This is going to be a long and technical post. For those of you in the industry you are fine with that. Many won't be and honestly they should probably just fuck off and let experts analyze this situation.
There is a ton of misinformation being spread about Solarwinds Orion and Fireeye. I'm going to straighten that out with actual informed analysis.
I don't expect this post to go very far... because it's real. Because it has facts in it and we live in a post-cybersecurity world. Instead of the freedom we experienced in the industry the last 20 or so years... our brightest minds have been shut down by SJW and liberal ideology. Replaced by inexperienced diversity hires, many of us have been scooped by alphabet agencies and we've sold out for the almighty dollar, and the rest of us who haven't sold out have no platform to share critiques and questions on. The normal channels are so infested with shills and disinformation we can't even do the normal analysis that used to come natural in information security... before the government hijacked it and started calling it cybersec to give glorified pencil pushers orgasmic fantasies about the irrelevance of their own position.
CHRONOLOGY
DECEMBER 8th - Major news outlets (including NYT) shared that Fireeye, a major cybersecurity firm, was hacked... "most likely by Russia". Oooohhs and Ahhhs from mass media. For those of us in the know we recognize that Fireeye and Kevin Mandia are heavily involved in geopolitics... and that Mandia's firm gave the report to Congress that the DNC hack was performed by Russia. This is demonstrably false and the person who received the hacked DNC data (Assange) has basically stated it WAS NOT Russia.
DECEMBER 13th - Solarwinds, an enterprise software company who makes the Orion platform, which is used for network and oplog monitoring, shared a security advisory stating that several builds of its Orion platform had a backdoor in it which they named "Sunburst".
DECEMBER 14th - Fireeye releases a breach analysis, and in that document they state that due to "automatic update methods" they received the Sunburst backdoor, and they speculate that this is how foreign actors were able to breach their system.
DECEMBER 14th - CISA, a major security/tech thinktank and policy writer for government, releases an advisory to shut down Orion servers (basically impossible for critical infrastructure unless you want to remove all optics on the healthy operation of your network).
THE STATE OF ORION
The ONLY, let me repeat the ONLY, trustworthy documentation I've seen thus far comes from Solarwinds. In their security advisory: https://www.solarwinds.com/securityadvisory they state that the following builds of ORION possibly had the Sunburst backdoor in them: 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. That's it. If you aren't currently running a build in that list... you aren't hacked. Utilizing file hashing Solarwinds can state this with authority. They can compare hashes of their known, safe builds to hashes of builds in the wild that have initiated connections to foreign IPs... see that they don't match and state those builds are compromised.
At this time I've only heard of one company claiming to have had a breach via the Orion backdoor. That is Fireeye, but their own breach analysis states this was speculated, that their own breach was very sophisticated, that the backdoor was delivered via an automatic update service and it was most likely foreign.
The problem with this is many-fold:
- Orion HAS NO AUTOMATIC UPDATE SERVICE. Updates of the platform are initiated manually. It's strange that a company of the caliber of Fireeye would misrepresent this piece of information.
- In Cybersec it's very hard to make a determination that any hack initiates from a foreign entity. Originating connections can be spoofed, IPs can be tunnelled and forwarded, and server space can be hosted on foreign server farms. About the only way you can truly specify a hack as being foreign in nature is if you ID key individuals perpetuating the attack or observe foreign language or code in binaries and network traffic... even this is tough because if a foreign adversary attacks a US based asset, it must utilize English to attack a target, so code would most likely utilize an ASCII character set.
- CISA stating to shut down Solarwinds Orion is completely unfounded and irresponsible. This guidance is just as overreaching as saying "wear a mask to stop the spread". It doesn't take into account discovery to see if you are even susceptible, sharing how to properly secure Orion servers, or monitoring to actually see if you are compromised. It assumes the lowest common denominator.
