Just to add stupidity to the mix have a look at this piece:
The mind boggles - and probably is having a good belly laugh at the same time:
Coupled with the fact that your CIO is likely already asking if we are amongst their 300k customers creates a great opportunity for a "concentration of power" discussion.
SEC report has the more accurate numbers and possible attack vector listed below.
"SolarWinds values the privacy and security of its over 300,000 customers and is working closely with customers of its Orion products to address this incident. On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000..."
"SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools. SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system. SolarWinds also is investigating in collaboration with Microsoft as to whether any customer, personnel or other data was exfiltrated as a result of this compromise but has uncovered no evidence at this time of any such exfiltration."
@AndreaMoore Can you combine this thread with the already created thread please?
Sounds like network segmentation within the DOE helped out well here but we'll have to wait and see as this develops. I'd also suspect the age of some of those ICS/SCADA systems within the NNSA helped with segmentation as well.
"At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration," Hynes said in a statement. "When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”
"Microsoft also had its own products leveraged to attack victims, said people familiar with the matter. The U.S. National Security Agency issued a rare “cybersecurity advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems."
@rslade If you think the threads are fragmented in the Community about this topic, imagine what the FBI 'Crazy Wall' looks like right about now lol!
@rslade Thank you for the great post
For me, the best part is a link to the CISA document https://us-cert.cisa.gov/ncas/alerts/aa20-352a
The document has a great table in Appendix A. This table shows the tampered versions of the software and that the current version is not corrupt.
The software 2020.2.1 HF2 2020.2.15300.12901 was released last Tuesday night at 8 PM CST and has been installed globally to update and/or rebuild Orion from the ground up.
I take issue with the statement "does not guarantee the software is safe". How does anyone know that any software is safe? The best thing to do is to follow the security guidelines for the software. Here is the PDF
The weak password issue for SolarWinds "solarwinds123" was in November of 2019. On November 11-19-2019 Vinoth Kumar sent SolarWinds an email on the issue. On November 22 Vinoth received a reply that it was remediated. This does not excuse this issue. Every article I read makes it sound like this was still happening and not a year old.
Looks like a rogue developer set it back in 2019. Most articles on the password issue are clickbaity and lack the facts that this was over a year ago and it was corrected in a timely manner.
Found a recorded conversation and transcript on the Federal News Network discussing the need for System Security Engineers involved in the development process. Pretty much DevSecOps is what Ron Ross, senior fellow at the National Institute of Standards and Technology, is describing. I like how he breaks down Zero Trust by comparing it to a bad guy breaking into a house.
"You can have really strong locks on the front door of your house but if you leave the door open anytime during the day, and as you know, bad guy comes in the house and hides in the closet, you can lock the doors at night, and then the bad guy’s in the house. And so you then can have all of your valuables exposed inside the house or you can put a vault in every room in the house. So even though the bad guys in the house, they’re gonna have to go through every one of those vaults and try to get in and that’s very difficult. You can also hang the keys to the vault or the combinations can be posted somewhere in the house."
Seems like a common theme of DevSecOps and Zero Trust throughout the different articles for limiting damage in these kinds of attacks.
A great find, thank you - I can also use the analogy describing Zero Trust Security.
Thank you very much