SolarWinds hack may have compromised UK Public Sector systems
Thread Starter
https://www.theregister.com/2020/12/...public_sector/
Concern is gathering over the effects of the backdoor inserted into SolarWinds' network monitoring software on Britain's public sector – as tight-lipped government departments refuse to say whether UK institutions were accessed by Russian spies.
As reported in the small hours of this morning by The Register, it appears the downloads page for SolarWinds' Orion Windows monitoring platform was altered by Kremlin hackers – known as APT29, aka Cozy Bear – so that victims fetched and installed a tampered-with version that included a remote-control backdoor.
This malicious code was detailed by FireEye, which itself said it was earlier hacked by state-level miscreants. Said victims of the Orion job are said to include the Treasury and the Dept of Commerce at the US government. It's not clear at this stage whether FireEye was also hacked via a dodgy Orion install.
Research by The Register has shown that SolarWinds' Orion is used widely across the British public sector, ranging from the Home Office and Ministry of Defence through NHS hospitals and trusts, right down to local city councils.
A job advert for the MoD's Corsham tech bunker lists SolarWinds as one of the tools used by a third-line software support engineer; similarly, a network design engineer job with the MoD's Defence Equipment and Support agency posted in May also listed SolarWinds proficiency as a "nice-to-have" skill.
SolarWinds' products are in regular use in the Royal Navy and Royal Air Force, with the agency also counting GCHQ, the Cabinet Office, and the Ministry of Justice among its customers. Most concerningly, a company brochure [PDF] also stated that the MoD's Defence Equipment and Support agency was a SolarWinds customer. DE&S is the agency that maintains Britain's high-tech fighter jets, submarines, and warships.
Analysis:
https://www.theregister.com/2020/12/..._winds_update/
As the debris from the explosive SolarWinds hack continues to fly, it has been a busy 48 hours as everyone scrambles to find out if, like various US government bodies, they've been caught in the blast. So, where are we at?
In terms of the news flow, it started in the middle of last week with FireEye. The specialist IT security firm brought in by multinationals when they suffer high-profile hacks found itself admitting last week it had itself been hacked.
Not only that but miscreants, strongly suspected to be Kremlin-backed Russian hackers, had penetrated FireEye's servers and made off with its crown jewels: the tools it uses to test other companies’ defenses. Armed with those penetration tools, hackers could potentially identify which of their methods will pass FireEye's gaze undetected.
Anticipating the stolen tools leaking into the wrong hands, FireEye put out a range of materials to help others detect if its testing software is being used in the wild. It then investigated how its network defenses were breached.
Fast forward to the weekend, and various US government organizations discovered they too had been hacked, with Russia's APT29 aka Cozy Bear team suspected. The Department of Commerce, Treasury, and Homeland Security said their systems, including email, have been compromised in what may well be the most massive and consequential publicly known hack of American government data networks in history...
Last edited by artee; 15th Dec 2020 at 03:43. Reason: Added analysis.
Part of building any secure computer environment is to employ the clean source principle. It's really simple. First you confirm the site you are downloading from is bona fide. You then download the vendor's software bundle from the internet into a quarantined area, and then download the vendor's checksum for that software bundle. You generate your own checksum for the software bundle you just downloaded and compare it with the vendor's checksum. If they match, you document this step in your logs and move the software bundle out of quarantine ready for installation.
People tamper with file downloads all the time, people also pretend to be authorities/representatives for other vendors. It's not difficult to circumvent all this, all it requires is an investment of an extra 15 minutes.
This is totally inexcusable.
The 'clean source' or 'supply chain' was amongst the systems compromised. The cross-checks you list above would reveal nothing but normal results, as the trust chain was intact. This hack was amazing - at source level, at root trust level; code that remained dormant for 12 to 14 days before taking first steps, code that was aware if it was sandboxed or live, code that was embedded in otherwise normal external traffic, code seemingly going to normal external addresses, code that paused if actively searched for, code that hid in plain-sight http rather than HTTPS, code that supported normal functionality. This was not your father's hack; this was mind-bogglingly good. This was unlike anything seen before.
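The quarantine-and-checksum procedure from the earlier post, and the limitation pointed out in the reply above, as an added worked example (not code from either poster or from SolarWinds). It builds three constructed "bundles" locally instead of downloading anything, assumes GNU coreutils `sha256sum`, and logs each comparison the way the procedure requires; the third case shows that when the vendor's own build pipeline is compromised, the published checksum matches the backdoored file and the check passes.

```shell
#!/bin/sh
# Constructed example: all files are created locally so this runs offline.
# Assumes sha256sum (GNU coreutils) is on PATH.

# Throwaway quarantine area and the log the procedure says to keep.
QUARANTINE="$(mktemp -d)"
LOG="$QUARANTINE/verify.log"

# verify_bundle BUNDLE VENDOR_CHECKSUM_FILE
# Computes our own SHA-256 of BUNDLE, compares it with the vendor-published
# value, records the outcome in the log, and returns 0 on match / 1 on mismatch.
verify_bundle() {
    bundle="$1"
    vendor_sum_file="$2"
    # Vendor checksum files usually read "<hex>  <filename>"; keep the hex only.
    expected="$(awk '{print $1}' "$vendor_sum_file")"
    actual="$(sha256sum "$bundle" | awk '{print $1}')"
    stamp="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if [ "$expected" = "$actual" ]; then
        printf '%s OK %s sha256=%s\n' "$stamp" "$bundle" "$actual" >> "$LOG"
        return 0
    fi
    printf '%s MISMATCH %s expected=%s actual=%s\n' \
        "$stamp" "$bundle" "$expected" "$actual" >> "$LOG"
    return 1
}

# Case 1: genuine bundle and the vendor's checksum for it -> passes.
printf 'genuine installer bytes\n' > "$QUARANTINE/orion.msi"
sha256sum "$QUARANTINE/orion.msi" > "$QUARANTINE/orion.msi.sha256"

# Case 2: bundle altered after the vendor published its checksum (tampering
# in transit or on a mirror) -> the checksum check catches it.
cp "$QUARANTINE/orion.msi.sha256" "$QUARANTINE/tampered.sha256"
printf 'genuine installer bytes + extra\n' > "$QUARANTINE/tampered.msi"

# Case 3: the vendor's own pipeline is compromised, so the "official" checksum
# was computed over the backdoored build -> the check passes and reveals
# nothing, which is the point the reply above makes about this incident.
printf 'backdoored build from vendor\n' > "$QUARANTINE/poisoned.msi"
sha256sum "$QUARANTINE/poisoned.msi" > "$QUARANTINE/poisoned.msi.sha256"
```

Run the three cases in order; only the second one lands a MISMATCH line in the log, which is exactly why the checksum step is necessary but not sufficient on its own.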
We use SolarWinds; it got an update early this year, perhaps with the very version described above (I'll have to check). I'm not a fan of it (slow/clumsy), and although it does contain a lot of internal network topography information, it doesn't know everything. We also monitor all external interactions closely.
As someone with a toe quite deep in the cyber security industry, it's quite nice to see the whole industry pulling together and a) praising FireEye for their response and b) their cooperation with other vendors, so updated protection in the form of signatures and things to look for can be rapidly disseminated.
I doubt there would be too many people here in the cyber industry given the main thrust is aviation, but those that are will be talking to their customers (I have been...) to point them in the right direction.
Hopefully the customer reaction will be to recognize that the security emperor has no clothes, the service is not worth the enormous cost.
The massive proliferation of classification and the associated 'security efforts' have obviously widened the attack surface so much that it becomes indefensible.
Massive data bases and services spread across thousands of entities, with very uneven maintenance practices, are not easy to keep secure.
Making the accumulation bigger simply reduces security even further.
But the core idea is that secrecy is very short lived; stuff leaks no matter how hard one tries to prevent it, whether the A bomb, or the SOSUS or the Keyhole spy satellites or whatever.
Our policies and procedures should be set accordingly.
Not sure having your upload server password as solarwinds123 is really safe
Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”.
Thread Starter
Maybe after he alerted them they changed it to "solarwinds456"