posted by sillBag +240 / -0

Hey Pede's

I have worked as a Network Engineer the better majority of the past 20 years of my life.

I am CCNA, SolarWinds Certified Pro, Network General Sniffer Certified Expert... among others.

I want to bring attention to the level of danger of something like SolarWinds being hacked by foreigners.

SolarWinds is a network management application that grants immense capabilities and incredible monitoring.

Some of these are:

  • Physical Network Diagram (Viewed live, like a Network Map) for both LAN and WAN networks.
  • WAN and LAN network monitoring from physical layer all the way up through the application layer. This includes SNMP access to all devices on the network (if configured this way), which gives SolarWinds an unconscionable amount of authority and power to alter configurations on those network devices.
  • Packet Sniffing, and Capturing. Can watch traffic in real time, and capture the packets.

This is just a short list of capabilities. It goes far more in-depth than this, down to the applications themselves: SQL databases, web traffic, email server traffic and packets are all monitorable with SolarWinds.

This is very bad, Pede's. I worry very, very much how much damage was done.

That is all.

Comments (56)
sillBag [S] 6 points ago +6 / -0

It really depends. If the US Govt's network devices and servers have SNMP enabled (and also if the servers have the SolarWinds agent client installed on the server)... then yes, classified information could have been obtained through SolarWinds. Quite easily.

That being said, I would hope the US Govt would not use those aspects of SolarWinds. I am hopeful they were only using the network link up/down monitoring, which is just a simple tool network operation centers use to quickly detect and isolate network-related problems when they arise.

SPONGE 3 points ago +3 / -0

Data collected by SNMP could be useful in an orchestrated hack but is limited in terms of usefulness. What no one seems to have highlighted is that the SolarWinds suite includes hardware and software inventory collection and goes beyond basic SNMP 'monitoring'. Inventory collection uses network- or infrastructure-wide elevated permissions to gain access to every device on a network in order to scan hard drives (mainly for scheduled software licensing audits). Device audits include servers in most networks too. Basically speaking, if a SolarWinds suite is compromised the attacker may well be able to farm admin-level login credentials for EVERY device on a network.

sillBag [S] 2 points ago +2 / -0

This was what I was getting at involving the SolarWinds agent most clients will have installed. Hopefully NOT the government.

That being said, with SNMP alone network configuration changes can be made, if it is not set to read-only.

If it is read-only, you only gain access to general statistics.

Most network operators will enable SNMP on the network devices though, which is worrisome. That's where I worry about Level3.net and the like.

SPONGE 1 point ago +1 / -0

The default 'public' string is read-only. It is usually enabled by default on all computers. Low risk. If you want to get hold of server or machine data/files you'd need credentials. Network- or company-wide changes are usually rolled out with Group Policies.
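Added example, not part of any comment in this thread and not SolarWinds code: the read-only versus read-write distinction the two commenters above are arguing about is visible in the SNMP packet itself. A GetRequest (PDU tag 0xA0) only reads a value; a SetRequest (0xA3) changes one, and in SNMPv1/v2c the community string that authorizes it travels in cleartext. The Python below is a minimal BER codec that parses a captured v1/v2c packet and flags SetRequests and default community strings. The two packets are constructed inline by the encoder at the top so it runs offline; the OIDs 1.3.6.1.2.1.1.1.0 (sysDescr) and 1.3.6.1.2.1.1.5.0 (sysName) are standard MIB-2 objects, and "core-rtr-01" is a made-up hostname.

```python
"""Minimal SNMPv1/v2c BER encoder/decoder for inspecting captured packets (added example)."""

# Context-specific constructed PDU tags defined by the SNMP protocol
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
DEFAULT_COMMUNITIES = {b"public", b"private"}  # vendor defaults, read-only / read-write


def _tlv(tag, body):
    """BER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    """ASN.1 INTEGER, minimal two's-complement encoding (non-negative here)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed, rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def build_snmp(community, pdu_tag, request_id, varbinds):
    """Encode a v2c message; varbinds is a list of (dotted OID, encoded value)."""
    vbl = b"".join(_tlv(0x30, _oid(o) + val) for o, val in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(1) + _tlv(0x04, community) + pdu)  # version 1 == v2c


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_snmp(packet):
    """Return version, community, PDU type, request-id and the OIDs touched."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)  # error-status
    _, _, p = _read_tlv(pdu, p)  # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community, "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True), "oids": oids}


def classify(packet):
    """Findings a NOC/SOC would alert on: writes, default communities, cleartext auth."""
    m = parse_snmp(packet)
    findings = []
    if m["pdu"] == "SetRequest":
        findings.append("SetRequest: read-write community in use, config change possible")
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string %r on the wire" % m["community"].decode())
    if m["version"] in (0, 1):
        findings.append("v1/v2c: community string is cleartext (v3 is not parsed here)")
    return m, findings


# Constructed sample packets, not real captures
GET_SYSDESCR = build_snmp(b"public", 0xA0, 42, [("1.3.6.1.2.1.1.1.0", b"\x05\x00")])
SET_SYSNAME = build_snmp(b"private", 0xA3, 43,
                         [("1.3.6.1.2.1.1.5.0", _tlv(0x04, b"core-rtr-01"))])

if __name__ == "__main__":
    for pkt in (GET_SYSDESCR, SET_SYSNAME):
        meta, found = classify(pkt)
        print(meta["pdu"], meta["community"], meta["oids"], found)
```

The read-only 'public' GetRequest produces only the default-community and cleartext findings; the 'private' SetRequest additionally trips the write finding, which is the case that matters for the "config changes via SNMP" point above. On a real capture you would feed the UDP payload of port 161 traffic into classify() per packet.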