The DOMINION/SOLARWINDS Schizo conspiracy
- I've seen many people stating OMG Dominion uses Solarwinds! They've shown a website with a Dominion logo on it. I've also seen people share a code snippet of HTML from the webpage where they viewed the source. There is an HTML href in there that points to "www.solarwinds.com". Just so you know... forensically this means nothing. A Solarwinds Orion webpage is very easy to ID. It will contain numerous javascript code blocks, ASP and json. It will also reference the orion.app AngularJS app. I didn't see any of this in that screenshot... and not that it matters. Solarwinds Orion is a valid monitoring product that thousands of private and government orgs use. It means nothing if Dominion used it. (Having a public-facing Solarwinds Orion server, however, could be indicative of bad security practices and having an attack vector though.)
CYBERSEC IS DEAD
The hack of Fireeye is just another example of how liberalism, communism and groupthink have poisoned our country and its open, free, productive mentality. I could go into much much more detail about this... what I've done to measure threats, sort the misinformation, monitor and protect.... but what is the point? I've had C-levels come to me and ask if we should shut down our Orion servers. I told them "no", we are secure and we are monitored, but at the end of the day I can't give them the clear reasons why they should trust me instead of the weaponized news cycle.
At this time I don't know what is happening behind the scenes... nor do I care. We've never dealt with speculation in our industry. People in our industry say POC GTFO. They've even published a bible that embodies that spirit and many of us keep a copy in our library... where we showed the lengths we went to demonstrate proof of concept or get the fuck out.
This spirit is dead. I've asked many people if they've demonstrated proof of concept of the Orion hack and none have. Everyone is taking this at face value... they're trusting Fireeye's analysis, they are trusting CISA's guidance.
NONE of that should be trusted. There are numerous indicators that Fireeye had a multi-layered attack which included phishing and social engineering.... yet everything is being directed to Orion. It stinks to high heaven.
I could guess about what really happened and I have... but I'm mainly sharing this to let all of you know out there... if you're spreading uninformed analysis of this you are just falling prey to the disinformation campaign around it. Many of you don't have a fucking clue what you are even reading... you don't even know how fucking servers work or what's possible. When people in our industry say Russia, or complex threat... it's almost always ignorance or disinformation. Very few attacks are complex, most breaches are never published... and if they are it's to spread disinformation and misdirect. There is never a good reason to share breach analysis unless you want to misdirect for another purpose.
At the end of the day Solarwinds had someone place a backdoor into their software build. Fireeye is spreading analysis that states that's how they were hacked... the news cycle is spreading it and it's putting hardship on all of us industry insiders whose CEOs, CISOs and partners are breathing down our necks because of the misrepresentation in the news... that's the facts.
What else is new... it's par for the course in clown world 2020 when information security has died.
WHAT DO IF I'M AN ADMIN
Use that God-given ability that you may have forgotten to use.
- Determine what build of Orion you are using. THIS IS THE NUMBER ONE STEP. If you aren't on the published vulnerable builds of Orion... YOU HAVE NOTHING TO WORRY ABOUT. Patch to latest and inform your C-levels or bosses that you are secure.... then perform the normal threat analysis and apply your normal secure policy (CIS TOP 20, AUS DOD, NIST FRAMEWORK). If you aren't securing your servers anyway you need to get better at your job. How's your admin group membership, do you have separation between accounts, is admin authorization mode turned on in UAC? There are so many things and ways you could prevent an attack like this from occurring it's laughable... Do I really believe Fireeye wasn't doing them?
- Log on to your Solarwinds Orion server (the core server, not the IIS or SQL server) and install Sysmon on it. In your Sysmon template exclude all the normal Orion binaries (images). You'll blow your Sysmon up with normal SNMP polling otherwise. This will allow you to watch if files are making callouts to public IPs. Forward this using a log forwarder to a monitoring server such as Graylog, Elastic, Splunk, etc. Graph it and build alerts on it.... but don't worry too much about it if you made it past number 1.
- You should always be analyzing network traffic. No, I don't mean watching alerts... I mean analyzing streams with Network IDS and stream summary engines. Tools like Zeek should be industry standard, but they aren't.... because this new generation seems to be scared of open source software. With stream summary you can analyze and summarize normal network traffic and you'll know if your Orion server is making a call to a foreign server. Honestly you should know exactly what IPs and subnets your Orion server talks to on a daily basis. You have to preconfigure its SNMP and log targets, so of course you know exactly what it talks to. Fireeye released SNORT rules to watch for the backdoor beacons. I've inspected the rules and honestly they are pretty rudimentary. They have some pretty straightforward domains in them and honestly I think it's a smokescreen and a waste of time, but I went ahead and loaded them into SNORT. I just think it's Fireeye attempting to give credibility to their narrative. There are probably honest people doing honest work at Fireeye and that's probably a natural product of that.
