U.S. Treasury breached by hackers backed by foreign government

Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,260
Solarquest said:
www.microsoft.com

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers | Microsoft Security Blog

We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intel to understand the scope and impact, remediation guidance, and detections and protections we...
www.microsoft.com www.microsoft.com
Click to expand...

Additional malware discovered

In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor. The malware consists of a small persistence backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll, which is programmed to allow remote code execution through SolarWinds web application server when installed in the folder “inetpub\SolarWinds\bin\”. Unlike Solorigate, this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise.
Click to expand...
 
Last edited by a moderator:
  • Like
  • +Reputation
  • Wow
Reactions: Nevi, Venustus, Protomartyr and 7 others
fabiobr

fabiobr

Level 12
Verified
Top Poster
Well-known
Mar 28, 2019
569
Sunburst: connecting the dots in the DNS requests | Securelist

We spent the past days checking our own telemetry for signs of this attack, writing additional detections and making sure that our users are protected. At the moment, we identified approximately ~100 customers who downloaded the trojanized package containing the Sunburst backdoor. Further investigation is ongoing and we will continue to update with our findings.
Click to expand...
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, Venustus, Protomartyr and 6 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,260
It's all fake news :eek:
The President of The United States of America, Donald J. Trump's, first comments on Solarwinds:

"The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!). There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA."



Click to expand...

Thanks hawki at Wilders for his post (y)
www.wilderssecurity.com

U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government’

"Hackers’ Monthslong Head Start Hamstrings Probe of U.S. Breach -- ‘We may never know the full scope of what happened here’... ...Access was in some...
www.wilderssecurity.com www.wilderssecurity.com
 
  • Like
  • HaHa
  • +Reputation
Reactions: starsfighter, Nevi, Venustus and 8 others
fabiobr

fabiobr

Level 12
Verified
Top Poster
Well-known
Mar 28, 2019
569
  • HaHa
  • Like
Reactions: Nevi, Venustus, oldschool and 5 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Lenny_Fox said:
I looked at their website, what is so hideous about their service offering? It looks a pretty sophisticated network management solution.

Even while stock value dropped yesterday with nearly 20 percent, 7 out of 10 stock market analist still value Solarwinds a buy, 1 a hold and only two giving it a sell advice, while even the wall street journal reports that the hack was probably undetected for months (so the analists know of this breach). For fun let me ask you what is your take on this stock market madness? :)

I understand what you are posting. When I understand your post correctly, the correct thing to do would be to take the network and hardware offline and rebuild it with a clean sheet. Experts expect it to take months before the malicious code is removed/purged from the infrastructure.

What I don't understand is how they will remove the malicious code while keeping the network operational. In Dutch we have a saying "reconstruct while keeping the store open for business". Given the fluid characteristics of software flowing over networks, how are they going to remove the code while keeping the network in the air?

/L
Click to expand...
A buy? I wouldn't even look at the stock right now...these analysts probably didn't update their view or don't understand the consequences of what happened.
If I just think of the little we know, of the number of agencies and companies affected, of the fact that they should replace all HW and SW, of how long it will take to clean this mess, of what the USA could do whenever they think they found out who is behind this attack, of what happens if other nations got hit too (e.g, same way, different software), of what the attacker can do with all they got and what they have planted in the system they breached ...there is no way I can be so "positive"....just my personal opinion...
 
  • Like
Reactions: Nevi, Venustus, Protomartyr and 3 others
F

ForgottenSeer 89360

Solarquest said:
A buy? I wouldn't even look at the stock right now...these analysts probably didn't update their view or don't understand the consequences of what happened.
If I just think of the little we know, of the number of agencies and companies affected, of the fact that they should replace all HW and SW, of how long it will take to clean this mess, of what the USA could do whenever they think they found out who is behind this attack, of what happens if other nations got hit too (e.g, same way, different software), of what the attacker can do with all they got and what they have planted in the system they breached ...there is no way I can be so "positive"....just my personal opinion...
Click to expand...
An even bigger issue is that attackers had a wide backdoor in various networks for months, so it would be EXTREMELY challenging to verify the integrity and safety of existing platforms, data, services, and connections. It is not known what have they implanted and where. It is not known what hardware and software change is necessary and would anything be sufficient at this point. It is not known what more will be discovered and how much dormant/latent malware there is currently.
It is not known who else may have suffered and how. Right now there is nothing to be positive about.
 
