State-sponsored actors allegedly working for Russia have targeted the US Treasury and other agencies

Dharma

OT Supporter
Sep 24, 2004
22,618
State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

FireEye, which is tracking the ongoing intrusion campaign under the moniker "UNC2452," said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.


SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.


It also serves the major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

Dharma

OT Supporter
Sep 24, 2004
22,618
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.

There's no such thing as "unhackable" other than an internet based on quantum physics.

Read an MIT story about how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
 

wizurd

Engorged Member
OT Supporter
Mar 7, 2002
161,952
Las Vegas
There's no such thing as "unhackable" other than an internet based on quantum physics.

Read an MIT story about how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.

Fuck ya feel my photons all over you
 

Cashishift

Well-Known Member
Dec 12, 2000
60,031
Omaha, NE
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.

Ditto - we use SolarWinds extensively. Upgraded to HF1 a few weeks ago. Looks like I'll be on the horn with our security folks in the morning, as I manage SolarWinds right now :o
 

phat🐄

#meltdowns are NOT based off post count
Oct 9, 2002
55,629
Los Angeles, CA
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
 

FDT

no custer shit
OT Supporter
Jan 3, 2006
54,909
PNW
There's no such thing as "unhackable" other than an internet based on quantum physics.

Read an MIT story about how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
 

emanuel

baby girl, how do I look in my durag?
Oct 28, 2005
25,187
SoCal
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

What does this mean?
 

intro_vert13

∞/21M
OT Supporter
Feb 26, 2005
35,840
an offshore haven somewhere
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Dharma

OT Supporter
Sep 24, 2004
22,618

Good lord


Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally:


a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
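A triage helper for the two quoted passages above (the hotfix MSP hash in the FireEye excerpt and the version range in the CISA directive), added here as an example; it is not code from FireEye, CISA or SolarWinds. It assumes the directive's "2019.4 through 2020.2.1 HF1" can be treated as one inclusive ordered interval, and the hostnames in the sample inventory are constructed.

```python
import hashlib
import re

# MD5 of the trojanized hotfix MSP named in the FireEye excerpt quoted above.
KNOWN_BAD_MSP_MD5 = "02af7cec58b9a5da1c542b5a32151ba1"
# Range as the CISA directive states it, 2019.4 through 2020.2.1 HF1, treated
# here as one inclusive ordered interval (an assumption of this example).
AFFECTED_LOW = (2019, 4, 0, 0)
AFFECTED_HIGH = (2020, 2, 1, 1)
# Orion versions look like "2019.4", "2020.2.1" or "2020.2.1 HF1".
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF(\d+))?$", re.I)

def parse_orion_version(text):
    """Map '2020.2.1 HF1' to (year, minor, patch, hotfix); absent parts are 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))

def is_affected_version(text):
    """True when the version sits inside the directive's inclusive range."""
    return AFFECTED_LOW <= parse_orion_version(text) <= AFFECTED_HIGH

def md5_hex(data):
    """Hex MD5 of package bytes (MD5 because that is what the report publishes)."""
    return hashlib.md5(data).hexdigest()

def is_known_bad_package(data):
    """True when the package bytes hash to the MSP named in the report."""
    return md5_hex(data) == KNOWN_BAD_MSP_MD5

def hosts_to_isolate(inventory):
    """inventory: iterable of (hostname, version string) -> hosts in range."""
    return [host for host, ver in inventory if is_affected_version(ver)]

# Constructed sample inventory (hypothetical hostnames) for a stand-alone run.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF1"),  # top of the range: affected
    ("orion-prod-02", "2019.4 HF5"),    # inside the range: affected
    ("orion-lab-01", "2020.2.1 HF2"),   # above the range: not affected
    ("orion-old-01", "2018.4"),         # below the range: not affected
]

if __name__ == "__main__":
    for host in hosts_to_isolate(SAMPLE_INVENTORY):
        print(f"disconnect {host} pending CISA guidance")
```

Feed `hosts_to_isolate` an export of your real Orion inventory, and run `is_known_bad_package` over the bytes of any downloaded hotfix MSP before it reaches an installer.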