- Even if you were running hotfix 5 you can compare the file hashes of the published Orion dll with the ones seen in the wild that were compromised and see if you had the Sunburst backdoor on your system. My guess is Fireeye is the only one. I've heard of no other groups that had it.
- Are you running HIDS? Get an agent on your Orion servers that notifies you of file hash changes. If Fireeye was running HIDS on their Orion server and it was actually the source of the hack they would have known immediately.
- The whole "automatic update service" shared in Fireeye's breach report was very concerning. It doesn't exist. Companies at "Fireeye's level" don't make mistakes like that and I can't get over that this was in their report. To apply the Orion backdoor you would have had to obtain the patch from their customer portal and applied it manually.
This should be stickied.
Too much info... too concise... not enough FUD.
It won't be
Also I've been hearing a lot about how bad Solarwinds security is.... based on Vinoth Kumar, a "top security bug analyzer", sharing that "Solarwinds Update Server's password" was Solar123.
I've searched low and high to discover more about this guy. I can't find much about him utilizing OPSEC... I'm pretty sure there are 500 Vinoth Kumars on LI.
Anyway I did find this https://www.moneycontrol.com/news/business/how-could-the-solarwinds-cyberattack-have-come-about-6234481.html
Basically saying this guy saw a Solarwinds employee drop some credz in some re-used code posted on github and he was able to upload docs to a public storage server with them.
I hate to break it to the noobs out there but this certainly doesn't mean Solarwinds' security practices and policy suck. This can happen all the time... perhaps it was a small SFTP server VM spun up for limited use. There is nothing to indicate Kumar stumbled upon Solarwinds' update delivery network.
Yet more evidence of things being blown out of proportion. Without the key info of what the server was, what subnet it was located in and what it controlled, this info is arbitrary at best.
bingo
I trust Solarwinds' security advisory because no matter how their software builds were compromised it's in their best interest to get in front and make that information public.
Honestly it's in Fireeye's best interest to put up smokescreens and throw somebody else under the bus.
100% - Agree.
Though I did share the screenshots. Not because they were proof of Dominion being exploited but because of their outright statement saying they didn't use Solarwinds when clearly they did.
I've been in the industry as well for coming up on 20, I came out of 3 letters to work in private and you are absolutely right how bad it's gotten. Your post didn't go nowhere pede, I get it and I'm with you.
Thanks... its good to know there are some Pedes out there that are still fighting the good fight.
I wish I had the code to the supposed public Orion server hosted on Dominion's IP space. I could easily tell whether or not it was an Orion box.
What was linked didn't show that authoritatively. It actually looked like code trying to make me think it was.
This is coming from someone who inspected an Orion server logon page 20 mins ago. There are about 30 unique indicators that I could see... none of those were an href with solarwinds.com in them. lol
Agreed, the whole thing seems likely to exist only to allow Dominion and by proxy the DNC and RINOs something to point to and say see, it wasn't us, it was the damn supply chain bandits. Some foreign actor stole our homework!!
It is obviously not what they are saying it is to anyone with experience in the area.
There’s a lot to unpack in your post but I’ll pile on in a simpler way, this morning on NBC News they did a bit on sources (Fireeye) say “Russia hacked” including bipartisan support in Congress including Republican Mitt Romney say....blah blah blah...Orange Man bad
-👆 that is the giveaway that another BS narrative is being spun up
you got it.
Fireeye is scum in my eyes... for those of us in the industry there are outlets we trust (many of them crowd sourced) and a couple of private groups such as Tenable and Dave Kennedy's group TrustedSec (and we trust them because WE KNOW them and their mentality and character)... but there are a lot of nasty groups in cybersec. Many have hidden agendas and are in bed with $$$ and politics.
It's no different than the University complex, the Scientific complex or the military industrial complex. Information is power in the right hands.