My sister is a leftist retard with kids. Her husband is a fucking banana. Bring back keeping our mothers in line, we've let feminism run too fucking far. That is all.

12

Made breakfast for my girlfriend this morning (she can't cook, bless her heart), and had this epiphany. Fuck all the haters and Bidens, we got this. When they overstep their boundaries we'll keep em in check. Much blood will have to flow for the globalists to take over, but a message was sent to not fuck with us and to know a fight when there is one.

If we didn't have this site and were still on cuckoldreddit, we would've been shut down. Mods are Gods for recognizing this. That's what I appreciate's about you (tv show reference). Start a Biden .win. I know there are inept folks who vote for Biden. But I know there are people who can be won over with facts not faggot feelings. Also, fuck reddit and islam. Reproduce, raise your children right. America first and America Always. Love you all.

That is all. Now we continue to make America the best Country in the world. Make more children, raise them well. Diversify your investments, buy more crypto and also make sure your 401k is funded. Fuck globalists. Riggers be damned but won't stop me. I had a drunken two days to cope and now I want more of America. Fuck Joe and Camela. This is what we do. Procreate and raise them right. Love this Country, nobody can take that from me.

80

Now that Biden was "elected", imagine that, no riots or BLM activity in Kenosha. Funny how that works.

30

But I haven't seen anything to support these tweets, albeit me believing logically (hopefully), despite no evidence, a large majority of them. Hoping he's right. I hope Jan 6 brings something. Also hoping Veritas walks the walk, as they say.

14

Good Morning.

Long time lurker, first time poster.

We all know about the SWO (Solarwinds Orion) hack, but why is it important from a technical perspective?

Been working in Cybersecurity for ~5 years now, started at help desk and worked my way up (fuck college for technical fields). Worked Incident Response for an APT as well and that was intense.

So, background. SolarWinds had their source code breached by an attacker which was more than likely a nation state due to the complexity. Not only did they breach SolarWinds, they also breached FireEye and stole their red team tools to utilize during this breach of SO SO many orgs. For those less informed, red teams are paid to audit (read: "hack") into companies with full auth. Note that in my personal opinion/experience these cats tend to be pompous script kiddies, but some of them are good to go.

Just for SA there's a framework called MITRE (https://attack.mitre.org/), which I highly recommend folks read about if interested in this field. It's known as the ATT&CK framework and can help folks understand exactly what these folks were doing to breach so many networks.

I can delve deeper into a technical analysis of the breach if desired, but there are plenty of blogs that break this down extremely well:

Background on APT-29 AKA cozy bear:

https://archive.is/6LHRN

Good analysis by FireEye for what they've dubbed as sunburst:

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Why is this important? There's a framework for attacks (MITRE above). I'll break it down as to what these folks did with this attack and why it's not good, but also why it's technologically impressive - I hate that they did this to us, but I love reading about how impressive autists can be:

Reconnaissance

Scan the environment; in this case, what companies do we want to breach? Once we identify who we want to breach, we have to know the target and what they use. The sheer number of exploitable applications that large orgs use is staggering. This is primarily accomplished through OSINT, or open source intel. Think of things like scouring LinkedIn for lists of employees (https://delta.navisec.io/osint-for-pentesters-part-2-linkedin-is-not-just-for-jobs/), dorking (https://exposingtheinvisible.org/guides/google-dorking/), etc.

Quick fun fact, I found the Hunter Biden password on a forum via google dorking, posted it here, and was banned for being a shill. Weird times we live in! Oh well, first post since I never post for obvious reasons so I guess I was an anomaly so I get it. Mods=Gods even with mistakes! :-)

Resource Development

Okay, we've identified the target, and we need to find a way to get onto the network. For this they identified SolarWinds. Now that they identified SolarWinds, they needed to exploit their software. (It should be noted that typically nation states have the capabilities and incentive to go after software, known as supply chain attacks.) This isn't atypical (http://www.cs.tufts.edu/comp/116/archive/fall2017/lholden.pdf), but traditionally this requires A LOT more resources (humans, dev time, coffee lol, etc.), so it's only carried out when you want to be supa sneky.

Initial Access

This is as the term implies: you need to get onto the system. This can be done a multitude of ways. Typically when done by script kiddies it's done with a known vulnerability and a known exploit in the wild that they use Metasploit to run. Very ez mode: put in target IP, port, your IP, your port, and what payload you want to drop and run after the exploit is successful, granting you shell access as either user or admin (this will depend on what the software is running as; if you have software running as admin or a service on the device, you have admin rights that are the same as the program you exploited. As an example, let's say you have VLC Media Player running on your computer and there's a known vuln and working exploit for it. If it's installed and running as a user, you would inherit those permissions and can execute code within those perm limitations.)

The SolarWinds hack used Windows library files, or DLLs, for the initial access. DLLs are commonly used by nation states as DLL hijacking or injection is hard to detect. Long story short, executables reference and load DLLs; if you can modify the DLL, you can put your own commands all up in there and the program doesn't give a shit and will run your commands. Recommend reading the MITRE framework referenced above for more information on this.

Execution

Basically covered this with initial access. Just exploiting a known vuln; in this case there was no need to gain access to a system directly, as you can just go after the source code, and when these poor cats install their updates as recommended by the software dev, in this case SolarWinds, they dl and run the software for you. That piece of trusted software is no longer trusted. Just an aside, software companies that outsource are statistically more likely to have this happen. Not only due to more flexible access permissions, but also flagrant abuse of the H1B system guarantees you're hiring degree mill folks from India, but that's another conversation entirely.

Persistence

Once you're on a system you need to establish persistence. What's the point of getting access to a system if you can't guarantee you get back onto it. What happens if the person reboots the computer? This kills your shell. What happens if they see something weird and exit out of the program or kill your connection? Establishing persistence ensures you can still get back onto the device despite these items. Typically you can establish persistence by putting something in startup so that every time a computer launches, she opens a shell or listens for a connection on a port.

The SolarWinds exploit ran as a service at startup. This gave them full access to the systems that it was run on.

Privilege Escalation

Priv Esc is just what it sounds like. You get onto a system and you only have user access; you need to find a way to run as a service or as an admin to be able to own the device. Note owning the device is the ability to do whatever you want to the system as you are the administrator of said device. This can be done by scouring the system to find a way to esc, such as finding a vulnerable software version on the device and then using a known exploit to escalate to run as that software or service. I hate this a lot, it requires a lot of patience tbh.

Defense Evasion

Don't let the victim know you're on there. Using obfuscation of commands, encrypting commands, process hollowing, code signing, etc.

SolarWinds used code signing. Think of code signing as having a third party say "yo I know this software and it's trusted" and your comp going, "aight, cool dawg thanks!".

The attackers compromised SolarWinds digital certs to do this. This is atypical and traditionally reserved for complex folks.

They also put files in normal places. They also used renamed system utilities, masqueraded as other tasks/services, and two of my personal favorites:

  1. Time based: They used this to basically tell the program to WAIT to operate. Think of this as a criminal: when someone jogging by initially wants to rob a house, they knock on the door and wait to see if there is a response. When there is no response they know no one is home, and then they make poor decisions and break into the house. This is the same thing the SolarWinds attack did: they had a wait of 12-14 DAYS before doing anything. Not only is this great for evasion, but it just shows their confidence knowing this would work, and they wanted to be chill. It should also be noted that this helps avoid any sandboxing attempts to discover the malware. Short and dirty, malware sandboxing is taking a program and running it in a virtual environment and seeing what it does. If you have it waiting for 12-14 days, the sandbox will report it as being just fine. If you want to get into sandboxing, do it SMART and RESEARCH before you download malware. Also check out Cuckoo, which is an open-source sandbox, albeit difficult to get running correctly initially.

  2. Steganography: Hiding shit in images. Want to do the most basic form of steganography? Super basic and easy to detect if logging commands, but still (DO NOT DO THIS ON A WORK COMPUTER): https://www.instructables.com/Hide-Your-Message-Inside-Text-File-New-Trick/

It won't break anything but it might make your IT department piss themselves if they know what they're doing especially with everything going on in the world.

Note that the above will hide your information in an Alternate Data Stream (ADS), so it's basic file stego. You can google to find progs to do steg for photos. I wouldn't personally dl them cause I don't trust the sw, but you know what I mean.

Credential Access

Once you get onto a system, you're on that device as a LOCAL admin or service. It can be different when you get service creds, which can be used across a domain, but the skinny is this: Imagine a computer as just like what you have at home. It's on its own traditionally and not like an enterprise environment. When you have a domain, you have different perms you need to think about. There's a local admin (again, your machine), and a DOMAIN admin (you have admin rights on more than likely ALL machines on the domain). Because of this the cats will want to dump creds. Dumping creds can be accomplished many different ways. You can find creds in a lot of places. Of note, SolarWinds also stored creds in a db, including old creds. Once you have access to a system with admin rights, if that db isn't protected, it's now yours.

Discovery

Scanning the environment. Finding out what's out there. It's like meeting your neighbors: you want to know what car they have, if they're god-fearing folks, or if they own firearms as good citizens. Same concept. What file shares are out there? Which machines are Domain Controllers (DCs)? Which machines are email servers? Etc.

This isn't too difficult, but it has to be carried out carefully if there are any baseline signatures being used for network-based IDS or IPS devices.

Lateral Movement

As the name implies, move laterally. Once you get domain creds this is easy. There are many open source tools to help them do this.

Collection

Find the secret sauce. Using commands like strings on a Linux box they can find important files quickly with ease. findstr can be used on Windows. They can then take this information and package it, encrypt it, etc. to ready it for exfil.

Command and Control

This is important. Like I explained to my gf, when you were younger and you got home late and your parents were out, you were required to call them and let them know you were home, the door was locked, and you were eating leftover dinner for food. This is important information that your parents wanted to know. This program of course did this as well.

Exfiltration

Take the collected tools and exfil them. This can be done via DNS, my personal favorite, or just like what they did with a PUT or a POST depending on size.

Why is this important? When you read the analysis that these companies and eventually CISA will put out, it's important to know what it all means. Furthermore, this takes A LOTTTTTTTTT of resources to accomplish. This pretty much exclusively means this was an act of war IMHO just like codemonkey said.

What I'm impressed with, though, is it used a domain for C2 that would kill it if no information was passed (MSFT killed this domain). https://archive.is/4AnFq I'm honestly surprised that they didn't just fucking encrypt everything once it was killed. There was ransomware a couple years ago (WannaCry) that stopped when a security researcher registered the domain (https://gizmodo.com/marcus-hutchins-security-researcher-who-stopped-wannac-1834181972#:~:text=News-,Marcus%20Hutchins%2C%20Security%20Researcher%20Who%20Stopped%20WannaCry,Pleads%20Guilty%20to%20Malware%20Charges&text=Marcus%20Hutchins%2C%20the%20security%20researcher,unconnected%20to%20the%202017%20attack). Same exact concept. If whoever did this wanted to kill our infrastructure they could've just encrypted everything when the C2 stopped responding, or responded instead of not.

All in all, this is a terribly awesome piece of malware from a technological standpoint. I worked with an APT before and it wasn't this much in depth nor as widespread. This was beautiful, this was more than likely an act of war, even if unintentional.

I thought this would be a shorter post but nope, when I start going it's hard to stop so here we go. If any further questions don't hesitate to reach out.

Want to start in this field? Don't go to college, read, read, read, and read some more. Home labs, certs as a challenge, and just be a hard worker. ez pz
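The Command and Control and Exfiltration sections above mention DNS as a channel for C2 and for moving data out. The following is an added example, not code from the original post, showing what a defender looks for in resolver logs: it profiles a constructed DNS query log and flags zones that receive many unique, long, high-entropy subdomain labels, the footprint of data being tunnelled out through DNS. The log lines, client IPs and the `c2-placeholder.invalid` zone are all constructed placeholders, not real indicators, and the zone cut is a naive last-two-labels assumption.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (timestamp, client IP, queried name). The ".invalid"
# zone is a placeholder, not a real indicator from the SolarWinds incident.
SAMPLE_LOG = """\
2020-12-14T08:01:02 10.0.0.5 www.example.com
2020-12-14T08:01:07 10.0.0.5 mail.example.com
2020-12-14T08:02:10 10.0.0.9 7fe5a1c0b9d3e8f4a6b2c1d0e9f8a7b6.api.c2-placeholder.invalid
2020-12-14T08:02:41 10.0.0.9 3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f.api.c2-placeholder.invalid
2020-12-14T08:03:15 10.0.0.9 b1a2c3d4e5f60718293a4b5c6d7e8f90.api.c2-placeholder.invalid
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    """Bits per character; encoded blobs (hex, base32) score well above words."""
    if not text:
        return 0.0
    probs = [text.count(ch) / len(text) for ch in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    """Naive zone cut: last two labels (assumption: no public-suffix list here)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def profile_queries(log_text):
    """Group queries by zone, keeping each client and each unique leftmost label."""
    zones = defaultdict(lambda: {"clients": set(), "labels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname = m.groups()
        zone = zones[registered_domain(qname)]
        zone["clients"].add(client)
        zone["labels"].add(qname.split(".")[0])
    return zones

def flag_zones(zones, min_label_len=24, min_entropy=3.5, min_unique=3):
    """Flag zones queried with many unique, long, high-entropy labels (DNS tunnelling)."""
    flagged = {}
    for name, info in zones.items():
        blobs = [l for l in info["labels"]
                 if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(blobs) >= min_unique:
            # Rough upper bound on payload carried: hex packs two chars per byte.
            flagged[name] = {"unique_labels": len(blobs), "clients": sorted(info["clients"]),
                             "est_bytes": sum(len(l) for l in blobs) // 2}
    return flagged
```

Thresholds are deliberately conservative; on real resolver logs, CDN and anti-virus lookups also use long labels, so whitelist known zones before alerting.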