[HN Gopher] SolarWinds: The more we learn, the worse it looks
___________________________________________________________________
SolarWinds: The more we learn, the worse it looks
Author : LinuxBender
Score : 87 points
Date : 2021-01-04 20:42 UTC (2 hours ago)
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
| djsumdog wrote:
| I'm glad there are others who are challenging the Russian
| narrative in here. I'm sure many of us watched the original SANS
| broadcast (which wasn't for public release; youtube-dl is a great
| tool. I download everything before I start watching it now before
| it disappears).
|
| In the SANS report a researcher tries to discredit people who claim
| this is CIA or a US state sponsored operation, yet also claims
| there is clear evidence of a "signature" from "Cozy Bear" ...
| what is this signature? Shell code? A known compiler flag?
| FireEye and SANS have released zero information on this or
| anything that connects things to Cozy Bear.
|
| Also from that report, there were excluded IP ranges that were
| all Microsoft IPs (not all of the Microsoft IPs, but all the
| ranges belonged to Microsoft).
|
| Vault 7 shows the NSA and CIA are involved in domestic operations
| (and if you go back far enough Church Committee) and there is a
| chance this was a US based State Actor. Let's not forget about
| STUX.
|
| The level of this attack was incredibly sophisticated. It had
| built-in delays for several days to avoid network sandboxing
| tests in the CI/CD pipeline. It was signed and released from
| Solarwinds CI/CD pipeline as well.
|
| Let's not dismiss Snowden so easily and not realize this could
| have been an American state actor as well (or even the UK, the EU
| or any other "ally" or enemy).
| lemonspat wrote:
| So your theory is, because they didn't release the Cozy Bear
| signatures, that it must be CIA/NSA? That's a huge stretch to
| the opposite side of the conspiracy. How do you explain the
| hacking of the Treasury and other government agencies in your
| scenario?
| djsumdog wrote:
| I'm just wondering what the hell a "signature" is in this
| context? You think Cozy Bear is leaving their name in the
| binary? It's just a lot of security-by-obscurity hand waving.
| It's FireEye spewing out stuff as "facts" with very little
| evidence.
| fay59 wrote:
| Do you think that if FireEye shared with the public how they
| attributed it to Russia, Russia would make the same
| attributable mistakes again?
| PeterisP wrote:
| It's worth noting that from the perspective of the involved
| companies all this incident was much ado about nothing and no
| incentive to change anything.
|
| Sure, some of their customers or customers' customers got exposed
| to attackers, and some government secrets may have been lost, and
| some of their tech employees had to do a bit of overtime and
| "reputation was harmed", but so what, why should they care? Is
| there any material impact on the company finances? Currently it
| does not seem that it's going to destroy their future sales and
| ongoing licencing revenue, and it does not seem that they are
| going to have any huge liabilities for negligence.
|
| If anything, the consequences (or lack of them) to SolarWinds and
| other historical breaches are a good illustration that in the
| current business environment intentionally cutting corners on
| security is a smart move as it saves you money but if you get
| used to harm many others then you just shrug, do some apologetic
| PR and move on, and the impact of reputation damage is small and
| fleeting.
| hpoe wrote:
| I've started realizing this since the Equifax breach. There is
| no point for companies to take security seriously because what
| the flip does it matter for them? They'll boohoo about how bad
| it was, fire their security people, bring in new ones, and
| nothing will change.
|
| In short if you are in the security field at this point you
| aren't being brought in to secure or stop anything you're there
| for upper management to point the blame at when the attack does
| occur. Because spending money on security cuts into revenue and
| profits and unlike not investing in paying off technical debt
| this has no material consequences.
| intern4tional wrote:
| The article makes many jumps and some false claims.
|
| Example: _"Russia, we now know, used SolarWinds' hacked program
| to infiltrate at least 18,000 government and private networks.
