US Cyber Agency Says SolarWinds Hackers Are 'Impacting' State, Local Governments (reuters.com)
The U.S. cybersecurity agency says that a sprawling cyber espionage campaign made public earlier this month is affecting state and local governments, although it released few additional details. From a report: The hacking campaign, which used U.S. tech company SolarWinds as a springboard to penetrate federal government networks, was "impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations," the Cybersecurity and Infrastructure Security Agency (CISA) said in a statement posted to its website. The CISA said last week that U.S. government agencies, critical infrastructure entities, and private groups were among those affected, but did not specifically mention state or local bodies. So far only a handful of federal government agencies have officially confirmed having been affected, including the U.S. Treasury Department, the Commerce Department, and the Department of Energy.
Re: (Score:1)
Solar Winds Inc
Software company in Tulsa, Oklahoma
Address: 4111 S Darlington Pl # 500, Tulsa, OK 74135
FFS WindBourne, do you even know what offshoring means?
Re: (Score:2)
Managed to hit the "don't tell them my name" button too.
Re: (Score:2)
If the idiots at Cyber had a brain amongst themselves, they would notice that about 3/4 of all the cracks happen from Russia, and that nearly all of them involve companies that outsourced to India.
The problem is that political correctness is winning out over national security.
Re: (Score:2)
> This is not being caused by Russia, or even solar winds. ...
It is caused by Russia using buggy software; however, some decisions allowed this wide hack to happen, and so far there's no evidence any offshore companies were involved in administering hacked servers.
Largely due to thinking of "levels" of access (Score:5, Informative)
Most of the damage here is caused by 1980s thinking in terms of "levels" of access, "admin access", rather than roles. That is, people giving Solarwinds "a high level" of access rather than giving it the access it needs in order to do its job.
Solarwinds is primarily used for monitoring, for reading logs and stats. To do that, it needs access to read the stats. AD comes with a built-in group exactly for this purpose - the Performance Monitoring group.
What most organizations did instead is give it Domain Admin (or equivalently, Administrator on the Domain Servers), which gives it WRITE access to absolutely everything in the domain. Because it has write access to all of the logs (though it needed only read access), now you can't trust your logs to tell you what it did and if a particular machine or account is infected.
Solarwinds did some stupid that allowed their software to be trojaned. That was bad; yet stupid happens. We have to be prepared for one person in some other company to make one mistake. What we don't have to do is design our systems such that one mistake by someone in a different company completely hands our entire network over to the attackers.
To prevent this level of catastrophic hacks in the future, we need to move into at least 1990s thinking about how we do access -
To do my job, I need to read a particular group of files, I need to write to particular database tables. You need whatever access to whatever group of resources. My access isn't "higher" or "lower" than yours - we need *different* access to different things, to do different jobs.
For companies that approached it that way, the Solarwinds attack means that the bad guys could read some stats; patch or turn off Solarwinds and you're done. For organizations that gave Solarwinds admin access, the bad guys could completely take over all of the computers. The only way to clean up in a way that you can trust they are actually gone is to burn everything to the ground and start over from scratch.
Re: Largely due to thinking of "levels" of access (Score:4, Insightful)
Solar Winds also has a patching module that many companies use, and patching all your applications requires admin.
Thinking of it as only a simple monitor tool is not accurate. It has been more than that for over a decade.
Re: (Score:2)
Yes, it also has a module that can install software. *Some* companies use it for that. A lot of companies with IT operations sophisticated enough to be using Solarwinds are also sophisticated enough to be using a real software deployment system, software designed for that purpose (rather than a side hack added to the monitoring solution).
> patching all your applications requires admin.
That's exactly the 1970s thinking that is the problem.
Installing updates requires write permission on the application.
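The "levels versus roles" argument in the Score:5 comment above, and the patching reply that write permission on the application (not admin) is what an updater needs, can both be made concrete with a small model. The following is an added example, not code from the thread or from SolarWinds: it builds a constructed, toy access model (the built-in "Performance Monitor Users" and "Event Log Readers" groups are real AD groups, "Software Deployers" and the resource names are assumptions) and asks what an attacker can modify if the monitoring account is compromised under each model, and whether the event logs can still be trusted afterwards.

```python
"""Added example: blast radius of a compromised monitoring account under
"level"-style versus role-style access grants.

All group-to-resource mappings below are a constructed toy model, not real
AD ACLs. "Performance Monitor Users" and "Event Log Readers" are real
built-in AD groups; "Software Deployers" is an assumed custom group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    resource: str        # e.g. "perf-counters", "event-logs"
    rights: frozenset    # subset of {"read", "write"}


RW = frozenset({"read", "write"})
R = frozenset({"read"})
W = frozenset({"write"})

# 1980s "levels" thinking: one big group that can write everything.
LEVEL_MODEL = {
    "Domain Admins": {
        Grant("perf-counters", RW),
        Grant("event-logs", RW),
        Grant("domain-objects", RW),
        Grant("workstation-files", RW),
    },
}

# Role thinking: each group grants only what one job needs.
ROLE_MODEL = {
    "Performance Monitor Users": {Grant("perf-counters", R)},
    "Event Log Readers": {Grant("event-logs", R)},
    # assumed group for the patching module: write to application files only
    "Software Deployers": {Grant("workstation-files", W)},
}


def effective_rights(model, memberships):
    """Union of rights over all groups the principal belongs to."""
    rights = {}
    for group in memberships:
        for grant in model.get(group, ()):
            rights.setdefault(grant.resource, set()).update(grant.rights)
    return rights


def blast_radius(model, memberships):
    """Resources a compromised principal with these memberships can modify."""
    return sorted(res for res, rs in effective_rights(model, memberships).items()
                  if "write" in rs)


def logs_trustworthy(model, memberships):
    """If the compromised account could write the logs, the logs cannot be
    relied on to tell you what it did; that is the cleanup problem."""
    return "event-logs" not in blast_radius(model, memberships)


if __name__ == "__main__":
    monitor_only = ["Performance Monitor Users", "Event Log Readers"]
    monitor_and_patch = monitor_only + ["Software Deployers"]
    for name, model, groups in [
        ("levels", LEVEL_MODEL, ["Domain Admins"]),
        ("roles (monitoring)", ROLE_MODEL, monitor_only),
        ("roles (monitoring + patching)", ROLE_MODEL, monitor_and_patch),
    ]:
        print(f"{name:32s} writable={blast_radius(model, groups)} "
              f"logs_trustworthy={logs_trustworthy(model, groups)}")
```

Note that the role model with the patching group still lets a compromised account modify application files on workstations (that is a real risk the comment about the patching module raises), but the logs remain untouched, so you can at least see what was changed; the level model gives the attacker the logs too.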
Re: (Score:2)
I have a project implementing Thycotic Privilege Manager [thycotic.com] starting in January, for just that purpose. There are other options, like Power Broker and Avecto.
Granular permissions are the way to go.
Re: (Score:2)
Thanks for mentioning that.
I'd love to hear your thoughts on it 30-60-90 days after you roll it out. Unless you've already used it elsewhere?
Solarwinds can install software on local workstations (Score:2)
Solarwinds can install software on local workstations and that needs local admin (in a domain, likely in a group that gives admin on all systems / workstations)
Re: (Score:2)
Writing exe files is just like writing any other file -
You need write permission on the directory. That's what you need, you do NOT, for any operation, need to be in a group with any particular name.
You can run a Windows system just fine without HAVING a group named Administrator.
The way Windows works is when you want to write a file, such as Chrome.exe, it performs essentially this:
SELECT (0)
FROM
Permissions
JOIN Groups
JOIN Users
WHERE Write=Denied AND Filename=Chrome.exe
Then if there are no results it compu
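The comment above sketches the check as a query for matching deny entries; the actual Windows DACL walk is ordered and right-by-right, which is what makes the point (no group named Administrator is required, only an ACE that grants the right) hold. The following is an added example, not code from the thread: a simplified simulation of that evaluation. Well-known SIDs (S-1-1-0 Everyone, S-1-5-32-545 Users) are real; the domain-group SIDs, the file's DACL and the three access flags are constructed. It omits inheritance, the owner's implicit rights and privilege overrides.

```python
"""Added example: simplified simulation of Windows DACL evaluation.

Assumptions (not the full Win32 algorithm): no ACE inheritance flags, no
implicit owner/SYSTEM rights, no privilege overrides such as SeBackupPrivilege,
and a constructed three-bit access mask.
"""
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALLOW, DENY = "allow", "deny"

EVERYONE = "S-1-1-0"            # real well-known SID
USERS = "S-1-5-32-545"          # real: BUILTIN\Users
# Constructed domain group SIDs (placeholders, not from any real domain):
DEPLOYERS = "S-1-5-21-0-0-0-1105"
CONTRACTORS = "S-1-5-21-0-0-0-1106"


def check_access(dacl, token_sids, requested):
    """dacl: ordered list of (ace_type, sid, mask); None means NULL DACL.
    token_sids: set of SIDs the caller holds (user SID plus group SIDs).
    Returns True when every requested right is granted by ACEs that apply
    to the token before any applicable deny ACE touches a still-needed right."""
    if dacl is None:               # NULL DACL: object is unprotected
        return True
    remaining = requested
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:  # ACE does not apply to this token
            continue
        if ace_type == DENY:
            if mask & remaining:   # deny on any right still needed wins
                return False
        elif ace_type == ALLOW:
            remaining &= ~mask     # this ACE satisfies some of the request
            if remaining == 0:
                return True
    return remaining == 0          # empty DACL or unmatched rights: denied


# Constructed DACL for a file (canonical order: explicit denies first).
CHROME_DACL = [
    (DENY, CONTRACTORS, WRITE | EXECUTE),
    (ALLOW, EVERYONE, READ | EXECUTE),
    (ALLOW, DEPLOYERS, WRITE),     # write comes from a role, not "Administrators"
]

# Same ACEs, non-canonical order: shows why ordering matters.
NON_CANONICAL_DACL = [CHROME_DACL[1], CHROME_DACL[0], CHROME_DACL[2]]

# Constructed tokens: user SID plus groups.
ORDINARY_USER = {"S-1-5-21-0-0-0-2001", EVERYONE, USERS}
DEPLOYER = {"S-1-5-21-0-0-0-2002", EVERYONE, USERS, DEPLOYERS}
CONTRACTOR = {"S-1-5-21-0-0-0-2003", EVERYONE, CONTRACTORS}


if __name__ == "__main__":
    cases = [
        ("ordinary user read+exec", ORDINARY_USER, READ | EXECUTE),
        ("ordinary user write", ORDINARY_USER, WRITE),
        ("deployer write", DEPLOYER, WRITE),
        ("contractor read", CONTRACTOR, READ),
        ("contractor read+exec", CONTRACTOR, READ | EXECUTE),
    ]
    for label, token, req in cases:
        print(f"{label:24s} canonical={check_access(CHROME_DACL, token, req)} "
              f"non-canonical={check_access(NON_CANONICAL_DACL, token, req)}")
```

The deployer token gets WRITE without belonging to any administrators group, which is the commenter's point; the non-canonical variant shows that an allow ACE placed ahead of a deny lets the contractor execute the file, which is why Windows keeps DACLs in canonical order.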
Re: (Score:1)
Companies outsource because of "political correctness"?
I thought they did it to make money.
Just like Windows (Score:3)
People putting their trust in widely adopted, poorly written, poorly maintained and poorly secured secret proprietary software is an open invitation to hacking, a recipe for disaster.
Good argument for a diverse open source software ecosystem.
Re: Just like Windows (Score:2)
So? They probably have a crappy Linux package too.
Re: (Score:2)
Actually, nothing to do with the OS. It's closed proprietary software (which runs on multiple OSs). The problem is that it's crappy software and poorly locked down. If it were open source, people could test it and find problems and fix it.
(The reference to Windows was to another piece of poorly written, closed software.)
Re: (Score:2)
Hm... anybody want to go in on developing a Watchmen branded meta-security software package?
Who watches the watchmen? We do.
Solarwinds Envy (Score:4, Insightful)
No Disclosure of Infection Vector (Score:2)
In all the hoopla surrounding this event what I have not seen is *any* discussion anywhere of the infection vector. That is, to be precise, the method by which the "contamination" of the Solarwinds software ended up being deployed to so many network locations. There has been quite a bit of hoopla surrounding how the Solarwinds software ON THE SOLARWINDS SERVERS was compromised, but absolutely NOTHING about how this compromised software got from the Solarwinds server onto the networks of people who use Sol
No one in their right minds .. (Score:2)