Security expert warned SolarWinds in 2019 that anyone could access server (businessinsider.com.au)
205 points by 1cvmask on Dec 20, 2020 | hide | past | favorite | 52 comments


This password to their FTP server would have allowed you to upload arbitrary executables, but they still wouldn't be signed like a valid SolarWinds update would be, so it seems unlikely to be related to the recent hack. The real attack compromised SolarWinds' build server, as they self-reported in their SEC filing [1].

[1]: https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/6dd04fe...


Really, really, really looking for the eventual analysis of how the attackers were able to compromise SolarWinds' build server. And to that point, while SolarWinds' bending over backward to characterize it as "an incredibly complex and sophisticated attack" is predictable, it's also ludicrous without saying how the initial intrusion occurred. That is, everything I've read has explained how the actual payload that was delivered to the victims' networks was sophisticated and complex, but it's possible the original build server vulnerability was braindead simple. We just don't know until that is revealed.


Pure conjecture. But let's say SolarWinds is using a known popular build server, and this build server was only ever going to be accessed by internal resources and employees.

Then let's say this build server had an unusually high usage of build plugins. And the upgrading of that product was difficult and sometimes troublesome because of these custom plugins and their interdependencies. And so at some point they missed an upgrade or two by accident, or because upgrading is hard.

Now they are running a build server with several known vulnerabilities. But because that build server isn't public, it's really no big deal that it's a bit out of date. Until it is.


Ah, it was the butler - in the server room - with the ethernet cable.

(Come to think of it, security Cluedo would be quite fun ...)


Let me guess, was there a certain butler involved?


And said build server application has 150 CVEs, and if people get lazy will provide shells to unauthenticated web users:

https://www.cvedetails.com/vulnerability-list/vendor_id-1586...


That sounds very interesting and frightening at the same time.

Could it be that there are more companies out there in a kind of similar situation? It would be quite bad of course if such information were to become widely known, I could imagine.


Now that it's come out that SolarWinds's default password on their deployed systems was 'solarwinds123', it's quite possible that the break-in to their build server wasn't all that hard.


It also doesn't really matter, if I understood correctly, as far as establishing incompetent defense for simple attacks. You could FTP in and upload a binary? But it wouldn't be signed! What about an old binary? Already we are into attacks on the anti-rollback on individual clients and we didn't need anything a beginner wouldn't try.

(I would go so far as to say that if there was insufficient anti-rollback and they still burned 0-days to get into that build server then they were expending resources trying to either look sophisticated or had some other odd motivation.)
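As an added illustration of the rollback point raised above (example code written for this page, not code from SolarWinds or from the commenter), the two update clients below differ only in whether they enforce a version floor: a validly signed but older build passes the signature-only check, while the hardened check rejects it. The product name, version strings and the HMAC-SHA256 key standing in for a real code-signing key are all constructed for the demo.

```python
"""Signature alone vs. signature plus anti-rollback in an update client."""
import hashlib
import hmac
import json

# Constructed demo key; HMAC stands in for a real public-key code signature.
DEMO_SIGNING_KEY = b"demo-vendor-signing-key-not-real"


def _canonical(manifest: dict) -> bytes:
    """Deterministic bytes so the signature covers exactly what is checked."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict) -> dict:
    """Vendor side: attach a signature over the canonical manifest bytes."""
    sig = hmac.new(DEMO_SIGNING_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig}


def signature_valid(package: dict) -> bool:
    expected = hmac.new(DEMO_SIGNING_KEY, _canonical(package["manifest"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package["sig"])


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def accept_signature_only(package: dict, installed_version: str) -> bool:
    """Weak client: any validly signed package is installed, even an old one."""
    return signature_valid(package)


def accept_with_anti_rollback(package: dict, installed_version: str,
                              revoked: frozenset = frozenset()) -> bool:
    """Hardened client: signature, a version floor, and a vendor revocation list."""
    if not signature_valid(package):
        return False
    version = package["manifest"]["version"]
    if parse_version(version) < parse_version(installed_version):
        return False  # rollback attempt: older than the installed build
    if version in revoked:
        return False  # newer but withdrawn by the vendor (known-bad build)
    return True


# Constructed sample packages: an old signed build, a current signed build,
# and an unsigned file someone dropped on the download host.
OLD_SIGNED = sign_manifest({"product": "demo-agent", "version": "2019.4.1"})
NEW_SIGNED = sign_manifest({"product": "demo-agent", "version": "2020.2.1"})
UNSIGNED_UPLOAD = {"manifest": {"product": "demo-agent", "version": "2020.2.1"}, "sig": "00" * 32}

if __name__ == "__main__":
    for name, pkg in [("old", OLD_SIGNED), ("new", NEW_SIGNED), ("unsigned", UNSIGNED_UPLOAD)]:
        print(name, accept_signature_only(pkg, "2020.2.0"), accept_with_anti_rollback(pkg, "2020.2.0"))
```

Running it shows the old signed build accepted by the first client and refused by the second; only the unsigned upload is refused by both.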


Whenever I hear statements like "incredibly complex and sophisticated attack" I'm reminded of the 2011 Comodo (now Sectigo) hack where the company said it had "clinical accuracy" and "likely to be a [Iranian] state-driven attack".

Days later, the perpetrator released a "manifesto" (and several other documents) all but confirming that it was the work of a lucky amateur.

Moxie (of Signal fame) has a hilarious account of the story in his 2011 Blackhat talk "SSL and the future of authenticity" (starts at around 5:00):

https://www.youtube.com/watch?v=UawS3_iuHoA


Unless one of the arbitrary executables was arbitrarily executed in the intranet, opening further doors.


> but they still wouldn't be signed like a valid SolarWinds update would be

Would it be detected though?


This seems to be the Vinoth Kumar from the article:

https://twitter.com/vinodsparrow/status/1338431183588188160


Yes it is Vinoth Kumar as mentioned in the article and the password was: solarwinds123


derp


Hope he's got his head on a swivel.


Here is a simple way to monitor your machines for intrusions or malpractice by insiders: Put an amount of bitcoin on each machine , equal to licensing fees you would pay for backdoored security tools like solar winds. Monitor the bitcoin address for when it gets stolen. If it gets stolen, you have been owned.


A nation state actor will steal all your data and leave the bitcoin untouched.


The nation state isn’t going to know which bitcoins their agent stole... the agent can take both data and bitcoin. No one will talk about the bitcoin to the outside world.


Do you think offensive black hats employed by governments aren't closely monitored by their employers?

It doesn't matter whether the attacker works for China, Russia, the US, whoever – they are likely sitting in a very secure building owned by a military branch or intelligence agency, absolutely everything they do is closely monitored by their superiors (spy agencies love to spy on their own spies), they aren't allowed to take personal electronic devices into the building and they are physically searched on entry and exit.

Do you think, working in that kind of environment, they'll find it easy to steal their target's bitcoin?

Do you think their superiors will look kindly on agents compromising operations for personal financial gain?



Two facts about that case which don't help your argument: (1) the US Secret Service is not an intelligence agency, it is a law enforcement agency – US intelligence agencies are the members of the https://en.wikipedia.org/wiki/United_States_Intelligence_Com... – and the US Secret Service doesn't engage in offensive hacking against foreign targets (that's primarily a CIA and NSA responsibility); (2) he got caught.


Didn't we hear stories about people in three letter agencies spying on their neighbours, girlfriends etc? If they let that pass then who's to say they wouldn't just look the other way on the BTC.


Three Letter Agencies don't approve of that kind of behaviour and will discipline employees caught doing it. The fact we've heard about it is because those doing it got caught. Indeed, talking about the US in particular, many of those stories originate in an unclassified letter the NSA Inspector-General sent to Senator Chuck Grassley back in 2013, which the Senator released to the public – the fact that the Inspector-General knew about the cases means those people got caught somehow.

Some complain that the Three Letter Agencies are too soft on the perpetrators – a reprimand, a demotion/paycut, a forced resignation, or termination instead of criminal prosecution – but going soft isn't the same thing as approval. (Also, the agencies themselves don't have authority to prosecute, the most they can do is send a referral to the prosecutor but it is up to the prosecutor to decide whether to proceed.) Given how much emphasis those agencies put on staff reliability, getting caught doing stuff like that is a pretty serious career-limiting move.

I reckon those agencies – and the prosecutors too – care a lot more about employees stealing bitcoin from targets than they do about employees spying on their neighbours or love interests. Bureaucrats always care about money; and thefts are more straightforward cases to prosecute than LOVEINT.


Sure, maybe owned, or maybe your sysadmin got an end of the year bonus.


All internet companies should require security insurance, and insurance companies should be a required vector for submitting security vulnerabilities.


Every time I’ve looked into “cyber incident” insurance it just didn’t make any sense financially. They’ll cover things like required customer credit monitoring and the cost to mail notification letters but neither of those costs are worthy of insuring against. In the grand scheme of things they’re negligible.

At the same time it’s almost impossible to put a dollar value on the real cost of a cyber security incident: bad PR, lost and unhappy customers, increased regulatory oversight, a board that’s (understandably) skeptical of your ability to prevent future incidents. And no matter how big of a check you could get an insurance company to write the data still walked out the door. All the money in the world can’t unring that bell.


How would you even begin to model the risk here though? There's no straightforward financial loss to SolarWinds here except their reputation likely being forever ruined. Do you insure the value of the entire company?

When your client is the USG and foreign hackers exfiltrate secrets through your platform, I don't think the DoD cares that you had insurance.


Terrible idea unless you love corruption, self dealing, toll booths that add no value, and hate innovation and entrepreneurship.


This is an idea that should be explored more fully. The downside is that it will make information technology a much less freewheeling and innovative field.


It's a massive innovation killer downside. How about we restrict this to "all internet companies selling security software to governments", at the very widest?

Also: It doesn't fix the problem.


Construction companies seem to do fine even though building codes exist.

It's not uncommon for a mature industry to face a reckoning around damaging practices that were common when they were nascent industries.

Would you like to live below a dam that was built under a loose and permissive regulatory regime? How about storing sensitive personal data in a datacenter whose owner specifically disclaims liability for its exposure?


>Construction companies seem to do fine even though building codes exist.

They're not the ones paying for it. The people wanting the building built are. And there's a lot of corruption in that. On top of that, there's a pretty clear housing crisis in big cities.

I'm unsure whether that's the industry to follow.


This is the kind of idea that killed the American medical system.

It's a bad idea to create insurance monopolies.

Unless you are a corrupt regulator, corrupt insurance company exec, or corrupt officer in the industry being targeted.

Then, you can fine tune it to maximize your take and punish the downstream customers.

Like how the American medical system works.


He didn't say "insurance monopolies."

Presumably it could work the way auto insurance works, where you'd be required to carry insurance but you'd have your pick of who supplies it. (Unless I misunderstood and you're opposed to requiring insurance for anything.)


The issue here is that insurance doesn't actually solve the problem. Auto insurance doesn't get people to drive better, because a car accident can kill you, which means that all the people driving like idiots are doing it because they already don't think they're going to get into a collision. And you'll notice that they all still drive like idiots even with insurance, possibly more so because of the moral hazard.

All auto insurance really does is make it so that when some idiot with no money hits you with their car, there will be somebody to pay for the damages.

The problem with doing this for computer security is that if you don't put the liability on the company then there is nothing for the insurance to cover, but if you did then it would bankrupt the insurance company.

Imagine one of the vendor's clients is a pharmaceutical company and the attackers get access to their pre-publication research files. That could be ten billion dollars in damages. For one client. Imagine five of the clients are pharmaceutical companies. The other clients could be financial institutions, cloud providers (who would in turn have their own affected clients), movie studios (and now all of the next year's movies are on The Pirate Bay prior to release), etc. All at the same time, for a single security incident.

And how do you put a price on the sort of national security threat it poses when foreign governments gain access to US government systems? Who do you even compensate for that?

This isn't the sort of problem insurance can fix.

Maybe what we need is something like publicly-funded security audits of popular software.


It's safe to have a fire on a windy day in the forest, as long as you're careful and don't let it burn too hot...


These stories always follow the exact same pattern. It's weird.

This is why I got burnt out of infosec.


Would something like 2FA have been helpful for those with write access to the build servers?


[flagged]


[flagged]


That's not really a straw man argument though, right?

https://en.wikipedia.org/wiki/Straw_man

Edit: I too read the Microsoft analysis/decompilation. It looks like it was developed by a competent team that either was comfortable with using English correctly for the various symbols, or went out of their way to do so.


It is a straw man, because it is conflating the idea that SolarWinds had some simple security hole in the past with the evidence of this particular hack, which shows quite a level of competent capability, at least as described by the FireEye report.

Edit: Furthermore, the argument isn't just "the attack is so sophisticated it could only have been done by the Russians." The report from Reuters identified people internal to the investigation who said it "bore the hallmarks" of known Russian hacking groups. One could argue that isn't sufficient evidence, fine, but nobody is saying people are just assuming it's the Russians because it's a sophisticated attack.


I'm actually really curious now if the GitHub repo where the password was found was the initial cause of the breach.

The article doesn't make this clear, but the original Twitter post[1] does: it was a password that allowed FTP uploads to downloads.solarwinds.com (the same DNS name as where the backdoored updates came from[2]). Vinoth Kumar (mentioned in the article) uploaded a PoC text file which could then be downloaded over HTTP.

His screenshot has the repo name redacted, but if SolarWinds accidentally included their code-publishing credentials, maybe the signing key for their code was also in that repo at some point? I've seen that kind of thing before, even if I had to grep through old commits to find it.

[1] https://twitter.com/vinodsparrow/status/1338431183588188160

[2] https://twitter.com/Andrew___Morris/status/13386142089053020...


I did a bit more research, and found that it wasn't an official SolarWinds GitHub repo. It seems to have been an employee's personal repo containing company code that they accidentally made public.[1]

The original URL of the file with credentials in it was https://github.com/xkozus00/mib-importer/blob/master/Src/Lib... .[2] That is, the credentials were part of a utility/library that was only being referenced by the project, but it was still included in the repo.

SolarWinds historically hasn't provided a tool to import arbitrary MIB files into their product. Customers seem to submit them to SolarWinds support, and if support agrees, they seem to use internal tooling (presumably the mib-importer) to import them into the official MIB database.[3]

Building some sort of official release data could easily require the use of a signing key, and a company that uses "solarwinds123" as their code-publishing password seems likely to use the same key for multiple purposes, but I didn't find any conclusive evidence, and it's certainly possible the two incidents aren't related.

[1] https://savebreach.com/solarwinds-exposed-ftp-credentials-ba...

[2] The Wayback machine has a few entries archived, but none of the interesting/conclusive information, see: https://web.archive.org/web/*/https://github.com/xkozus00/mi...*

[3] https://documentation.solarwinds.com/en/success_center/NPM/c...


> The report from Reuters identified people internal to the investigation who said it "bore the hallmarks" of known Russian hacking groups.

I too believe that report. That's not what we're discussing though - the supposed straw man was "experts on TV are saying this hack was so sophisticated it could have only been done by the Russians".

What I'm saying is that many countries and companies have the capability to perform something like this. Not that Russia didn't do it.


But I'm saying it is a strawman because "experts on TV are saying this hack was so sophisticated it could have only been done by the Russians" is not actually true. If it is, I would like to see some specific quotes from these supposed experts.


Pedantic: I don't think it's really a strawman. It's conclusory instead.


Pedantic: It is a strawman. A strawman is when you take your opponent's argument and instead recast it as a much weaker version so it's easy to tear down.

In this case the actual argument I've heard made is "Experts on TV (in addition to, I might add, Bill Barr, the current US Attorney General) are saying that the hack was from the Russians because investigation insiders said it had hallmarks of known Russian hacking groups" which is being recast as the much weaker argument, which I've never heard any serious expert actually make, of "Experts on TV are saying that the hack was from the Russians just because it's such a complicated hack".


I don't recall the source of this paraphrased quote:

"You ascribe the hack to a nation-state. So, you believe that the hack was so cunning, so devious, and so elegantly written and deployed that the perpetrators must be civil servants?"


This was widely known. All organizations who didn't ditch SolarWinds by then deserved what happened. Will you risk your enterprise business for someone who doesn't take good care of his own passwords? Would you trust morons who disclose their own keys with your IT infrastructure? It will happen again because nobody really cares. But it's our data they're gambling.


Was it widely known? That seems weird. Got a link?



I doubt there is a news article. He means word of mouth among people who work with network monitoring products.