  • Like
  • +Reputation
  • Applause
Reactions: Nevi, Venustus, starsfighter and 8 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Gandalf_The_Grey said:
It's all fake news :eek:

Thanks hawki at Wilders for his post (y)
www.wilderssecurity.com

U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government’

"Hackers’ Monthslong Head Start Hamstrings Probe of U.S. Breach -- ‘We may never know the full scope of what happened here’... ...Access was in some...
www.wilderssecurity.com www.wilderssecurity.com
Click to expand...
The guy who can't even put a secure password talking about cybersecurity 🙄
His Twitter password in 2016 was : "yourefired" and "MAGA2020" in 2020. 😄
But he could be right about the Russia stereotype. When something bad happens the finger is always pointed at Russia and China even when not enough proof is available.
 
  • Like
  • HaHa
Reactions: starsfighter, Nevi, Venustus and 5 others
cruelsister

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
A few things regarding this hack:

1). McMcbrad's post above is superb.
2). Initially FireEye was criticized for "allowing" the hack when they were actually the first to catch it (where were Palo Alto and crowdstrike?). Also the lifted RedTeam tools that the Press was whining about as being a Horrible Security Risk for Humans and Aliens alike were actually Open Source thingies (eg KeeFarce) so not exactly State Secrets.
3). The biggest issue here (and has been my ever present fear) is that some are able to acquire Digital Signatures mainly through bribery, blackmail- or through wearing a really short skirt and low cut top (trust me) in order to create backdoors. Sadly there is nothing a Security Company can provide to defend against this.
4). I absolurely hate malware that will sit for weeks before activating. My attention span is much too short.

m
 
  • Like
  • +Reputation
Reactions: starsfighter, Nevi, Venustus and 10 others
paulderdash

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
McMcbrad said:
An even bigger issue is that attackers had a wide backdoor in various networks for months, so it would be EXTREMELY challenging to verify the integrity and safety of existing platforms, data, services, and connections. It is not known what have they implanted and where. It is not known what hardware and software change is necessary and would anything be sufficient at this point. It is not known what more will be discovered and how much dormant/latent malware there is currently.
It is not known who else may have suffered and how. Right now there is nothing to be positive about.
Click to expand...
As @cruelsister says above, this is pretty much it.
 
  • Like
Reactions: Vitali Ortzi, Nevi, Venustus and 3 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
It's a nightmare and what we know so far is probably just the tip of an iceberg....more nations were affected and evidence of multiple hacks were found.
Yesterday I read the password for the update server was apparently "solarwinds123"......the one we use for our samples in the HUB is safer...
blogs.microsoft.com

A moment of reckoning: the need for a strong and global cybersecurity response - Microsoft On the Issues

The recent spate of cyberattacks require the government and the tech sector in the United States to look with clear eyes at the growing threats we face. At Microsoft, we are committed to being at the forefront of these efforts.
blogs.microsoft.com blogs.microsoft.com
www.newsweek.com

SolarWinds Hack May Be Tip of Iceberg, Evidence of Multiple Hacks Found

"CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated," the Cybersecurity and Infrastructure Security Agency said.
www.newsweek.com www.newsweek.com
 
