Evidently MFA isn’t foolproof.

https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/

 

 

From: AF <[email protected]> On Behalf Of Steve Jones
Sent: Wednesday, December 16, 2020 12:58 AM
To: AnimalFarm Microwave Users Group <[email protected]>
Subject: Re: [AFMUG] Fireye

 

Yeah I read about the cname updates and all that. I don't think it's malicious, I 
just think it's odd that Microsoft, or any single private company, has an 
authority that technically no nation was supposed to have. I assume somewhere 
in the bylaws was a mechanism to corral a troublesome domain.

 

I have no faith this was Russia because FireEye says it was; they can't even 
identify suspicious traffic leaving their own network, and that's literally 
their purpose in life. We will never know the depth of this thing.

 

Saw another article that the SolarWinds update server was identified as exposed last 
year with an account password of solarwinds123. The article alluded that that 
was likely the time of the initial hijack.

 

It's crazy to think the billions invested among the 18000 impacted 
organizations on security and it was that thin of a wall between "us" and 
"them". A critical component with single factor authentication and no password 
complexity policy. Even my Casey's app wants multifactor authentication now 
(sending the code to the same device logging in always seems funny to me).

 

Ope

 

On Wed, Dec 16, 2020, 12:24 AM Ken Hohhof <[email protected] 
<mailto:[email protected]> > wrote:

I think they’re saying what they do is go to a court or a government security 
agency.

 

The domain points to an IP address that is the command and control server for 
the malware.  They know the IP address, but I assume it’s important to take 
over the domain name so they can’t just change the IP address.  Many huge 
botnets have been shut down by taking over the domain name used for the C&C 
servers.  Those operations are almost always months long projects with 
government security agencies working with big companies like Microsoft.

 

You don’t always have to assume evil motives.  They aren’t trying to use the 
malware to snoop on people, they are trying to ID the compromised systems and 
notify the owners so they can do mitigation.  Don’t expect them to unearth a 
treasure trove of documents, it’s the Russians who probably got those.  You 
were hoping for Hillary’s emails, weren’t you.  And Jaime was hoping for 
Trump’s tax returns.
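Ken's point above (take over the C&C domain rather than just the IP address, then identify the compromised systems so their owners can be notified), as an added example that is not part of the original thread: a small Python check over DNS resolver log lines. The log format, the C2 domain name and every IP address here are placeholders I constructed (RFC 5737 documentation ranges), not indicators from the actual incident.

```python
"""Sinkhole-style detection over DNS resolver logs.

Added example, not from the mailing-list thread. Assumes a constructed
log format:  <timestamp> <client_ip> <queried_name> <answer_ip>
Domain and IP indicators are placeholders, not real IoCs.
"""
import ipaddress
from collections import defaultdict

# Placeholder indicators; a real case would use published IoCs.
C2_DOMAINS = {"c2-domain.example"}
C2_IPS = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample log. The last line shows the C2 operator moving the
# domain to a new IP address, which an IP-only match would miss.
SAMPLE_LOG = """\
2020-12-14T08:01:02Z 10.0.5.17 update.vendor.example 198.51.100.20
2020-12-14T08:01:09Z 10.0.5.17 c2-domain.example 203.0.113.10
2020-12-14T08:02:33Z 10.0.9.41 www.search.example 198.51.100.77
2020-12-14T08:03:10Z 10.0.9.41 c2-domain.example 203.0.113.10
2020-12-14T09:15:00Z 10.0.7.88 c2-domain.example 203.0.113.99
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qname, answer)."""
    ts, client, qname, answer = line.split()
    return (ts, ipaddress.ip_address(client),
            qname.lower().rstrip("."), ipaddress.ip_address(answer))


def is_c2_domain(qname):
    """True for the C2 domain itself or any label beneath it."""
    return any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS)


def find_compromised(log_text, match_on="domain"):
    """Return {client_ip: [timestamps]} for hosts that reached the C2.

    match_on="domain" keys on the queried name (survives IP changes);
    match_on="ip" keys only on the answer address, for comparison.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = parse_line(line)
        matched = is_c2_domain(qname) if match_on == "domain" else answer in C2_IPS
        if matched:
            hits[str(client)].append(ts)
    return dict(hits)


if __name__ == "__main__":
    # Owners of the hosts listed under "domain match" are the ones to notify.
    print("domain match:", sorted(find_compromised(SAMPLE_LOG, "domain")))
    print("ip match:    ", sorted(find_compromised(SAMPLE_LOG, "ip")))
```

Run against the constructed log, the domain match lists three internal hosts while the IP-only match lists two: the host that resolved the domain after the operator moved it to a new address is only caught by keying on the name, which is exactly why control of the domain matters more than knowing the current IP.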

 

From: AF <[email protected] <mailto:[email protected]> > On Behalf 
Of Steve Jones
Sent: Tuesday, December 15, 2020 11:34 PM
To: AnimalFarm Microwave Users Group <[email protected] <mailto:[email protected]> >
Subject: Re: [AFMUG] Fireye

 

I still don't understand how a private company gets the authority. It's good 
that someone does, but it defeats the concept of no direct ownership of DNS. I 
take great exception to Microsoft or any firm being able to collect any info 
that isn't immediately shared, victim-identifying info excluded.

 

On Tue, Dec 15, 2020, 9:52 PM Ken Hohhof <[email protected] 
<mailto:[email protected]> > wrote:

This article discusses the domain takeover.

https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

 

 

 

From: AF <[email protected] <mailto:[email protected]> > On Behalf 
Of Steve Jones
Sent: Tuesday, December 15, 2020 9:34 PM
To: AnimalFarm Microwave Users Group <[email protected] <mailto:[email protected]> >
Subject: Re: [AFMUG] Fireye

 

How does Microsoft wield the authority to take over domains?

 

On Mon, Dec 14, 2020, 9:58 PM Steve Jones <[email protected] 
<mailto:[email protected]> > wrote:

Wow

I wonder if Orion allowed disabling the quality improvement. I always disable 
it on anything that lets me. 

I'm not quite sure why FireEye is still leading this charge; it's kind of like 
letting a leper check your prostate.

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

 

On Mon, Dec 14, 2020, 2:35 PM Steve Jones <[email protected] 
<mailto:[email protected]> > wrote:

Lol, doublecheck for what though?

 

 

So now FireEye says it was the SolarWinds hack that breached them.

 

https://www.usatoday.com/story/tech/2020/12/14/fireeye-solarwinds-hack-breach-cybersecurity-attack/6538645002/

 

Granted I doubt USA today "journalists" know much about what they're writing 
about.

 

This makes the "Russia did it" claims on FireEye's part even more suspect, since 
they don't have the forensics of SolarWinds, unless they are the security of 
SolarWinds.

 

This is going to be a fascinating thing to watch play out.

 

I don't think most in the media realize this isn't a read-only thing. The Orion 
components we were looking at required write access and administrative 
credentials. And that's a tiny podunk WISP.

 

On Mon, Dec 14, 2020, 2:08 PM Ryan Ray <[email protected] 
<mailto:[email protected]> > wrote:

Lots of stuff runs under Orion.

 

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module (DPAIM)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

Network Performance Monitor (NPM)

Network Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SCM)

User Device Tracker (UDT)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)

 

If you're running any of those, double check your network asap. 

 

On Mon, Dec 14, 2020 at 12:02 PM Steve Jones <[email protected] 
<mailto:[email protected]> > wrote:

Their sales folks are definitely aggressive. At least it's currently only 
limited (known) to two Orion platforms. I'm really concerned about this: "...and 
intended to be a narrow, extremely targeted, and manually executed attack..." 
What does manually executed mean? Like some dude stuck a USB key in the DOS box 
running their whole operation?

 

SolarWinds asks customers with any of the below products for Orion Platform 
v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 
2020.2.1 HF 1 as soon as possible to ensure the security of your environment. 
This version is currently available at customerportal.solarwinds.com 
<https://customerportal.solarwinds.com/>. 

 

SolarWinds asks customers with any of the below products for Orion Platform 
v2019.4 HF 5 to update to 2019.4 HF 6, which will be available today, December 
14, 2020, at customerportal.solarwinds.com 
<https://customerportal.solarwinds.com/>. 

 

No other versions of Orion Platform products are known to be impacted by this 
security vulnerability. Other non-Orion products are also not known to be 
impacted by this security vulnerability. 

 

On Mon, Dec 14, 2020 at 1:53 PM Ryan Ray <[email protected] 
<mailto:[email protected]> > wrote:

This is a big deal. Solarwinds Orion is a product used in many of the Top 100 
companies in the world. Including tons of healthcare.

 

I dislike Solarwinds for many reasons and refused to use them even before this 
hack. Just add another reason to the list.

 

 

 

On Mon, Dec 14, 2020 at 11:49 AM Steve Jones <[email protected] 
<mailto:[email protected]> > wrote:

So I'm reading this now that SolarWinds updates have been delivering payloads 
since June or July. SolarWinds having crazy levels of access to interior 
infrastructures.

 

I'm not sure what this is saying; it sounds like what FireEye isn't saying 
outwardly is that their toolset was stolen prior to that, and that was how they were 
able to circumvent the SolarWinds security infrastructure, as SolarWinds 
relied on FireEye?

 

Anybody come across any good detail on SolarWinds impacted software? Like if 
you downloaded the free subnet calculator, will they be taking your Google Home 
account too? Imma be pretty pissed if they mess with my Google Play playlists.

 

I wonder if the disruptions with office365 and the weird spam filter changes 
lately are related to cleanup prior to publication.

 

We are a tiny company and got within a hair of pulling the trigger on various 
SolarWinds offerings over the years. That's with tiny company, tiny budgets. I 
can't imagine the CTO voicemails going down around the world today. Depending on 
budget, you hand the keys over to SolarWinds, and by design, with each key you hand 
over it makes sense to spend a little more and hand over another key. How would 
you even begin to clean up your organization when the systems that would 
provide you your forensics are the systems that did the damage?

 

Is this just media hype and more "Russia, Russia, Russia", or is this as big of a 
deal as it seems?

 

On Mon, Dec 14, 2020 at 9:01 AM dave <[email protected] 
<mailto:[email protected]> > wrote:

DA HUMANITY!!




On 12/14/20 8:58 AM, Ken Hohhof wrote:

I had a customer this morning complaining she couldn’t “sign on” to the 
Internet.  I mentioned that Google had an outage this morning, but she 
responded that she doesn’t use any Google services.  Of course her email was 
from a Gmail address.

 

 

From: AF  <mailto:[email protected]> <[email protected]> On Behalf 
Of Mike Hammett
Sent: Monday, December 14, 2020 6:54 AM
To: AnimalFarm Microwave Users Group  <mailto:[email protected]> <[email protected]>
Subject: Re: [AFMUG] Fireye

 

"I know I'm next, they're coming after my google home mini and my netflix 
account."

 

 

aaaaannnndddd  Google is broken this morning.

 



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/> 
 <https://www.facebook.com/ICSIL>  
<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>  
<https://www.linkedin.com/company/intelligent-computing-solutions>  
<https://twitter.com/ICSIL> 
Midwest Internet Exchange <http://www.midwest-ix.com/> 
 <https://www.facebook.com/mdwestix>  
<https://www.linkedin.com/company/midwest-internet-exchange>  
<https://twitter.com/mdwestix> 
The Brothers WISP <http://www.thebrotherswisp.com/> 
 <https://www.facebook.com/thebrotherswisp>  
<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> 





  _____  


From: "Steve Jones" <[email protected] 
<mailto:[email protected]> >
To: "AnimalFarm Microwave Users Group" <[email protected] 
<mailto:[email protected]> >
Sent: Sunday, December 13, 2020 9:57:21 PM
Subject: Re: [AFMUG] Fireye

Nope, per FireEye, the toolset had to be released because of it being stolen; it 
was not "in the wild".

 

Going to get really interesting to see what comes of this, two federal agencies 
just happen to get hit shortly after. You can do plenty when you know how you 
would have otherwise been caught.

 

And that's all FireEye admits to having been breached. I'm gonna go ahead and 
not take their word on it definitively having been Russia either. Convenient 
timing after Iran specifically has stated they're going to retaliate for the 
dead scientist. China will probably confirm this shortly.

 

Pretty sure this is far from over and pretty sure this company is just the 
first to go public.

 

I know I'm next, they're coming after my google home mini and my netflix 
account.

 

On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof <[email protected] 
<mailto:[email protected]> > wrote:

Not saying you are wrong.

 

But I think I read somewhere that the FireEye tools that were stolen were a 
collection of malware already in the wild that they used for testing of client 
networks.  So it was stuff already available, just neatly packaged.

 

The guys who really f’d up were the “Equation Group” (cough, cough, NSA) who 
lost novel and very powerful hacking tools like Eternal Blue to the Shadow 
Brokers group.

 

From: AF <[email protected] <mailto:[email protected]> > On Behalf 
Of Steve Jones
Sent: Sunday, December 13, 2020 8:45 PM
To: AnimalFarm Microwave Users Group <[email protected] <mailto:[email protected]> >
Subject: [AFMUG] Fireye

 

These guys F'd up beyond belief.

 

Inept, as Jaime would say.

-- 
AF mailing list
[email protected] <mailto:[email protected]> 
http://af.afmug.com/mailman/listinfo/af_af.afmug.com

