SolarWinds: “monitoring products it released in March and June of this year may have been surreptitiously tampered with in a ‘highly-sophisticated, targeted and manual supply chain attack by a nation state.’”
“two people familiar with the investigation said…connected to a previously announced intrusion at cybersecurity firm FireEye.”
Last Tue 12/8: “FireEye, one of the largest cybersecurity companies in the United States, said on Tuesday that it had been hacked, likely by a government, and that an arsenal of hacking tools used to test the defenses of its clients had been stolen.”
“FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.”
Seems they don’t know who the “supply chain” attacker is who essentially impersonated the legitimate software update.
“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.”
“The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security”
“This campaign may have begun as early as Spring 2020 and is currently ongoing.” – so things aren’t safe yet?
“Post compromise activity following this supply chain compromise has included lateral movement [they still have access after discovery] and data theft”
Repeat, FireEye is saying they don’t know who did this.
“FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild.”
“post compromise activity leverages multiple techniques to evade detection and obscure their activity”
“This actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim’s environment”
“Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor.”
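A small host-triage script built on the two names FireEye gives above (the DLL and the backdoor class). This is an added example, not FireEye's signature set or SolarWinds code; the hash list is a placeholder to be filled from published SUNBURST indicators, which this page does not list. The point it shows: because the trojanized DLL carried a valid SolarWinds signature, a signature check alone does not clear a copy, so triage has to look at the file's hash and contents.

```python
import hashlib
import sys
from pathlib import Path

# Names taken from the FireEye text quoted above.
TROJANIZED_DLL = "solarwinds.orion.core.businesslayer.dll"
BACKDOOR_CLASS = b"OrionImprovementBusinessLayer"

# PLACEHOLDER (assumption): populate from FireEye's published SUNBURST
# hashes; the page itself lists none.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def inspect_dll(data: bytes) -> dict:
    """Hash the file bytes and look for the backdoor class name.

    .NET type names are stored in the assembly's #Strings heap as plain
    UTF-8, so a byte search is enough to flag the trojanized build for
    triage. A valid Authenticode signature does NOT clear the file: the
    backdoored DLL was signed by SolarWinds, as the quoted text says.
    """
    sha256 = hashlib.sha256(data).hexdigest()
    has_class = BACKDOOR_CLASS in data
    hash_match = sha256 in KNOWN_BAD_SHA256
    return {
        "sha256": sha256,
        "has_backdoor_class": has_class,
        "hash_match": hash_match,
        "suspicious": has_class or hash_match,
    }


def scan_tree(root: str) -> list:
    """Walk a directory and report every copy of the Orion BusinessLayer DLL."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == TROJANIZED_DLL:
            result = inspect_dll(path.read_bytes())
            result["path"] = str(path)
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Usage: python triage.py <directory to scan>  (hypothetical file name)
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```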
Odd tweet from Krebs. He says “odds are you’re not affected” when FireEye says it’s worldwide and highly alarming. Then Krebs says to focus on “Crown Jewels”…
FireEye basically recommends cutting off access from SolarWinds to digital assets on the network (“Crown Jewels”) that are most valuable. Krebs seems to point the attackers to them! (Or is that just me?)
The obvious question is why are we doing the Russia Russia Russia dance again when the attacker is unknown and admittedly “evasive”?
Another obvious question is why the government allows remote access by commercial entities (who serve China) to emails at the White House, DOD, NSA, etc. Seems like carelessness at best, deliberate leaving the door open at worst.