Last edited:
  • Like
Reactions: Nevi, Venustus, upnorth and 6 others
F

ForgottenSeer 58943

McMcbrad said:
An even bigger issue is that attackers had a wide backdoor in various networks for months, so it would be EXTREMELY challenging to verify the integrity and safety of existing platforms, data, services, and connections. It is not known what have they implanted and where. It is not known what hardware and software change is necessary and would anything be sufficient at this point. It is not known what more will be discovered and how much dormant/latent malware there is currently.
It is not known who else may have suffered and how. Right now there is nothing to be positive about.
Click to expand...
Basically what I said on page one.. Also I said "A few good things might come of this, honestly... For one, other major exploits and channel compromises will be discovered as a result of audits this causes.".. Which accurately foretold the following before it was disclosed;

In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor. The malware consists of a small persistence backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll, which is programmed to allow remote code execution through SolarWinds web application server when installed in the folder “inetpub\SolarWinds\bin\”. Unlike Solorigate, this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise.
Click to expand...

The stark reality will set in that it wasn't just that additional exploit but a whole lot of things are compromising all of their systems, even the most sensitive ones, and that essentially, it's all compromised, and most of the technology is a trojan horse. None of this should come as a surprise to anyone. Also, Russia? Nah, as I told everyone on page one, my sources tell me that's a smokescreen, but Trump wasn't supposed to be opening his mouth about that.
 
  • Like
Reactions: Azure, Handsome Recluse, Protomartyr and 2 others
F

ForgottenSeer 58943

oldschool said:
... without new malicious code being injected somewhere else?

... like whack a mole!
Click to expand...
As I mentioned on page one, they will never fully fix all of it unless they construct entirely new networks but they probably can't do this as their networks and environments are too expansive - can you imagine rebuilding a replacement AD, which would require audit of every account, for a government branch that has 452,000 people?

We've seen serious breaches, and had to basically rebuild the entire network/AD/MDF+IDF's from scratch and haul them out to the site, pull off the old stuff, and drop in the new. But doing that for a company with 80 computers, 4 servers, and 5 switches is one thing... All of this is just dumb and not unexpected at all.

IRS's core systems should be safe at least, they use COBOL.... :)

PS: Still very glad I am out of all of this, relatively isolated, and enjoying working remote for a non-cybersecurity firm while being a complete ghost to the world as a whole. Very very glad I must say!
 
  • Like
  • +Reputation
Reactions: Handsome Recluse, Protomartyr, oldschool and 2 others
danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
This was either 1) an inside job or 2) the initial breach involved other malware, which to me is the source of the problem and deserves the most attention. The media and cybersecurity companies seem to be ignoring this and are solely focused on the SolarWinds malware. Hopefully someone will come to their senses and realize that this might be a much larger breach than they initially thought, as you guys are discussing, and stop being fixated on the SolarWinds malware. Otherwise they will finish remediating the SolarWinds malware and assume the breach was fully contained, and all the while the attackers will have gained a more permanent persistence.

I wonder if the SolarWinds malware was a red herring. The code in the dll was not obfuscated at all… it was designed and written to hide in plain sight.

Anyway, I just thought it was funny that the media and the cybersecurity companies remediating this mess are focused on the wrong thing, but the MT members are focused on the right thing... the source of the problem.

I am with you guys… this is probably just the tip of the iceberg. Here is a really interesting video that describes the SolarWinds malware in detail.

 
  • Like
  • +Reputation
Reactions: cruelsister, Protomartyr, paulderdash and 7 others
You must log in or register to reply here.

Similar threads

enaph
    • Like
    • Wow
Security News FBI: Chinese State Hackers Breached U.S. Telecom Providers
Replies
3
Views
954
Security News
bazang
bazang
nicolaasjan
    • Like
    • Applause
Security News US Sanctions Affiliates of Russia-Based LockBit Ransomware Group
Replies
0
Views
1,606
Security News
nicolaasjan
nicolaasjan
vtqhtr413
    • Wow
    • +Reputation
    • Like
Security News Chinese 'Earth Krahang' hackers breach 70 orgs in 23 countries
Replies
0
Views
1,065
Security News
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top