The Fireeyes and SolarWinds – ‘Nation-State!’ Hack


  • #64617
    Ed P
    Participant
      @edps
      Forumite Points: 39

      US Government hacked via SolarWinds Compromise by a supposed Nation State. link

      When you read the CVEs that SolarWinds had issued to them back in August, you really have to wonder whether the ‘Nation State’ might have been just script kiddies, as the vulnerabilities had been there for many months before!

      link

      CVE-2020-25620: SolarWinds Support Account with Default Credentials

      CVE-2020-25621: Local Database does not require Authentication (N-Central Backend Server)

      CVE-2020-25618: Local Privilege Escalation from nable User to root (N-Central Backend Server)

      So when you read that this compromised Fireeyes and most of the US state systems, you should not immediately leap to the conclusion that Russia/China/North Korea or any other bogeyman was behind it. However, to be fair, the actual exploit that was written to abuse these poorly administered security holes was much more sophisticated:

      Qualys link

      Unfortunately you will not hear the last of this as Donald Trump has now picked up that the software chain leads through Fireeyes to the Dominion Voting machines used during the Presidential Election.

      Twitter thread

      General Flynn
      @GenFlynn
      This means the US SolarWinds product is  compromised across the USG. Likely China w/ back doors to every dept, agency & activity in the USG. Not good. @realDonaldTrump
      this is a grave natl scty threat, esp at this moment. Demand answers ASAP! Know you will.” :wacko:

      #64655
      Ed P
      Participant
        @edps
        Forumite Points: 39

        It gets worse. A public GitHub repo leaked the unencrypted FTP credentials of SolarWinds for the last 2+ years. What could possibly go wrong!

        link
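As an added, defensive illustration of the leaked-FTP-credentials problem raised in the post above (example code, not from this thread, from SolarWinds or from any GitHub tooling): a small scanner that flags FTP credentials committed in plaintext, run over a constructed sample build script. The regex names, the placeholder list and every sample value are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Two common ways FTP credentials end up committed: a URL with an embedded
# user:password pair, and a config/script assignment such as ftp_password=...
# Both patterns are constructed for this example; tune them for your own code base.
FTP_URL_RE = re.compile(r"\bftps?://([^\s:/@]+):([^\s@/]+)@([^\s/:]+)", re.IGNORECASE)
ASSIGN_RE = re.compile(
    r"\b(ftp[_\-]?(?:pass(?:word)?|pwd))\b\s*[:=]\s*['\"]?([^'\"\s]{4,})",
    re.IGNORECASE,
)
# Obvious dummy values that should not raise an alert (assumed list).
PLACEHOLDERS = {"changeme", "password", "xxxx", "<redacted>", "example"}


def mask(secret: str) -> str:
    """Keep only the first and last character so a finding is safe to log."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def scan_text(text: str, path: str = "<stdin>") -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, kind, masked_secret) for each suspected FTP credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in FTP_URL_RE.finditer(line):
            user, pw, host = m.groups()
            if pw.lower() not in PLACEHOLDERS:
                findings.append((path, no, f"ftp-url user={user} host={host}", mask(pw)))
        for m in ASSIGN_RE.finditer(line):
            key, pw = m.groups()
            if pw.lower() not in PLACEHOLDERS:
                findings.append((path, no, f"assignment {key}", mask(pw)))
    return findings


# Constructed sample file contents; the host and credentials are invented.
SAMPLE = """\
# build script
FTP_HOST=files.example.invalid
ftp_password = "Hunter2-2020"
curl -T release.zip ftp://deploy:S3cretPw@files.example.invalid/uploads/
ftp_pass: changeme   # placeholder, should not be flagged
"""

if __name__ == "__main__":
    for path, no, kind, masked in scan_text(SAMPLE, "deploy.sh"):
        print(f"{path}:{no}: {kind} secret={masked}")
```

Wired into a pre-commit hook or a CI job over every file in the repository, the same function blocks the commit instead of just reporting it.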

        #64684
          Dave Rice
        Participant
          @ricedg
          Forumite Points: 7

          Behind all these is usually incompetence or an IT team stretched to breaking by lack of budget. Some COOs are still in the ‘if it ain’t broke, don’t fix it’ mode of patching.

          Thankfully I’ve always worked for on-the-ball organisations like BAE where the Security Team has governance over the IT teams in these matters, i.e. if Security say do it then it’s done. That’s not to say testing doesn’t happen (these guys are also very IT savvy), but in some circumstances the risk outweighs the potential pain from breaking something that can ultimately be fixed. You also cultivate your links into Microsoft, Oracle, AV provider, etc.

          It’s not difficult; it was one of my duties to patch 95% of the 25,000 PC estate within a week of Patch Tuesday, and that includes going through stringent change control procedures. You get a process going where everyone knows their role and is supported by senior management, and it becomes routine.

          I knew of another account where each patch had to be individually tested on every variation of their gold builds before they could be rolled out. My mate got hold of an old server he turned into a massive VM host but even then it’d be bumping into the next Patch Tuesday before he got anything done.

          I can think of only a single occasion when our method got caught out by a nasty patch, but the way you start small and ramp up meant that <2% of the PCs had been affected.

          #68816
          Ed P
          Participant
            @edps
            Forumite Points: 39

            Sorry for the necropost, but it looks like the SolarWinds hack most likely was China/N. Korea rather than Russia. My reasoning goes that there is probably a close relationship between Kaspersky and the Kremlin, yet Kaspersky has just revealed a previously unknown Active Directory attack (FoggyWeb) being used by the gang that hit SolarWinds and the US Government (including the US Justice Dept – remember the Huawei exec extradition!).

            El Reg link
