkeleylug/post>, <mailto:berkeleylug@googlegroups.com>
- List-subscribe: <https://groups.google.com/group/berkeleylug/subscribe>, <mailto:berkeleylug+subscribe@googlegroups.com>
- List-unsubscribe: <mailto:googlegroups-manage+61884646931+unsubscribe@googlegroups.com>, <https://groups.google.com/group/berkeleylug/subscribe>
- Mailing-list: list berkeleylug@googlegroups.com; contact berkeleylug+owners@googlegroups.com
- Organization: If you lived here, you'd be $HOME already.
- References: <d09145ca-6392-4db8-8e55-11f352d847c6n@googlegroups.com>
- Reply-to: berkeleylug@googlegroups.com
- Sender: berkeleylug@googlegroups.com
- User-agent: Mutt/1.5.20 (2009-06-14)
Some comments about links Aaron posted, composing these in-passim as I
read the articles in question:
Quoting goossbears (acohen36@gmail.com):
> - Gizmodo's 'Feds Still Trying to Determine How Screwed They Are After
> Massive SolarWinds Hack',
> https://gizmodo.com/feds-still-trying-to-determine-how-screwed-they-are-aft-1845888076
A cyberattack that began by targeting an IT firm used by numerous
federal government agencies, Fortune 500 companies, and other high-value
targets is shaping up to be a historic event.
It appears so, partly because of the wide scope of SolarWinds, Inc.
users of the Orion Platform software who got shot in the foot, and
partly because of the sensitive nature of what Orion Platform does,
i.e., network monitoring, which I gather requires that the software
run with high privilege and access to networks and remote systems.
As with other articles I've seen, here, Gizmodo reporter Tom McKay
doesn't appear to properly grapple with just how grossly negligent
SolarWinds, Inc. was revealed to have been. Anyone old enough will
remember how much flak Ford Motors took over supposedly exploding gas
tanks on Pintos (which turned out to be a greatly exaggerated story, but
that's not the point). Somehow, a major software company publishes
software that, when installed at client sites, destroys client companies'
IT security, and all everyone can talk about is how freaked out the
customers are, i.e., hardly anyone's pointing an appropriate degree
of blame at the negligent party.
This astonishes me. It's like the botulism scandal over cans of Bon Vivant
vichyssoise, except with all the coverage being over the suffering of
victims and nobody saying anything about, looking at, or thinking about
the manufacturer -- and their attitude was just 'Well, sure, some cans
of soup poison and kill people, but, hey, stuff happens.'
Those responsible built a backdoor into Orion, an IT management
software produced by SolarWinds, possibly by breaking into Microsoft
email accounts and other systems, according to the Wall Street Journal.
[link] They then used it to contaminate software updates provided by the
company with malware in March and June 2020. In addition to U.S.
government agencies, the attackers also hit security firm FireEye;
senior vice president and chief technical officer, Charles Carmakal,
told Bloomberg [link] the firm was subsequently able to trace the intrusion
back to SolarWinds before it notified authorities.
The WSJ surmise was as follows: "How the hackers gained access to
SolarWinds systems to introduce the malicious code is still uncertain.
The company said that its Microsoft email accounts had been compromised
and that this access may have been used to glean more data from the
company’s Office productivity tools."
That's nothing like a complete picture on the vital "How did compromise
and privilege escalation occur?" question (not to mention obviously
involving speculation), but suggests a fatal laxness at SolarWinds, Inc.
Companies (and projects, like Debian) that take code-signing seriously
treat custody of the signing keys (and the production code repo) like
the crown jewels. There should have been _no_ path to get to them via
things like phishing and other dumb probes against Microsoft Exchange /
Microsoft Office.
> - CNN's Politics' article 'Massive hack of US government launches search
> for answers as Russia named top suspect',
> https://www.cnn.com/2020/12/16/politics/us-government-agencies-hack-uncertainty/index.html
This is what you get when you have an IT story covered by competent
political reporters instead of competent IT reporters: You get an article
about _who_, when the question mainly of interest is _how_.
> - CNN's Business article 'Why the US government hack is literally keeping
> security experts awake at night',
> https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
Despite the URL, this generally meritorious article likewise didn't explain
the Orion hack, except in the sense of saying "It was done via
SolarWinds's Orion Platform software, where the bad guys had full
control for over six months (BBC, below, says eight months) and
piggybacked their code to infiltrate customers via SolarWinds's signed
code for its retail software products."
> - The BBC News' Tech article 'SolarWinds Orion: More US government
> agencies hacked', https://www.bbc.com/news/technology-55318815
Reasonable layman's overview, adds some deserved praise for the response
of cybersecurity firm FireEye.
> - The BBC News' Tech article 'SolarWinds: Why the Sunburst hack is so
> serious', https://www.bbc.com/news/technology-55321643
This is a piece by a different BBC reporter who makes quite a lot of
basic errors, which I probably shouldn't waste time listing. I have
some sympathy for IT/'tech' reporters, always expected to provide good
coverage on impossible deadlines. This article is mostly about
ramifications, and shows that the reporter called up a bunch of contacts
in relevant fields, and relied heavily on what they said. (That is not
a bad thing. I'm just saying it's that type of article.)
Bruce Schneier is reporting on the reporting.
https://www.schneier.com/blog/archives/2020/12/another-massive-russian-hack-of-us-government-networks.html
https://www.schneier.com/blog/archives/2020/12/how-the-solarwinds-hackers-bypassed-duo-multi-factor-authentication.html
https://www.schneier.com/blog/archives/2020/12/more-on-the-solarwinds-breach.html
Schneier makes the point -- obvious to me, but maybe not to most readers
-- that just replacing the trojaned software installed via SolarWinds's
oopsie with a non-trojaned version is not _nearly_ good enough: that
any/all of SolarWinds's tens of thousands of affected customers are going
to have to do _major_ work to rule out and correct persistent, ongoing
penetration of their networks and systems. Just removing or upgrading
the trojaned Orion Platform software is closing the barn door after the
horse escaped.
SolarWinds, Inc. retroactively deleted the public list of its customers
from its public-facing Web site shortly after the scandal hit, but,
well, too late, fellahs!
https://web.archive.org/web/20201214143046/https://www.solarwinds.com/company/customers
(As noted in the comments on Schneier's blog, Internet Archive is not a
foolproof repository of things that moneyed interests want to make go
away, in that they sometimes take down their mirror copies in response
to pressure.)
Another commenter says that the customer list captured by Internet
Archive / Wayback Machine is a "very small subset of the SolarWinds
clients".
Found via the second of the above-cited Schneier links:
https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/
ADVANCED PERSISTENT THREAT —
SolarWinds hackers have a clever way to bypass multi-factor
authentication
Hackers who hit SolarWinds compromised a think tank three separate
times.
DAN GOODIN - 12/14/2020
Oh? _That's_ interesting.
Article cites researchers at a security firm named Volexity who say
they'd encountered late last year / early this year the same attackers
who compromised SolarWinds, and noticed that they'd used a clever trick
to neuter multi-factor authentication on the attacked network of a
think-tank organisation. However, this hack required that the intruders
first possess 'Administrator' access on the target MS-Windows network,
i.e., root privilege. The target company used a two-factor
authentication system published by Duo Security. Having Administrator
access, they simply stole a Duo Security token file from the target
company's Outlook Web Access server, used that to generate a special
'cookie' file, and then figuratively waved that around like Doctor
Who's psychic paper to fake out authentication servers in an 'Oh, you
don't need the second factor in addition to my stolen username and
password' sense.
So, this isn't actually very surprising -- but it does underline the
point that, if subject to a comprehensive breach, the recovering
organisation must assume that _all_ of the existing security
infrastructure is untrustworthy, including everyone's passwords and
system-internal security tokens.
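What "assume every token is untrustworthy" means in practice, as an added example that is not from this post and is not Duo's real cookie format: a hypothetical HMAC-signed session cookie that names the key version that signed it, so that post-breach rotation revokes the old key and any cookie minted under it is refused, however valid its signature still is.

```python
"""Session-cookie verifier with versioned signing keys (hypothetical scheme).

Cookie body is "key_id|user|expiry" followed by "|" and an HMAC-SHA256 tag,
all urlsafe-base64 encoded. Anyone holding a copy of a signing secret can
mint cookies that verify, so after a breach the secret itself is revoked.
"""
import hmac, hashlib, base64, time

class CookieAuthority:
    def __init__(self, key_id: str, secret: bytes):
        self.keys = {key_id: secret}   # key_id -> secret
        self.active = key_id           # key used for newly minted cookies
        self.revoked = set()           # key_ids no longer trusted

    def mint(self, user: str, ttl: int = 3600, now=None) -> str:
        now = int(time.time()) if now is None else now
        body = f"{self.active}|{user}|{now + ttl}".encode()
        tag = hmac.new(self.keys[self.active], body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + b"|" + tag).decode()

    def verify(self, cookie: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            # maxsplit=3: the raw tag may itself contain a "|" byte
            key_id, user, exp, tag = base64.urlsafe_b64decode(cookie).split(b"|", 3)
        except ValueError:
            return False
        key_id = key_id.decode()
        # A key from the breach window is refused even when the MAC checks
        # out; that is what invalidates cookies minted with a copied secret.
        if key_id in self.revoked or key_id not in self.keys:
            return False
        body = b"|".join([key_id.encode(), user, exp])
        expected = hmac.new(self.keys[key_id], body, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and int(exp) > now

    def rotate(self, new_key_id: str, new_secret: bytes) -> None:
        """Incident response: distrust every key that existed during the
        breach and sign only with fresh material from now on."""
        self.revoked.update(self.keys)
        self.keys[new_key_id] = new_secret
        self.active = new_key_id
```

Removing the trojaned software but keeping the old key corresponds to never calling `rotate()`: every cookie issued under that key stays valid until it expires.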
It should be noted that both Volexity and FireEye are being careful
about the attacker's identity -- in distinction to many in the press who
are saying APT29 / Cosy Bear. Volexity merely calls the attacker Dark
Halo, and FireEye calls them UNC2452 - both names invented for the
purpose.
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
--
To view this discussion on the web visit https://groups.google.com/d/msgid/berkeleylug/20201218012141.GJ28791%40linuxmafia.com.