| The data within these networks, user IDs, passwords, financial
| records, source code, you name it, can be presumed now to be in
| the hands of Russian intelligence agents."_
|
| Reality from the linked source: _"The breach is far broader than
| first believed. Initial estimates were that Russia sent its
| probes only into a few dozen of the 18,000 government and private
| networks they gained access to when they inserted code into
| network management software made by a Texas company named
| SolarWinds. But as businesses like Amazon and Microsoft that
| provide cloud services dig deeper for evidence, it now appears
| Russia exploited multiple layers of the supply chain to gain
| access to as many as 250 networks."_
|
| There's a big difference between 250 and 18000.
|
| Further it claims that the source code access is significant. As
| noted in this thread:
| https://news.ycombinator.com/item?id=25599210 all major
| Governments have had read access to the source code for Microsoft
| products for years.
|
| The hack is extremely serious and for that reason it merits
| accurate claims, response, and technical actions. Fearmongering
| like this article does to push an opinion piece is not it.
| dralley wrote:
| >There's a big difference between 250 and 18000.
|
| 18,000 networks were backdoored, but the Russians only chose to
| actively attack ~250 of the most "interesting" targets.
| Avoiding detection for as long as possible was deemed more
| important than e.g. exfiltrating data from cancer clinics in
| Indiana.
| PeterisP wrote:
| 18000 customers downloaded the backdoored version so the
| attackers got access and could have gone into any and all of
| these networks. As far as we know, they did move forward in 250
| or so and did not proceed with the others (presumably because
| of resource constraints) - but still all those 18000 networks
| were infiltrated by the malware, and if I was one of these
| 18000 companies then I would not just assume that we got
| skipped - so at the very least that should result in 18000
| careful audits to verify if the potential intrusion happened.
| djsumdog wrote:
| There was a 10~14 day time delay before it connected to its
| CNC. It minimized network traffic and was probably only
| activated for targets deemed worthy. People with a weapon
| like that don't want to be detected unless there is a viable
| target.
| intern4tional wrote:
| The malicious version had items in place that would cause it
| to not activate if certain anti-malware software is present
| or other environmental conditions were not met (like not
| joined to an Active Directory domain). This reduces the number from
| 18k to something less (still probably huge) but 18k is the
| max if perfect conditions are present.
|
| As for why the attackers did not proceed, resourcing probably
| had nothing to do with it and more along the lines of many of
| those customers were not interesting. Proceeding to load
| further malware stages in those uninteresting customers
| increases the chance of getting detected and given that the
| attacker was targeting long term persistent access to highly
| valuable targets, the attacker by design more likely simply
| left targets without valuable information alone.
| vehementi wrote:
| https://en.wikipedia.org/wiki/Solar_Winds the correct definition
| of solar winds
| recursive wrote:
| It's also the name of a company. https://www.solarwinds.com/
| lordnacho wrote:
| Kinda apt to name it after a phenomenon that causes
| communications outages
| _trampeltier wrote:
| Maybe Solarwinds is just another Crypto AG? The name a bad
| joke, who knows ;->
| JorgeGT wrote:
| Yes, like people using Icarus as a company/product name in
| the aerospace sector.
| blindm wrote:
| > Russia, we now know, used SolarWinds' hacked program to
| infiltrate at least 18,000 government and private networks.
|
| The question of whether it was Russia is not that interesting.
|
| This thing of countries blaming other countries for attacks is
| getting boring. In cyber, there are no borders. If something is
| vulnerable, it's vulnerable. You don't need the prerequisite of
| APTs or 'sophisticated nation state cyber threat actors' or
| whatever. Attribution is boring these days and so much emphasis
| on Russia as if we don't know already they have their fingers in
| so many American pies.
| naikrovek wrote:
| > This thing of countries blaming other countries for attacks
| is getting boring. In cyber, there are no borders.
|
| Technically correct, and very wrong in all other ways.
|
| Who performs the attack is a very real concern, because unlike
| some of us, the attackers likely have lofty goals in the real
| world which are aided greatly by their successes in "cyber."
