OK, maybe the subject line is overkill, but one of the points to make here is that
it may be difficult to find information about large scale attacks because the
information gets fragmented. (Come to think of it, that's another security lesson
from CoVID-19: initially, to get all the information, you had to look for stories
about pneumonia, novel coronavirus, SARS-CoV-2, and so forth, before anyone
was talking about CoVID-19 or pandemic.)
Over on the ISC2 "community" (
https://community.isc2.org/ ) there is a fair
amount of discussion about the attack, but it is rather fragmented. There is
discussion of possible privacy implications:
https://community.isc2.org/t5/P/F/m-p/41658and a question about whether the "supply chain" aspect of this attack means it's a
bad idea to "whitelist" applications:
https://community.isc2.org/t5/T/S/m-p/41766(Definitely an important question. Whitelisting should be done carefully,
particularly with applications which require pervasive permissions, and, in this
case, it still would have been extremely difficult to detect the attack, since it was
properly signed and authenticated.) Some other discussions on the "community"
have been amalgamated, which might be seen as a good idea, except that they were
amalgamated under the topic title "FireEye Hacked,"
https://community.isc2.org/t5/Industry-News/FireEye-Hacked/m-p/41468which rather hides the fact that some of them were originally titled SolarWinds
(although nobody mentions Orion), or the fact that it's a developing story about
the Treasury, or attacks by a foreign government. (This is not assisted by the fact
that if you reply to a posting in the "community," your reply does not take the
title of the overall topic, but the specific posting you replied to.)
A few points to make about this specific attack. The first is that it is most likely
part of a much larger campaign. All indications are that the attack is carried out
by a nation-state level attacker, most likely Russia. The importance of it being
part of a larger campaign is that any system found to be affected by this specific
attack must be suspected of having been compromised in other, unknown, ways.
The facts known about the current attack suggest very careful attention to hiding
the existence of the compromise, which, undoubtedly, would also be applied to
other malware or intrusions by the same attacker.
There are, by now, many possible sources of information about this attack, many
very detailed and accurate. Possibly one of the best sources is from the US
government, who have been most concerned with and about the attack:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a and
https://cyber.dhs.gov/ed/21-01/As a very brief precis of the situation, the attacker managed to obtain credentials
to sign and promote an "update" to the SolarWinds Orion network management
tool. Since Orion requires a high level of access in order to diagnose and manage
network issues, this effectively makes it a Remote Administration Tool (RAT)
which the attackers turned into a Remote Access Trojan (RAT). You will notice
the similarity in the acronyms, which is quite deliberate. Any tool powerful
enough to help you out is also powerful enough to seriously mess you up. Remote
access, even for technical or management support, is a convenience, and
"convenience" is one of the major ways that malware gets introduced and can
operate most effectively.
SolarWinds has about 300,000 customers, but initial indications are that only
about 18,000 systems were seriously impacted. (This still does not guarantee that
the others are safe.) The attackers did appear to be targetting US government
systems. Oh, and FireEye, where they seem to have stolen some attack tools.
Some quick indicators to check for:
- the existence of a file C:\WINDOWS\SysWOW64\netsetupsvc.dll
- any network connections or traffic to a site avsvmcloud.com (This seems to
happen once, and then other connections are negotiated, so you may have to
check traffic back to March of 2020.)
If you are a SolarWinds customer, they are working on updates to remove the
malicious code.
====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
It appears that these hollow toys defied the babies'
expectations, as if they were thinking: There should be something
in there. Which means babies make the mental link between
intentional movement and the requirement for insides. They
already know that this life takes guts.
- Scientific American podcast by Christie Nicholson
victoria.tc.ca/techrev/rms.htm
http://twitter.com/rsladehttp://blogs.securiteam.com/index.php/archives/author/p1/https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
............
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
