707
Comments (114)
42
tjsherod 42 points ago +42 / -0

“ CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources.”

Yeah, if that's the case this is a BIG deal. You get access to a highly privileged domain account and you can destroy or intercept A LOT. Especially since, if the organization is using anything Office 365/Azure, the environment credentials are synced locally and to the cloud directory. Hybrid environments are hit extra hard in this case.
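An added example, not from the thread or from CISA, of what a defender could look for in the scenario that advisory quote describes: scanning directory audit records for credential additions to privileged accounts and for actors who repeat the pattern. The record shape, the role names and the operation strings are assumptions modelled loosely on Azure AD audit activity names, and the sample events are constructed.

```python
from collections import Counter

# Constructed sample audit records (not real logs). Field names and operation
# strings are assumptions modelled loosely on Azure AD audit activity names;
# adapt the mapping to your own log source.
SAMPLE_EVENTS = [
    {"ts": "2020-12-13T02:14:00Z", "op": "Add service principal credentials",
     "actor": "svc-orion", "target": "GlobalAdminApp",
     "target_roles": ["Global Administrator"]},
    {"ts": "2020-12-13T02:16:00Z", "op": "Reset user password",
     "actor": "svc-orion", "target": "da-backup",
     "target_roles": ["Domain Admins"]},
    {"ts": "2020-12-14T10:05:00Z", "op": "Update user",
     "actor": "helpdesk1", "target": "jdoe", "target_roles": []},
    {"ts": "2020-12-14T10:07:00Z", "op": "Add service principal credentials",
     "actor": "devops-pipeline", "target": "BuildApp",
     "target_roles": ["Reader"]},
    {"ts": "2020-12-15T01:30:00Z", "op": "Add service principal credentials",
     "actor": "svc-orion", "target": "GlobalAdminApp",
     "target_roles": ["Global Administrator"]},
]

# Operations that attach a new way to authenticate as the target account.
CREDENTIAL_OPS = {"Add service principal credentials", "Reset user password"}
# Roles whose holders reach both on-prem and cloud resources in a hybrid tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins", "Enterprise Admins"}
# Accounts expected to add credentials (e.g. a vetted PIM workflow); assumption.
ALLOWED_ACTORS = {"pim-workflow"}


def flag_privileged_credential_adds(events):
    """Return one alert per credential-adding operation on a privileged target."""
    alerts = []
    for e in events:
        if e["op"] not in CREDENTIAL_OPS or e["actor"] in ALLOWED_ACTORS:
            continue
        hit_roles = PRIVILEGED_ROLES.intersection(e["target_roles"])
        if not hit_roles:
            continue
        alerts.append({"ts": e["ts"], "actor": e["actor"],
                       "target": e["target"], "roles": sorted(hit_roles)})
    return alerts


def repeat_actors(alerts, threshold=2):
    """Actors behind at least `threshold` alerts; the same actor seeding
    credentials on several privileged accounts is the persistence pattern."""
    counts = Counter(a["actor"] for a in alerts)
    return sorted(actor for actor, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = flag_privileged_credential_adds(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["actor"]} -> {a["target"]} ({", ".join(a["roles"])})')
    print("repeat actors:", repeat_actors(found))
```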

20
deleted 20 points ago +20 / -0
21
tjsherod 21 points ago +21 / -0

Meanwhile, your 'fun' is completely under the radar in terms of spreading the malicious code, because it appears as standard network traffic for SolarWinds.

15
artman33 15 points ago +15 / -0

You mean like if they were using Excel 365 for manipulating Dominion CSV file vote totals.

13
tjsherod 13 points ago +13 / -0

I wish I could laugh at that...

5
artman33 5 points ago +5 / -0

Well, imagine if someone, for example, an Elections Chief, somewhere for example, maybe in Milwaukee, were to "lose" an Elections Flash Drive inside an internet connected vote tabulator...for many hours.

Does this have anything to do with stuff like that? Does this have to do with any sort of technological "air gap" that they promised was in place?

Forgive my ignorance, as I'd only heard of this Solarwinds a few days ago, and I am genuinely curious.

2
Eljefe 2 points ago +2 / -0

The assumption would have to be made that a Solarwinds compromised device, or one that has had lateral movement, was on the same network and internet accessible as these voting machines. Theoretically at that point they could do anything over the local network.

4
GEOTUSSCOTUS 4 points ago +5 / -1

We have videos. It's all coming together right now.

5
DemandVoterID 5 points ago +5 / -0

That's a pretty standard persistence mechanism, we see that shit all the time. Backdooring Orion is damn near keys to the kingdom already...the JV squad can do that in their sleep.

4
Dragofireheart 4 points ago +4 / -0

Holy shit, they got access to Active Directory domain accounts?

They literally had access to anything. Once they get admin access, they can grant themselves access and modify logs to hide what they did.

4
ngc6086 4 points ago +4 / -0

Kind of ironic. When the info came out I told a buddy that all the big users will be using SSO. And since they are, once in and a user is added, they will have access to all the cloud services and it will be a mess. This backs up my point that all the large installs probably feed netflow/sflow to SolarWinds and this can show data flows from one network to another. "We can see the data spikes for Dominion to Germany on Election Day and days after."

1
aconcernedtroll 1 point ago +1 / -0

You can mitigate it by rotating keys and expiring tokens. At my current job, we're forcibly signed out of email accounts on a daily basis so that we have to reauth with a new token.

37
Alpha_Lemming 37 points ago +37 / -0

As a SolarWinds specialist... this is as bad as I imagined it could be.

14
narvster 14 points ago +14 / -0

When I saw it could create valid SAML tokens you kind of know any SSO network is fucked.

4
Razorba1 4 points ago +4 / -0

I'm a SolarWinds SME... do you think we're going to move away from SolarWinds?

3
RobezTobez 3 points ago +3 / -0

Oh?

24
Alpha_Lemming 24 points ago +24 / -0

Yup. I have built systems with Cisco enable passwords and Windows AD admin accounts. Meaning if Orion is compromised, you have to check everything.

Imagine having Orion put a script on a server to tell every router on the network to delete its config file and reboot.

Everything goes dark at once and you have to touch each router to fix it.

Imagine a bank's debit card database backing up to the bad guys.

Shit like that.

4
Eljefe 4 points ago +4 / -0

I didn't want to upvote you, but you're right. Scary stuff.

2
johnny96816 2 points ago +2 / -0

"Imagine a bank's debit card database backing up to the bad guys." Thanks for the non-IT explanation.

32
Trumper007 32 points ago +32 / -0

So the guys that said this was the most secure election ever, who were hacked since March, now have an opinion. LOL. #BALLSY

5
Eljefe 5 points ago +5 / -0

Devil's advocate: They're compartmentalized and this report is coming from the legit 'whitehats' doing the work. The disgraced director was speaking out of turn, imo.

25
deleted 25 points ago +27 / -2
35
Star_Commander [S] 35 points ago +36 / -1

It is absolutely a state-based actor and only 3 groups are capable of pulling this off:

  1. USA (NSA Equation Group)
  2. Russia
  3. China

Given that we live in an Alex Jones world I have to include the USA as an option :/

16
peterstrzoked 16 points ago +16 / -0

Replace Russia with USA (CIA), then swap 1 and 2 for correct ranking of likelihood.

IMHO

24
Star_Commander [S] 24 points ago +24 / -0

I personally believe Russia is the LEAST likely attacker.

  1. The entire RUSSIA RUSSIA RUSSIA Joint Intelligence Brief, when analyzed by external agencies, actually showed it to be outdated UKRAINE UKRAINE UKRAINE malware. https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/

  2. China has been repeatedly shown to be the more sophisticated adversary against the US (see the OPM breach, the worst security breach in US history) https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

  3. China has more to gain for an intelligence gathering operation of this size and scope as it is currently the country we are primarily engaging in economic warfare against.

  4. China has also shown a propensity for penetrating cyber oriented companies before (see RSA hack) https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html

When you ask "Cui Bono", the clear person benefiting from an attack of this scope repeatedly shows up as China. https://en.wikipedia.org/wiki/PLA_Unit_61398

11
deleted 11 points ago +11 / -0
5
CovefeMonk 5 points ago +5 / -0

Which sent the American government and companies to a virtual networking situation on steroids. Pushed the virus, pushed the expansion of network access, hacked the network..

-2
Star_Commander [S] -2 points ago +1 / -3

Look, as someone who actually takes the time to understand scientific research papers, the potential of this being a bioweapon is incredibly low.

That said, one of the things my group of thinkers discussed on how it COULD HAVE BEEN A BIOWEAPON but disguised to avoid detection as one is setting up a situation where one can create ideal conditions for a spillover event and then stockpile your crossover when you get it. But to do that would require a level of human experimentation that we don't even think the Chinese would allow.

I admit that it is possible, but it is in the very low probability event range.

But in terms of deliberately engineered, the sequencing does not support that at all.

2
Eljefe 2 points ago +2 / -0

Genuine question, as I don't really have a strong opinion either way on the 'bioweapon' thing, what do you think of the CDC owning a patent on the coronavirus? I'll see if I can find the sauce.

Basically I saw a thread a few days ago saying either way this is illegal. Either it's a patent on 'nature', or it is a manufactured virus. Both are illegal to patent.

Edit: here it is... https://thedonald.win/p/11R4X9yoYV/fauci-is-soooooo-busted-on-covid/c/

1
Star_Commander [S] 1 point ago +1 / -0

That is fully outside the scope of my research. I can look into it, but it might be a while.

4
panthicc 4 points ago +4 / -0
  1. All major media outlets are pushing that it's Russia, so it's almost certainly not Russia.
4
deleted 4 points ago +4 / -0
1
Star_Commander [S] 1 point ago +1 / -0

You are correct, I didn't include them in the list simply because I didn't even think of them as a potential threat actor in this scenario even in the Very Low Probability Event range. That and so many people jump onto the anti-Semitic bandwagon these days I try not to give that crowd any extra ammo.

1
prayinpede 1 point ago +1 / -0
  1. 4chan
3
Star_Commander [S] 3 points ago +3 / -0

No, 4chan would have been bragging about having pulled off a righteous hack one week in.

1
SellTheSun 1 point ago +1 / -0

I don't think they were the culprit, but don't you think Unit 8200 could have pulled this off as well?

1
Star_Commander [S] 1 point ago +1 / -0

Potentially? Sure. But the backlash would be severe enough especially with the Dem BDS bloc out there that the potential benefits would be outweighed by the risks.

1
SellTheSun 1 point ago +1 / -0

Yes I agree, I don't think it was them. I should have rephrased my question, I just meant capability wise would they theoretically have the capability to do this.

The compromise of the software supply chain is the key here and is probably the scariest aspect.

1
slangin_paint 1 point ago +1 / -0

Is there not a third, much smaller nation that could also do this? One Alex Jones knows a lot about?

18
Pat4Evr 18 points ago +18 / -0

Think nosy spy with a master key and cloak of limited invisibility. It's bad, very, very bad.

1
deleted 1 point ago +1 / -0
10
narvster 10 points ago +10 / -0

COVID-19 in March 2020 would have made an amazing cover for this entry. IT departments would have been struggling to provide staff with home working solutions and all the infosec issues that come with that. Plus also struggling with IT staff unable to work next to each other, which makes a huge difference.

With their eyes off the ball dealing with that would have been the perfect time to slip in when people were much less likely to notice.

2
PlantBasedMeatball 2 points ago +2 / -0

There was an update roll out about that time also.

2
narvster 2 points ago +2 / -0

Makes you wonder doesn't it? 🤔

2
PlantBasedMeatball 2 points ago +2 / -0

I mean, yes, of course, but this house of cards was bound to fall at some point. The products are horrible; the corruption and money laundering is baked right in, along with multinational corps operating.

1
deleted 1 point ago +1 / -0
8
deleted 8 points ago +8 / -0
8
Riseup21 8 points ago +8 / -0

I'm not an IT guy but I read it. What does it mean?

22
Star_Commander [S] 22 points ago +22 / -0

Takeaways:

  1. There are more compromised products that haven't yet been publicly listed
  2. Threat actor is highly sophisticated and will monitor and respond to response, containment, mitigation attempts
  3. Just because you use the compromised products doesn't mean you were a target, you may just be collateral damage
  4. YOU MUST MAKE FORENSIC IMAGES OF AFFECTED SYSTEMS (INCLUDING SYSTEM MEMORY) FOR ANALYSIS TO BE SURE ONE WAY OR ANOTHER WHAT ACTUALLY HAPPENED AS THE MALWARE WILL ADAPT
  5. YOU MUST HAVE AN OPSEC PLAN INDEPENDENT OF YOUR ENTERPRISE FOR A VIABLE RESPONSE EFFORT

18
deleted 18 points ago +18 / -0
13
Star_Commander [S] 13 points ago +13 / -0

Krebs wasn't the problem here.

It isn't the job of CISA to be monitoring inside the networks of cyber response agencies for shit like this.

Keep in mind that CISA is still a nascent agency with limited powers and most of its powers are in giving guidance during the phases of preparedness.

It also has the limited authority to tell federal agencies to apply mitigation measures in the form of Emergency Directives.

We really don't want to give them the authority to sit on every network listening for crime.

I'm not a fan of Krebs and his election comments, but that doesn't make this event arrest worthy.

An arrest-worthy event would have been arresting Katherine Archuleta for the OPM hack when DISA revoked her agency's ATO for their entire network and she kept running vulnerable systems.

That event is why CISA now has the authority to mandate federal agencies to take action BTW.

4
deleted 4 points ago +4 / -0
4
Star_Commander [S] 4 points ago +4 / -0

But keep in mind those agencies this time were hacked as a result of the hackers compromising the very software that was supposed to protect them.

This hack is going to redefine enterprise cyber defense planning.

2
deleted 2 points ago +2 / -0
6
Star_Commander [S] 6 points ago +6 / -0

Even worse, gov ordered a standdown of SIPRNET.

https://justthenews.com/government/security/pentagon-imposed-emergency-shutdown-computer-network-handling-classified

To put that in perspective, the data Manning walked off with was on SIPRNET.

1
PlantBasedMeatball 1 point ago +1 / -0

SW is not technically an IDS, just an NMS, though very helpful for big network management.

3
deleted 3 points ago +3 / -0
4
deleted 4 points ago +5 / -1
2
Star_Commander [S] 2 points ago +2 / -0

He was also fired before we knew of this event and its extent.

He failed at election security. That is a separate issue from this.

3
Kongol626 3 points ago +3 / -0

The fact that you can bypass two-factor authentication or Duo's multi-factor authentication is mind-blowing to me. It's like the TV show Mr. Robot. Kinda cool. I always thought two-factor was secure as hell.

1
Star_Commander [S] 1 point ago +1 / -0

It is when used correctly.

NSA just released updated guidance on two factor authentication in response to this threat:

https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF

2
Riseup21 2 points ago +2 / -0

It seems it was so embedded and camouflaged it's virtually impossible to detect. Was it an inside job? How do they get the info out once they have what they want?

2
Star_Commander [S] 2 points ago +2 / -0

Based on the sophistication and that they are reviewing other products for similar infiltration it seems highly unlikely it was an inside job.

1
Riseup21 1 point ago +1 / -0

With this type of malware, what were the possible capabilities and what damage did they cause? This is how you know CISA was full of shit, right?

6
Star_Commander [S] 6 points ago +6 / -0

The possible capabilities are literally unlimited.

The possibilities include that they could have manipulated Dominion reporting in real-time if Dominion used that version of Orion or any of the other potential systems not yet listed.

That said, I am unconvinced that this was the method used for election interference, given we have so much physical evidence of fraud on tape. If they could have just leveraged this compromise, they would not have needed this.

It is far more likely that a Chinese or Russian actor used this to penetrate the networks of defense contractors and the military and government for the purpose of exfiltrating trade secrets, exfiltrating personnel information, and exfiltrating relevant sensitive economic data for the purpose of engaging in economic warfare.

1
Riseup21 1 point ago +1 / -0

With a LAN connection, could you put a wireless router in play to inject data seamlessly, or USB? Did you watch the Dominion CEO testify in Michigan? It sounds like they sell the machines and they're pretty much done with any maintenance etc. because they have no access anymore, and the states/county can choose whoever they want to maintain them etc.?

1
brutustyberius 1 point ago +1 / -0

What office in government would be responsible for safeguarding the integrity of the system? Could it be that this was local and the DNC was plugged in?

5
Star_Commander [S] 5 points ago +5 / -0

So everyone can hear me in the back:

THE GOVERNMENT IS NOT RESPONSIBLE FOR PROTECTING YOU, YOUR NETWORK, OR CYBERSECURITY AGENCIES.

The government in CISA has a specifically narrow scope in terms of cyber defense. It pertains to things like physical infrastructure, assisting organizations that are asking for help in preparedness/mitigation/response/recovery, assisting Federal/State/Local/Tribal in same, and providing publicly available guidance to all.

Just like the government isn't responsible for your safety (so buy a gun already and get training), the person responsible for protecting you online is YOU.

1
deleted 1 point ago +2 / -1
2
Riseup21 2 points ago +2 / -0

That's what's crazy. So many people like Krebs just shit on Trump, why? He now looks like an idiot because that would have been one of his jobs and he was infiltrated since March!!!!

-1
deleted -1 points ago +2 / -3
2
deleted 2 points ago +2 / -0
5
Star_Commander [S] 5 points ago +5 / -0

It means that everything you've heard so far is the tip of the fucking iceberg.

3
deleted 3 points ago +3 / -0
1
deleted 1 point ago +1 / -0
5
mintscape 5 points ago +6 / -1

This is bad, the CCP have access to everything. They have had it for months and already downloaded it, besides that loads of companies use Solarwinds garbage, so lots of IP theft also.

3
deleted 3 points ago +3 / -0
1
Star_Commander [S] 1 point ago +1 / -0

I don't keep up on this stuff. What is the Q reference here?

1
usernamenottaken 1 point ago +1 / -0

It's December 17 here. Add that to 17 pages...

3
UncleSteve_PedeHere 3 points ago +3 / -0

Someone please fucking ELI5

7
RustyJShackleford 7 points ago +7 / -0

It's bad. It's extensive. It looks like it goes beyond just SolarWinds but came in by other methods as well. Government and commercial servers watched for months and potentially under the control of someone else.

5
deleted 5 points ago +5 / -0
3
Digeratus 3 points ago +3 / -0

Wow. Using steganography to obfuscate C2 is pretty sophisticated.

3
RustyJShackleford 3 points ago +4 / -1

So who's gonna compare the employee list with the 2 million CCP member list?

3
deleted 3 points ago +3 / -0
1
usernamenottaken 1 point ago +1 / -0

Tick tock!

2
Star_Commander [S] 2 points ago +2 / -0

Ok, I've spent a couple hours answering questions as best I can on this, I'm logging out for a bit to actually accomplish some work.

Please ask any other questions you all may have and I'll try to get around to explaining as best I can the significance of this.

1
deleted 1 point ago +1 / -0
2
Star_Commander [S] 2 points ago +2 / -0

Surprisingly low. Our grid is highly segmented and in varying states, but one thing they are consistent on is not spending money on upgrades. A LOT of orgs I have talked with that used this software have been joking about the fact that while they use it they are several versions old simply because of the cost of the upgrades.

Security through not following security policy of upgrading and patching apparently sometimes works in our favor.

That said there are over 3000 separate power entities and if the right ones are hit in the right spots... it would be bad.

But it would be far easier to initiate a physical attack to achieve the same result far faster.

2
deleted 2 points ago +2 / -0
2
magadascar 2 points ago +2 / -0

I've seen analysis on the timestamps of the remote access activities to identify the timezone the attackers belong to. None has been reported so far...
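The timestamp analysis that comment refers to, as an added example that is not part of the thread: score every whole-hour UTC offset by how many sessions fall inside an assumed 09:00-17:59 working day and report the best fit, plus a weekend check under that offset. The session timestamps are constructed, and the result is only a weak signal, since an operator can work odd hours or deliberately shift activity.

```python
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps of interactive remote-access sessions (not real data).
SAMPLE_UTC = [
    "2020-06-01T01:05:00Z", "2020-06-01T03:40:00Z", "2020-06-01T06:10:00Z",
    "2020-06-02T01:30:00Z", "2020-06-02T04:20:00Z", "2020-06-02T07:30:00Z",
    "2020-06-03T02:15:00Z", "2020-06-03T05:00:00Z", "2020-06-03T08:45:00Z",
    "2020-06-04T09:30:00Z",
]

WORK_START, WORK_END = 9, 18  # assumed local working hours, 09:00-17:59


def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def work_hour_score(times, offset_hours):
    """Count sessions that land inside working hours when viewed in UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(1 for t in times if WORK_START <= t.astimezone(tz).hour < WORK_END)


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """Score every whole-hour offset; return the full table and the best offsets.
    Several offsets tie when the data is thin, so the best fit is a list.
    Treat the answer as a weak signal: timestamps can be shifted on purpose."""
    times = [parse_utc(s) for s in timestamps]
    scored = {off: work_hour_score(times, off) for off in offsets}
    best = max(scored.values())
    return scored, sorted(off for off, s in scored.items() if s == best)


def weekend_sessions(timestamps, offset_hours):
    """Sessions falling on Saturday/Sunday under the candidate offset; a high
    count argues against a normal office schedule in that zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(1 for s in timestamps if parse_utc(s).astimezone(tz).weekday() >= 5)


if __name__ == "__main__":
    table, best = rank_offsets(SAMPLE_UTC)
    for off in sorted(table, key=table.get, reverse=True)[:5]:
        print(f"UTC{off:+d}: {table[off]}/{len(SAMPLE_UTC)} sessions in working hours")
    print("best fit:", best, "weekend sessions:", weekend_sessions(SAMPLE_UTC, best[0]))
```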

2
trump2036 2 points ago +2 / -0

"The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle,"

That's as far as I needed to read to know their product is bullshit.

1
namechangearoo 1 point ago +1 / -0

Cool thanks. I’ll check it

1
namechangearoo 1 point ago +1 / -0

Makes me wonder now if these SW companies release intentionally buggy code, then quickly release a patch so they can choose not to patch them and leave them vulnerable (in the case of Dominion and Win7).

2
Star_Commander [S] 2 points ago +2 / -0

While some companies do engage in such practices that does not appear to be what happened here.

0
deleted 0 points ago +1 / -1
1
Star_Commander [S] 1 point ago +1 / -0

If this was the only company involved I'd assign more weight to the possibility of an inside job, especially given the signed code. Since there are more undisclosed companies whose software has been compromised the likelihood becomes significantly lower of it being an inside job, as having multiple insiders in multiple companies coordinating such a hack has historically never been done (that we know of, of course. This could be the first. But that would make it unprecedented.)

-5
deleted -5 points ago +3 / -8
9
Star_Commander [S] 9 points ago +9 / -0

In a nutshell, you are so wrong it is impossible to explain just how wrong you are except to point out that 10 minutes after I posted this you are blaming Outlook when Outlook is literally mentioned once in the 17 pages here. And it is mentioned in the context of this APT bypassing the MFA on OWA, not the outlook application itself.

4
tjsherod 4 points ago +4 / -0

Nearly the entire enterprise world uses Outlook; they operate within a Microsoft Exchange environment either on premises, in the cloud via Exchange Online with Microsoft Azure, or a hybrid environment.

0
deleted 0 points ago +3 / -3
0
deleted 0 points ago +1 / -1
2
deleted 2 points ago +2 / -0
2
deleted 2 points ago +2 / -0
2
Star_Commander [S] 2 points ago +2 / -0

No, it's a hack. The Outlook token issue is one of 19 attack techniques utilized in this event.

1
sigint1984 1 point ago +1 / -0

Eh, they probably had to hack to steal the key in the first place. Which hacks aren't a means to facilitate theft, besides defacements or DDoS? Most are. Even DDoSes are often smokescreens for a hack+theft behind the scenes. A breach almost always involves theft of information to some degree. They go hand-in-hand and your comment makes it seem like the hack/breach was trivial.