|
| (I maintain that anyone who uses the word "cyber" seriously
| today doesn't understand what they're talking about, in
| virtually all cases. It's fine to not understand stuff, by the
| way. Just be open to learning more.)
|
| If Russia is able to find holes in Windows, the OS used by
| nearly every business on the planet, they will use those
| vulnerabilities to their advantage in whatever ways they
| require. They will obtain personal information about people,
| blackmail them, maybe. Who knows. Russia and others WANT to
| take down those who disapprove of them quite strongly. They
| potentially want to bring low anyone who has spoken bad about
| them publicly (if so, I'm screwed) or anyone who could have
| helped them in some way and chose not to. North Korea, Iran,
| Saudi Arabia, Russia (perhaps to a lesser extent) have real
| beefs with the US.
|
| Information gained via incredibly catastrophic breaches like
| this one give real countries with real weapons real leverage
| against others, potentially. _Especially_ if the vulnerability
| opens more doorways that would otherwise not have been
| accessible.
|
| I've been divorced twice. DO NOT UNDERESTIMATE the lengths that
| people will go for revenge for even the smallest slights. Some
| people get absolutely drunk on the slightest bit of power they
| have over others, and they know that, so they accumulate
| leverage against their enemies, real or imagined, continually
| in anticipation of a time when it will be useful.
|
| In short: this is a big deal. It matters who is behind it.
| coding123 wrote:
| Sure it might be boring to find out any specific hack is China
| or Russia, etc... but where that becomes important is the fact
| that whatever secrets that get stolen, the country does in fact
| matter. Think of it this way - if the government of the country
| you live in places a bounty of say ($2000 USD or that country's
| equivalent) for each top secret document - it both places a
| high value target on us, as well as revealing the things that
| they DON'T know. I mean, specifically do you know of the latest
| in Fort Knox's security protocols? Do you know the latest in
| high powered microwave weapons that we're developing (and how
| to make them)?
|
| These are things we really don't want additional countries
| knowing how to make.
| bastard_op wrote:
| Most every .gov workshop is a windows shop, and will mandate
| windows software, been here many times. Solarwinds is a good
| microsoft slave, and not horrible for network management
| software, but not so much up on security as selling software. I
| know several Solarwinds shops including 2 current customers
| struggling with whether to crap can it, or rebuild and move
| forward until the next atrocity. Dealing with Solarwinds for some
| 15 years, it's typical Windows software - not so much security,
| but sell more of all our things, get paid.
| x87678r wrote:
| Do we even really know it was Russia? Everything I've seen so far
| seems to assume that rather than have a confirmed link.
| 9wzYQbTYsAIc wrote:
| Not a good read - more like a rant, light on substance, and
| stretches some things.
| burnthrow wrote:
| > It's nice that Microsoft is admitting that the open-source
| approach is the right one for security -- something I and other
| open-source advocates have been saying for decades. But, inner
| source isn't the same thing as open source.
|
| I thought this was common knowledge, but in a previous related
| thread my comment saying the same was downvoted with some replies
| about how MS engineers are security gods or some such.
| Interesting to contrast mainstream tech coverage with HN's RSU
| echo chamber.
| A4ET8a8uTh0 wrote:
| I did notice that the initial coverage of the hack blamed open
| source tools ( which was interesting in itself ). I am not sure
| if I can ascribe it to malice though.
| anigbrowl wrote:
| This is a terrible article. It is just a rehash of information
| that was public 2 weeks ago with a couple of scare quotes. I
| should have known better than to expect news from zdnet though.
| ed25519FUUU wrote:
| > _Russia, we now know, used SolarWinds' hacked program to
| infiltrate at least 18,000 government and private networks. The
| data within these networks, user IDs, passwords, financial
| records, source code, you name it, can be presumed now to be in
| the hands of Russian intelligence agents._
|
| Yep. I'm SURE it was just Russia. It's not like our government is
| perfectly happy squirreling away CVEs so our own intelligence
| agencies can exploit them themselves.
___________________________________________________________________
(page generated 2021-01-04 23:00 UTC)