Very interesting and educational read on the latest major attack you're all hearing about...

SolarWinds attack explained:
 
Yep, a big problem. Below is a meeting notification I received. Staying informed is something we as instructors need to do. Consider joining Infragard (www.infragard.org).

Attention InfraGard member,

You have received a new broadcast message.

Critical Infrastructure Colleagues and Partners,

***For widest distribution amongst CISA partners***

The Cybersecurity and Infrastructure Security Agency (CISA) invites you to participate on a call today (December 14, 2020) at 4 pm Eastern addressing active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.

Today’s call will highlight the information we have shared earlier. If you have not seen it yet, we have provided it directly below:
  1. CISA Current Activity Alert “Active Exploitation of SolarWinds Software”
  2. CISA Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”
  3. SolarWinds Security Advisory
  4. FireEye Advisory: “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”
  5. FireEye GitHub page: Sunburst Countermeasures
Please note, this email serves as the invitation for this event and a separate calendar invite will not be issued.
This call is NOT OPEN FOR MEDIA REPRESENTATIVES

Date/Time:
Monday, December 14, 2020 (4-4:30pm EST)

Meeting Information Omitted


Respectfully,
Stay Safe, Stay Healthy. Defend Today, Secure Tomorrow.
Cybersecurity and Infrastructure Security Agency
 

Stephen Schneiter

Administrator
Staff member
  • Nov 26, 2018
    579
    6
    2,105
    Knoxville, TN
    Yep, a big problem. Below is a meeting notification I received. Staying informed is something we as instructors need to do. Consider joining Infragard (www.infragard.org).

    This looks like a great resource @Steve Linthicum. Thanks for sharing. Looking into it. You bring up a great point, as instructors we do need to stay up to date. A lot of times information like this can be taken directly to the classroom. Real life examples really bring the content to life engaging the students.
     

    Stephen Schneiter (Administrator, Staff member)
    More on the cyber attack. Points to Microsoft for their actions; they are getting quite good at that.

     
    Did you guys hear the part about SolarWinds apparently having a solarwinds123 FTP password which might have led to this whole thing..? Crazy...


    Lee
     
    I tried SolarWinds Orion. I found it pretty tough to get to use, particularly for a smaller environment. But operating on a shoestring budget of basically $0 for that kind of thing, my options were crazy limited.

    It's going to make me really question SolarWinds as a possibility, even after they patch up (and I get money to buy a decent IT infrastructure tool).

    I have a tough time seeing Darth Nadella in my head.

    Messy all the way around for sure.

    /r
     

    Stephen Schneiter (Administrator, Staff member)
    The story continues! Check out this article from Microsoft as to how the attack takes place. "The addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations using the affected product ..."

     
    What happened to patch strategies? Sandbox a patched system, look at the firewall, IPS/IDS and see where it is communicating to, create a rollback plan, then implement. Tools such as Snort (back in the day), on both sides of the border router, would have seen traffic that most commercial systems wait to patch on. "Back in the day" we were able to see suspicious traffic with such boxes (ran on old Pentium 60s), create our own signatures, then submit them to the major vendors, who wait on customer input to put out major signatures. Maybe I am off base or in a different game, but hey, in cybersecurity: Once you've seen one nuclear war, you've seen them all!!
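The "sandbox the patched system and look at where it is communicating to" step from the post above, as an added example that is not part of this thread, of any poster's tooling, or of any vendor's product. It takes a baseline of the sandboxed host's outbound connections before the patch, takes another after the patch is applied, and reports every destination that is new and not on an explicit allowlist. The log format, host name, addresses and the allowlist are constructed for the example; real firewall or NetFlow exports would need their own parser in place of LOG_RE.

```python
"""Added example: diff a sandboxed host's egress before and after a patch.

Everything below (log format, IPs, host names, allowlist) is constructed
for illustration and is not taken from the thread or from any product.
"""
import re
from collections import defaultdict

# Constructed one-connection-per-line firewall egress format (assumption).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
    r"(?:\s+host=(?P<host>\S+))?$"
)

# Baseline: what the sandboxed monitoring server talked to before the patch.
BASELINE_LOG = """\
2020-12-10T09:00:01Z src=10.0.5.20 dst=10.0.0.53 dport=53 proto=udp
2020-12-10T09:00:02Z src=10.0.5.20 dst=10.0.0.10 dport=445 proto=tcp
2020-12-10T09:05:10Z src=10.0.5.20 dst=203.0.113.40 dport=443 proto=tcp host=downloads.vendor.example
2020-12-10T09:05:11Z src=10.0.5.20 dst=10.0.0.12 dport=161 proto=udp
"""

# After the patch: same traffic plus one destination nobody asked for.
POST_PATCH_LOG = """\
2020-12-14T13:00:01Z src=10.0.5.20 dst=10.0.0.53 dport=53 proto=udp
2020-12-14T13:00:03Z src=10.0.5.20 dst=10.0.0.10 dport=445 proto=tcp
2020-12-14T13:12:44Z src=10.0.5.20 dst=203.0.113.40 dport=443 proto=tcp host=downloads.vendor.example
2020-12-14T13:13:02Z src=10.0.5.20 dst=198.51.100.77 dport=443 proto=tcp host=k3p9q2.api.cloud-telemetry.example
2020-12-14T13:13:09Z src=10.0.5.20 dst=10.0.0.12 dport=161 proto=udp
"""


def parse_log(text):
    """Return one dict per parsable line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def egress_profile(records, watched_src):
    """Map (destination, port, proto) -> connection count for one source host.

    The destination is the logged host name when present, else the IP, so a
    vendor CDN that rotates IPs still counts as one known destination.
    """
    profile = defaultdict(int)
    for r in records:
        if r["src"] != watched_src:
            continue
        dest = r["host"] or r["dst"]
        profile[(dest, r["dport"], r["proto"])] += 1
    return profile


def new_destinations(baseline_text, post_text, watched_src, allowlist=()):
    """Destinations seen after the patch that are neither in the baseline
    nor explicitly allowlisted.  Each finding is a reason to hold the rollout."""
    before = egress_profile(parse_log(baseline_text), watched_src)
    after = egress_profile(parse_log(post_text), watched_src)
    findings = []
    for key, count in sorted(after.items()):
        dest, port, proto = key
        if key in before or dest in allowlist:
            continue
        findings.append({"dest": dest, "port": port, "proto": proto, "count": count})
    return findings


if __name__ == "__main__":
    hits = new_destinations(BASELINE_LOG, POST_PATCH_LOG, "10.0.5.20",
                            allowlist={"downloads.vendor.example"})
    for f in hits:
        print(f"NEW EGRESS {f['dest']}:{f['port']}/{f['proto']} "
              f"({f['count']} connection(s)) -- investigate before rollout")
```

The diff is keyed on destination, port and protocol rather than on raw IP so that a vendor download host moving between CDN addresses does not show up as a false alarm, while an update that starts calling a host the baseline never saw does. Run it against the sandbox for at least as long as the longest scheduled job the product runs; a beacon that waits before its first call-out will not appear in a ten-minute capture.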
     

    Tess Sluijter

    Well-known member
    Apr 1, 2020
    376
    1
    535
    the Netherlands
    www.kilala.nl
    What happened to patch strategies? Sandbox a patched system, look at the Firewall, IPS/IDS and see where it is communicating to, create a rollback plan, then implement.
    What you describe is certainly part of best practices and it's something we should all strive to. Unfortunately most shops out there just aren't mature enough to get this into place though.
     
    What you describe is certainly part of best practices and it's something we should all strive to. Unfortunately most shops out there just aren't mature enough to get this into place though.
    Not to mention the time and effort in raising the maturity level of a shop, or the utility of doing so.

    For example, if you're a one-man band, what's the point of putting in a functional Change Management process. I mean, trying to convince your CAB (which is myself and maybe someone else that probably doesn't understand a word of what I'm talking about anyway),

    ECAB's are easy...just get in there and fix the darn thing. Make it work and later, go into a self-led session on why it was good to replace a hard drive...

    In all seriousness, there is a diminishing rate of return that comes with trying to add more maturity into models.

    So what does this have to do with the OC topic?

    Because sooner or later, as things start happening, it becomes harder and harder for one person to track. Put in the software to do the management, and potentially add in the complexity of all the CIs to track, plus the software itself (and that's notwithstanding if there is any cost involved). That's where tools like SolarWinds come in - they're supposed to provide that Force Multiplication. Bolt it up to your servers and network and see all the amazing things it can do. But that's also a LOT of trust to throw around.

    Hopefully I'm making some sense here...

    /r
     
    I think that's sort of the way it always is. After all, an OEM is not looking to exhaustively test its products before release because there's no money coming in. So they roll the dice and hope for the best. (not to mention those pesky, unforeseen issues).

    As for legal responsibility, now there's a sticky wicket all its own. OEM doesn't want it otherwise, they get sued for every little thing wrong with their product, along with every use case, whether or not it was as intended. Customer doesn't want it because they are putting their faith and trust in an OEM to solve the problem and stand by their product if/when it fails.

    It goes back to the age old "that's what insurance is for". So we pay those people stupid money and have them accept the risk. It's an old, old song, as you're aware.

    /r