State-sponsored actors allegedly working for Russia have targeted the US Treasury and other agencies

Dharma

Dharma

OT Supporter
Sep 24, 2004
22,013
State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

FireEye, which is tracking the ongoing intrusion campaign under the moniker "UNC2452," said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.


SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.


It also serves the major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

solarwinds-backdoor.jpg


Security Advisory | SolarWinds

This page covers the SolarWinds response to both SUNBURST and SUPERNOVA, and the steps we are taking in response to these incidents.
www.solarwinds.com

thehackernews.com

US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor

The U.S. government Agencies and cybersecurity firm FireEye were hacked using SolarWinds software supply chain attack
thehackernews.com thehackernews.com
 
TS
TS
Dharma

Dharma

OT Supporter
Sep 24, 2004
22,013
Capt. Hammer said:
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.
Click to expand...

there's no such thing as ''un hackable'' other than an internet based on quantum physics.

Read an mit story how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
 
wizurd

wizurd

OT Supporter
Mar 7, 2002
164,935
Dharma said:
there's no such thing as ''un hackable'' other than an internet based on quantum physics.

Read an mit story how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
Click to expand...

Fuck ya feel my photons all over you
 
Cashishift

Cashishift

Well-Known Member
Dec 12, 2000
54,844
Omaha, NE
Capt. Hammer said:
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.
Click to expand...

ditto - we use solarwinds extensively. Upgraded to HF1 a few weeks ago. Looks like Iā€™ll be on the horn with our security folks in the morning.. as I manage Solarwinds right now :o
 
  • Wow
Reactions: Dharma
phatšŸ„

phatšŸ„

#meltdowns are NOT based off post count
Oct 9, 2002
43,796
Los Angeles, CA
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWindsā€™s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
 
  • Wow
Reactions: vr6vdub
FDT

FDT

dynamic island
Jan 3, 2006
51,920
PNW
Dharma said:
there's no such thing as ''un hackable'' other than an internet based on quantum physics.

Read an mit story how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
Click to expand...
1607930646107.gif
 
  • Haha
Reactions: intro_vert13
emanuel

emanuel

baby girl, how do I look in my durag?
OT Supporter
Oct 28, 2005
24,841
Los Angeles
phatšŸ„ said:
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWindsā€™s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
Click to expand...
What does this mean
 
intro_vert13

intro_vert13

fuck them kids
OT Supporter
Feb 26, 2005
34,080
an offshore haven somewhere
phatšŸ„ said:
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWindsā€™s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
Click to expand...
WRQBXSCnEFJIuxktnw.gif
 
  • Like
  • Haha
Reactions: stevezissou and Carrera
TS
TS
Dharma

Dharma

OT Supporter
Sep 24, 2004
22,013
Cashishift said:

Good lord
Click to expand...


Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally:


a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
 
Last edited:
  • Wow
Reactions: Carrera
You must log in or register to reply here.

Users who are viewing this thread

Total: 2 (members: 0, guests: 2)

About Us

  • Please do not post anything that violates any Local, State, Federal or International Laws. Your privacy is protected. You have the right to be forgotten. Site funded by advertising, link monetization and member support.
OT v15.13.2 Copyright Ā© 2000-2023 Offtopic.com
Served by fx.offtopic.com

Online statistics

Members online
364
Guests online
155
Total visitors
519
Totals may include hidden visitors.

Forum statistics

Threads
79,569
Messages
7,756,222
Members
87,082
Latest member
rinabilly158
Top Bottom