State-sponsored actors allegedly working for Russia have targeted the US Treasury and other agencies

Dharma

Dharma

OT Supporter
Sep 24, 2004
22,618
State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

FireEye, which is tracking the ongoing intrusion campaign under the moniker "UNC2452," said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.


SolarWinds' networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.


It also serves the major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

solarwinds-backdoor.jpg


Security Advisory | SolarWinds

www.solarwinds.com

thehackernews.com

US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor

The U.S. government Agencies and cybersecurity firm FireEye were hacked using SolarWinds software supply chain attack
thehackernews.com thehackernews.com
 
TS
TS
Dharma

Dharma

OT Supporter
Sep 24, 2004
22,618
Capt. Hammer said:
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.
Click to expand...

there's no such thing as ''un hackable'' other than an internet based on quantum physics.

Read an mit story how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
 
wizurd

wizurd

Engorged Member
OT Supporter
Mar 7, 2002
161,952
Las Vegas
Dharma said:
there's no such thing as ''un hackable'' other than an internet based on quantum physics.

Read an mit story how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
Click to expand...

Fuck ya feel my photons all over you
 
Cashishift

Cashishift

Well-Known Member
Dec 12, 2000
60,031
Omaha, NE
Capt. Hammer said:
Thanks for the heads up. Goddamn all these companies that are supposed to be top-tier getting their stuff compromised. Scary shit.
Click to expand...

ditto - we use solarwinds extensively. Upgraded to HF1 a few weeks ago. Looks like I’ll be on the horn with our security folks in the morning.. as I manage Solarwinds right now :o
 
  • Wow
Reactions: Dharma
phat🐄

phat🐄

#meltdowns are NOT based off post count
Oct 9, 2002
55,629
Los Angeles, CA
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
 
  • Wow
Reactions: vr6vdub
FDT

FDT

no custer shit
OT Supporter
Jan 3, 2006
54,909
PNW
Dharma said:
there's no such thing as ''un hackable'' other than an internet based on quantum physics.

Read an mit story how scientists transmit pairs of photons across fiber-optic cables in a way that absolutely protects the information encoded in them.
Click to expand...
1607930646107.gif
 
  • Haha
Reactions: intro_vert13
emanuel

emanuel

baby girl, how do I look in my durag?
Oct 28, 2005
25,187
SoCal
phat🐄 said:
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
Click to expand...
What does this mean
 
intro_vert13

intro_vert13

∞/21M
OT Supporter
Feb 26, 2005
35,840
an offshore haven somewhere
phat🐄 said:
:eek3: :eek3: :eek3: :eek3:

the supply chain was compromised :eek3::eek3::eek3:

Delivery and Installation
Authorized system administrators fetch and install updates to SolarWinds Orion via packages distributed by SolarWinds’s website. The update package CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp (02af7cec58b9a5da1c542b5a32151ba1) contains the SolarWinds.Orion.Core.BusinessLayer.dll described in this report. After installation, the Orion software framework executes the .NET program SolarWinds.BusinessLayerHost.exe to load plugins, including SolarWinds.Orion.Core.BusinessLayer.dll. This plugin contains many legitimate namespaces, classes, and routines that implement functionality within the Orion framework. Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor. Code within the logically unrelated routine SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager.RefreshInternal invokes the backdoor code when the Inventory Manager plugin is loaded.

SolarWinds.Orion.Core.BusinessLayer.dll is signed by SolarWinds, using the certificate with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e:34:5d:c0:ed. The file was signed on March 24, 2020.
Click to expand...
WRQBXSCnEFJIuxktnw.gif
 
  • Like
  • Haha
Reactions: stevezissou and Carrera
TS
TS
Dharma

Dharma

OT Supporter
Sep 24, 2004
22,618
Cashishift said:

cyber.dhs.gov - Emergency Directive 21-01

A site for cybersecurity directives and implementation guidance, from the Cybersecurity and Infrastructure Security Agency.
cyber.dhs.gov

Good lord
Click to expand...


Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain. Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available. Additionally:


a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
 
Last edited:
  • Wow
Reactions: Carrera
You must log in or register to reply here.

Users who are viewing this thread

Total: 2 (members: 0, guests: 2)

About Us

  • Please do not post anything that violates any Local, State, Federal or International Laws. Your privacy is protected. You have the right to be forgotten. Site funded by advertising, link monetization and member support.
OT v15.8.1 Copyright © 2000-2022 Offtopic.com
Served by fu.offtopic.com

Online statistics

Members online
135
Guests online
31
Total visitors
166
Totals may include hidden visitors.

Forum statistics

Threads
369,610
Messages
16,900,075
Members
86,875
Latest member
Theodor
Top Bottom