As someone just said… 2020 is turning out to be lovely…. I’ll post more tonight https://twitter.com/BleepinComputer/status/1339706445307195392
[See the full post at: SolarWinds impact getting a bit larger]
Susan Bradley Patch Lady/Prudent patcher
I don’t know what SolarWinds is. Yet seeing that Microsoft was hacked via this software is scary. This is why I uninstall OneDrive every time it gets installed, and this is why I do not use any of Microsoft’s cloud services. This was bound to happen.
SolarWinds is enterprise management software one of whose functions is patch delivery.
SolarWinds had a vulnerability that was exploited to corrupt the SolarWinds software when the SolarWinds software was updated. Then this exploit was used to deliver an infected dll to other machines.
Microsoft has stated that none of their production machines or customer data has been compromised. This has nothing to do with Microsoft’s cloud services being hacked.
--Joe
More about this gravest of cyber attacks (that now are said to include MS among its targets), and the implications for the national security of the USA, here in this Associated News article:
Excerpt:
“The hack compromised federal agencies and “critical infrastructure” in a sophisticated attack that was hard to detect and will be difficult to undo, the Cybersecurity and Infrastructure Security Agency said in an unusual warning message. The Department of Energy (*) acknowledged it was among those that had been hacked.
The attack, if authorities can prove it was carried out by Russia as experts believe, creates a fresh foreign policy problem for President Donald Trump in his final days in office.
Trump, whose administration has been criticized for eliminating a White House cybersecurity adviser and downplaying Russian interference in the 2016 presidential election, has made no public statements about the breach.”
(*) The DoE is, among other things, responsible for nuclear weapons development and for maintaining the US nuclear weapons arsenal.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
With respect to who did it, I was told some years ago by a senior IBM security consultant that the “defenders” would know with 98% certainty who broke in. On that basis, I think we can be pretty certain this one was Russian. Probably the reticence in saying so openly is either due to the remaining 2% uncertainty or, more likely, that the effect is greater if the attribution is done off the record.
For me, however, the bigger issue is not whether we can trust MS, or any other entity hacked, but what we can do about the pervasive problem of nation state hacking and spying.
Chris
Win 10 Pro x64 Group A
I, for one, would really like to know how they get to 98% on a sophisticated break in like this, that went on for months.
Right now we have one paragraph in the WP that recites anonymous sources and it goes on like it’s 100% true.
The quote from the consultant I spoke to was a generality, not a specific statistic of the probability of knowing the source on this particular case. In other words, in the course of analysing a break-in or malware, the white hats will normally be pretty certain of who was the culprit.
Chris
Win 10 Pro x64 Group A
Heard that Microsoft themselves have been compromised thanks to the Solarwinds hack. Hopefully we all aren’t bots. 🙂
https://finance.yahoo.com/m/d573dcb7-a1b4-3cd1-8aad-e29d6340a664/microsoft-was-breached-in.html
In the Yahoo article posted above by Iylejk, there is a link to this other one:
Excerpt:
“Smith (MS President) warned that the attack is “ongoing,” and said at least seven other countries had been hit, including Canada, the U.K., Spain, Israel and the UAE. “It’s certain that the number and location of victims will keep growing,” he said”
So this is also going on well beyond the USA borders: someone is playing a dangerous game of unforeseen consequences, on top of all the urgent problems we already have to deal with in this world.
Iylejk: “Hopefully we all aren’t bots”
About that, see here #2320608 a relevant comment by Anonymous.
Initially, Microsoft blamed their SolarWinds problems on hacked customers using O365 (It’s not our fault, nothing we could have done…). Then we found out that they, too, use SolarWinds’ Orion product. Even worse, while cleaning up their own SolarWinds installations, Microsoft found a SECOND backdoor into their systems.
I want to know what was done to Microsoft’s systems before they closed those backdoors. “Microsoft says it has not found evidence hackers breached customer data or used its systems to attack others” sounds like famous last words to me. Microsoft is not unhackable, and neither are their updates.
That’s the right question. But here is the catch, that’s now important: “what if you do not trust anymore? Or even if your Azure or cloud is infected? What are other options? Admins deployed Azure where recommended. Some went to O365.
And we were all bombarded with statements, how updates are safe now secure things now are. Now we will see if it’s true or just marketing. There is no option to go back. Only time will tell.
“We have not found evidence of access to production services or customer data. Our investigations, which are going on, have found absolutely no indications that our systems were used to attack others”
hmmm.. absolutely no indications. absolutely.
Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise
HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29
PRUSA i3 MK3S+
Microsoft says it identified 40+ victims of the SolarWinds hack
Microsoft said it identified more than 40 of its customers that installed trojanized versions of the SolarWinds Orion platform and where hackers escalated intrusions with additional, second-stage payloads.
The OS maker said it was able to discover these intrusions using data collected by Microsoft Defender antivirus product, a free antivirus product built into all Windows installations.
Microsoft President Brad Smith said his company is now in the process of notifying all the impacted organizations, 80% of which are located in the United States, with the rest being spread across seven other countries —namely Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE….
Iylejk: “Hopefully we all aren’t bots”
About that, see here #2320608 a relevant comment by Anonymous.
@OscarCP & @SB Sad to see that my writings are wiped again without any notice; like the truth ends in the USA and this administration, like there is no collaboration between 3Eyes 5Eyes 7Eyes 11Eyes. Talking about so-called ongoing attacks is an understatement of what has happened. Secret services all around were robbed of their own breaking-in tools, and were used to plant malicious parts in software used by all. So, are we all bots? In a manner of speaking: yes, we are!
Bleepingcomputer has a partial list of SolarWinds customers in this article by Ionut Ilascu.
Scary. Seems it has touched all of us one way or the other.
I guess more companies and public bodies will end up running private networks disconnected from the internet at large. Unfortunately, this flies in the face of their increasing dependence on the Cloud – the main issue with which was always going to be centred on security. It also doesn’t help if the software they install on their private networks is compromised in the first place! Nonetheless, reducing accessibility from outside has to be a good thing.
Other than that, I suppose it’s the usual case of condemning any foreign power that is seeking to break into our computer systems while conveniently overlooking the fact that we’re all doing exactly the same thing with theirs!
I guess more companies and public bodies will end up running private networks disconnected from the internet at large.
May be true. After advertising and pushing cloud solutions to everyone, different direction can grow now.
Echoing @GoneToPlaid, I don’t know what SolarWinds is.
But, judging by the partial list in the article by BleepingComputer linked in the guest post above (#2320680) it seems to have been used by companies in every major facet of the tech industry.
Is there anything normal users can or should do right now?
You think about all the added security Microsoft has baked into Windows. Yet the bad guys have no problem getting around it. What’s worse is detection seems to be getting worse not better.
That’s not coincidence. Since the complexity grows, there must be more and more weak spots in all these systems. It’s impossible to remove them all. There will always be the way how to overcome security. And if all is constantly changing (neverending stream of patches and updates), you repair one thing and two others can break. That’s just reality!
It’s like people sobering these days. They start to notice that security is not about nicely sounding sentences. It’s about the real situation, which is different from “what’s written on the paper”.
I’m not surprised too much, I know that hackers are always one step ahead.
The impact of this intrusion will not go away any time soon. Recovery is going to be expensive and may never be complete. Every attempt to fix it will be observed. It is reported that they have the access to override the recovery attempts. It is a master plan not just a hack to disrupt and do a bit of damage.
Can SolarWinds survive?
SolarWinds have several competitors in the same tech space. The competitors are no doubt doing some serious forensics right now. Private and government cyber analysts should be able to determine if they too have suffered the same fate or not. If they come out unscathed, it may mean that they were not targeted as opposed to not vulnerable. Industry, business and government need to know before they can act on any recovery processes.
Very interesting reading. Seems like MSFT did whatever it could to get rid of this. Especially that part about updating Defender during night and taking the control of compromised servers sounds good.
According to SolarWinds, this malware was present as a Trojan horse in updates from March through June 2020. This means any customers who downloaded the Trojaned updates also got the malware. While not all customers who got the malware have seen it used for attacks, it has been leveraged for broader attacks against the networks of some strategically critical and sensitive organizations.
So it looks like Windows users were really affected by this issue. So it’s possible to hack Windows updates. Good that MSFT created this flexible updating service. I hope it will be used more effectively in the future, more than it is now.
And btw did someone confirm it was Russia? I think it’s just too easy to blame “the biggest opponent.” Could it be some international group of hackers probably?
In the end, this all reminds us how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world nearly overnight if it wants to. And when it chooses to train that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast.
Yeah, how much power Microsoft has! And still MSFT is annoying us with new start menu icons, new layout and reworked control panels every half a year. Now it seems they have more important tasks, than recreating calculator and creating new “snip and sketch” tool.
Something to contemplate with the time span this went undetected; it is not just the backdoors themselves, for which detection signatures are known, but what came through the backdoor in all that time. With the pure skill and brain power that went into this hack there will be deeper penetrations that already had their back trail obscured if not obliterated.
🍻
Just because you don't know where you are going doesn't mean any road will get you there.
