State-sponsored actors allegedly working for Russia have targeted the US Treasury and other agencies

Dharma

OT Supporter
Sep 24, 2004
22,013
State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

FireEye, which is tracking the ongoing intrusion campaign under the moniker "UNC2452," said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.


SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.


It also serves the major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.




 
Dharma

OT Supporter
Sep 24, 2004
22,013
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.

There's no such thing as "unhackable" other than an internet based on quantum physics.

Read an MIT story about how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
 

wizurd

OT Supporter
Mar 7, 2002
164,935
There's no such thing as "unhackable" other than an internet based on quantum physics.

Read an MIT story about how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.

Fuck ya feel my photons all over you
 

Cashishift

Well-Known Member
Dec 12, 2000
54,844
Omaha, NE
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.

ditto - we use SolarWinds extensively. Upgraded to HF1 a few weeks ago. Looks like I'll be on the horn with our security folks in the morning... as I manage SolarWinds right now :o
 

phat🐄

#meltdowns are NOT based off post count
Oct 9, 2002
43,796
Los Angeles, CA
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
 
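Added example for this thread (not code from FireEye, SolarWinds or any poster): a triage script for the DLL named in the quoted excerpt. It hashes the plugin and any leftover .msp, reads the Authenticode signer serial so it can be compared with the serial FireEye quotes, and does a raw byte search for the backdoor class name. Assumptions, marked in the comments: the default Orion install path, and that DLL hashes come from a published IOC list (only the .msp MD5 appears in the excerpt, and no other hash is invented here).

```powershell
# Added example for this thread (not code from FireEye, SolarWinds or any poster).
# ASSUMPTIONS: the default install path below, and that DLL hashes are supplied
# from a published IOC list (only the hotfix .msp MD5 appears in the excerpt).
param(
    # ASSUMPTION: default Orion install directory on the poller/web server.
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion',

    # Known-bad MD5s. The first entry is the .msp MD5 quoted above; add DLL
    # hashes from the vendor/FireEye IOC list. None are invented here.
    [string[]]$KnownBadMd5 = @('02af7cec58b9a5da1c542b5a32151ba1')
)

# Signer serial from the excerpt, in the colon-free uppercase form that
# Get-AuthenticodeSignature exposes as .SignerCertificate.SerialNumber.
$ReportedSerial = '0FE973752022A606ADF2A36E345DC0ED'

# Class named in the excerpt. .NET stores type names as UTF-8 in the #Strings
# metadata heap, so a plain byte search finds it without decompiling.
$BackdoorClass = 'OrionImprovementBusinessLayer'

function Test-OrionArtifact {
    param([Parameter(Mandatory)][string]$Path)

    $md5    = (Get-FileHash -Algorithm MD5    -Path $Path).Hash.ToLowerInvariant()
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $serial = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { '' }

    # Code page 28591 maps each byte to exactly one char, so the binary is
    # searched as-is instead of being decoded as UTF-8 or UTF-16.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $raw   = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    [pscustomobject]@{
        Path                 = $Path
        MD5                  = $md5
        SHA256               = $sha256
        SignatureStatus      = $sig.Status            # "Valid" on the trojanized build too
        SignedWithQuotedCert = ($serial -eq $ReportedSerial)
        HashInIocList        = ($KnownBadMd5 -contains $md5)
        BackdoorClassPresent = $raw.Contains($BackdoorClass)
    }
}

# The plugin DLL plus any hotfix package still sitting on disk.
$targets = Get-ChildItem -Path $OrionRoot -Recurse -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq 'SolarWinds.Orion.Core.BusinessLayer.dll' -or $_.Extension -eq '.msp' }

foreach ($t in $targets) {
    $r = Test-OrionArtifact -Path $t.FullName
    $r | Format-List
    if ($r.HashInIocList -or $r.BackdoorClassPresent) {
        Write-Warning "INDICATOR HIT on $($t.FullName): isolate this host, do not clean in place."
    }
}
```

The point the excerpt makes is the one this script is built around: SignatureStatus comes back Valid and SignedWithQuotedCert comes back True for the trojanized DLL, because SolarWinds signed it with its own certificate. Neither field clears a file. The hash match and the class-name string are the indicators, and the string check is a heuristic (a later clean build should not contain that class name, but confirm any hit against the vendor's published hashes before acting on it).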

FDT

dynamic island
Jan 3, 2006
51,920
PNW
There's no such thing as "unhackable" other than an internet based on quantum physics.

Read an MIT story about how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
 

emanuel

baby girl, how do I look in my durag?
OT Supporter
Oct 28, 2005
24,841
Los Angeles
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
What does this mean?
 

intro_vert13

fuck them kids
OT Supporter
Feb 26, 2005
34,080
an offshore haven somewhere
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
 
Dharma

OT Supporter
Sep 24, 2004
22,013


Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally:


a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
 
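Added example for this thread (not from the CISA directive or any poster): a host-level stopgap for step (a) above on an Orion server that cannot be unplugged the moment the directive lands. It records the installed Orion version for the rebuild ticket, then either disables the network adapters (the directive's actual instruction) or sets Windows Firewall to default-deny with allow rules only for internal ranges. Assumptions, marked in the comments: that the RFC 1918 ranges are your internal address space, and that the Uninstall registry entries' DisplayName begins with "SolarWinds".

```powershell
# Added example for this thread (not from CISA's directive). A host-level
# stopgap for step (a) of the quoted directive until the host is rebuilt.
# ASSUMPTION: the RFC 1918 ranges below are the enterprise's internal space.
param(
    [string[]]$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    # The directive's primary action is disconnect or power down. This switch
    # does the disconnect and will drop any remote session running the script.
    [switch]$DisconnectAdapters
)

function Block-ExternalTraffic {
    param([Parameter(Mandatory)][string[]]$Ranges)

    # Windows Firewall evaluates Block rules ahead of Allow rules, so "block
    # everything except internal" cannot be one Block rule plus exceptions.
    # It is a default-deny on every profile plus explicit Allow rules.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    New-NetFirewallRule -DisplayName 'IR-Orion-Internal-Out' -Direction Outbound `
        -Action Allow -RemoteAddress $Ranges -Profile Any -Enabled True
    New-NetFirewallRule -DisplayName 'IR-Orion-Internal-In'  -Direction Inbound `
        -Action Allow -RemoteAddress $Ranges -Profile Any -Enabled True
}

function Disconnect-Host {
    # Software equivalent of pulling the cable; run from a console/KVM session.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

# Capture what is installed so the rebuild ticket can be compared against the
# 2019.4 through 2020.2.1 HF1 range named in the directive.
# ASSUMPTION: the Orion uninstall entries' DisplayName starts with "SolarWinds".
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' `
                 -ErrorAction SilentlyContinue |
    Where-Object DisplayName -like 'SolarWinds*' |
    Select-Object DisplayName, DisplayVersion, InstallDate

if ($DisconnectAdapters) { Disconnect-Host } else { Block-ExternalTraffic -Ranges $InternalRanges }
```

Export the existing policy first (netsh advfirewall export) so it can be restored on the rebuilt host. The firewall path keeps internal admin access and internal DNS working while cutting the backdoor's route out; it is a bridge to the disconnect and rebuild the directive requires, not a replacement for them, and the host still must not be rejoined to the domain until CISA says so.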