Was it not Queen Victoria who said ‘we are not amused’?
“Some of the legal and regulatory fallout may hinge on what SolarWinds knew or should have known about the incident, when, and how it responded. For example, Vinoth Kumar, a cybersecurity “bug hunter” who has earned cash bounties and recognition from multiple companies for reporting security flaws in their products and services, posted on Twitter that he notified SolarWinds in November 2019 that the company’s software download website was protected by a simple password that was published in the clear on SolarWinds’ code repository at Github.” – re: Brian Krebs article, cited by Susan.
What they should have known is how to create a password better than this one …
****123
Two mistakes in one: (1) A useless password (2) Publishing it.
Can’t follow Vinoth Kumar logic, since it’s not obvious to me, why is the password something123. There is just public token exposed, so it can be “deciphered”?
I can’t believe that company that focuses on device management is so lame. Accessing server does not automatically mean you can inject trojans there. We don’t know how their download or upload works.
And can we be sure, that they don’t use 2FA? Do you think you just get the password and “perform server wipe”? I think it’s more complicated. But still their password should not be obviously uploaded on GitHub.
I heard today the Minority Leader in the US Senate call the related break-ins “an invasion of the US.” He could have added also of all those countries the President of MS listed in his statement ( #2320663 ), for a start. So we are in for some political drama ahead but, I really hope, not for a real escalation. Whoever did this has made a big and reckless move and raised the bets in a dangerous game. One thing I expect is that, starting in the coming year 2021, what users are allowed to do on the Internet is going to become different in certain ways from what we are accustomed to: the reaction to this big cyber attack is going to be, I think, also a big game changer for users everywhere and not necessarily in ways that many are going to like. Well, let’s wait hoping for the best. Not much we can do otherwise, as far as I know.
Emergency Directive 21-01
December 13, 2020
Mitigate SolarWinds Orion Code Compromise
Disconnecting affected devices, as described below in Required Action 2, is the only known mitigation measure currently available.
Read the full bulletin here
From link in latest Joint Statement.
PS Yahoo are now reporting the initial attempts were in October last year:
https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html
Anonymous: “Any ideas of how to mitigate?”
Well, yes, some ideas, but not ones very nice to contemplate, at least according to this Associated Press article published today:
https://apnews.com/article/hacking-russia-bafff5557a8941aa1a5ef239d36c4e28
Excerpts:
“Many federal workers — and others in the private sector — must presume that unclassified networks are teeming with spies. Agencies will be more inclined to conduct sensitive government business on Signal, WhatsApp and other encrypted smartphone apps.”
“We should buckle up. This will be a long ride,” said Dmitri Alperovitch, co-founder and former chief technical officer of the leading cybersecurity firm CrowdStrike. “Cleanup is just phase one.”
“The only way to be sure a network is clean is “to burn it down to the ground and rebuild it,” said Schneier.” Emphasis mine. (For what it’s worth, Bruce Schneier is described in this article as “a prominent security expert and Harvard fellow”, whatever that means)
“Imagine a computer network as a mansion you inhabit, and you are certain a serial killer has been there. “You don’t know if he’s gone. How do you get work done? You kind of just hope for the best,” he (Schneier) said.”
As to that “Russia” thing: as far as I know as I write this, still no one has declared in an official capacity this or any other country’s government guilty of the attacks, at least no one whose job would be on the line along with any possibility of future employment anywhere else if they were to accuse, let’s say Russia, unequivocally and without enough undeniable supporting evidence for such a claim. So we are still waiting to be told, in a credible way, who’s done it.
? says:
so, what does this mean to me? how does this breach affect an individual’s personal information? could the stolen info contain an individual’s personal information? i really don’t need anymore spam, or password changing, or worrying about the security of online banking, or level3, comcast, att or any other ISP’s records (mine included) having been vacuumed up for review and sale…
does the IRS have my address? is it time to move up into the mountains with my mask(s) ?
As another anonymous explained earlier, your PC could be made part of a billion-strong botnet quietly waiting for the right signal to launch a massive denial of service attack against a chosen target Web site. What can one do about it? That is the question. With, so far, no answers. But I hope that the answers will come, sooner or later. Whether we’ll like them, is the other big question.
so, what does this mean to me?
It does not affect your computer unless you are running Solar Winds – you would know if you were.
Would running a Standard User account instead of an Admin account make any difference?
No, there is no chance that you will be affected because you do not run Solar Winds.
Stick to your usual precautions, backup, anti virus etc and relax in the knowledge that you are as safe as you can be.
cheers, Paul
It does not affect your computer unless you are running Solar Winds – you would know if you were.
Well er, actually I rather expect that most of the people who have SolarWinds products on their system don’t know it.
As in the actual users in all of those organizations whose IT support organizations use SolarWinds.
The IT side should know, but even there I wouldn’t rely on it. (ISTR that SolarWinds did offer rebadging, so the thing may report itself as “<company> IT support infrastructure agent” or whatever.)
? says:
thank you Paul. so, you say it doesn’t affect my computer since i don’t run SolarWinds. ok, then what about my (on and off line) participation in the “supply-chain?” any exposure to me of my personal information since i am a customer of several of the suppliers in the compromised SolarWinds supply-chain list? not to disagree with your understanding of the situation, however; i see in this Wikipedia “Supply chain attack,” article under “Risks,” paragraph: “Poorly managed supply chain management systems can become significant hazards for cyber attacks, which can lead to a loss of sensitive customer information, disruption of the manufacturing process, and could damage a company’s reputation.”
https://en.wikipedia.org/wiki/Supply_chain_attack
this is all i’m after, acknowledgement that having a relationship with a compromised supplier involved in this hack i/we may now have our personal information in the hands of an unintended and unfriendly third-party…
Paul_T wrote: “Stick to your usual precautions, backup, anti virus etc and relax in the knowledge that you are as safe as you can be.”
I can see the point of doing that: good advice. I am also interested in the possible use of browsers to connect to usually safe sites one often visits, where the servers might be protected with SolarWinds software and, therefore, may have been compromised. What precautions would be appropriate to protect oneself when browsing around, from malware compromised sites might have been primed to propagate by the attackers?
And what would be a good place to go to for information on what is found about the extent of the attacks and which sites and services have been compromised and, of these, which ones have been cleaned up and can be used with confidence again?
Finally, I would think that being shy of using anything online with “Cloud” in its name would also be a good precaution. Any comments, advice, ideas about this? How about those who depend on things such as Office365 and similar online software for their work?
which can lead to a loss of sensitive customer information, disruption of the manufacturing process, and could damage a company’s reputation
And this does not already happen via existing breaches, on social media and via phishing?
The attackers aren’t likely to be after your data as it’s worth too little compared to accessing internal systems of government etc.
The trashing of a company’s reputation due to poor security is a good thing. It encourages all companies to make an effort.
What precautions would be appropriate to protect oneself when browsing around, from malware compromised sites might have been primed to propagate by the attackers?
This is no different to the current arrangement where every site you visit may have been compromised / host malware via advertisements etc.
Use an up to date browser and anti virus, don’t pass personal info / passwords to anyone and backup (there’s an echo in here 🙂 ).
cheers, Paul
This observation suggests that there are other original access vectors besides SolarWinds Orion, and there may be others that are not yet known. Identifying the affected systems, analyzing them, and cleaning the software of the infections is likely to take months.
source: borncity
Quote: “You think about all the added security Microsoft has baked into Windows. Yet the bad guys have no problem getting around it. What’s worse is detection seems to be getting worse not better.”
Funny thing about that…you are aware that Microsoft shares source code with Russia and China? ZDNET: Does Microsoft’s sharing of source code with China and Russia pose a security risk?
I wouldn’t trust the statement about being “98% sure” about the source of infection, either. Spoofing is much more sophisticated these days, and anyone who pulled this off isn’t going to be sloppy about leaving clues…unless those clues are meant to misdirect. I’m more suspicious of North Korea or China (or both), with the current state of tension these days in the South China Sea.
There’s also a good possibility that third parties got access of the source code from either Russia or China, in order to cash in on vulnerable systems. Bot Nets can be VERY profitable!
Much of the issue is ourselves, though. The emphasis by the NSA and other US agencies to degrade encryption is a major factor in making things less safe. Instead of degrading protection, we should have iron proof encryption (and yes, that will be an issue in other areas). That’s the only way to protect critical systems, IMO.
Much of the issue is ourselves, though.
@johnf, I cannot agree more, this is right.
Even 7Eyes is “monitoring” (a politically correct expression for reading-all/spying) for their partners, and then exchange the data…. So in that country itself everybody can claim they didn’t do it.
Many of these countries do think this is an acceptable way, just as buying the illegal hacking-tools/0Day-tools is accepted by parliaments. If there was a moral this has disappeared?
To degrade encryption as many parliaments want to do is a major factor in making things less safe, and prompted by political and managemental fear and ignorance.
The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code, Microsoft said on Thursday, something experts said sent a worrying signal about the spies’ ambition…
Microsoft:
We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.
At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.
As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access.