Share this page!

Kim Zetter Profile picture
Twitter logo
14 Dec, 21 tweets, 5 min read
I have report from Microsoft about SolarWinds hack, including IoCs. Excerpts in this thread: "Microsoft security researchers recently discovered a sophisticated attack where an adversary inserted malicious code into a supply chain development process.... 1/
"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.... 2/
"This attack was discovered as part of an ongoing investigation" 3/
"we do not know how the backdoor code made it into the library..research indicates...the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor..into a legitimate SolarWinds library" - SolarWinds.Orion.Core.BusinessLayer.dll 4/
"While updating the SolarWinds application, the embedded backdoor code loads before the legitimate code runs. Organizations are misled into believing that no malicious activity has occurred and that the program or application dependent on the libraries is behaving as expected."
"The malicious DLL calls out to a remote network infrastructure using the domains avsvmcloud.com. to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data"
Oh, and it looks like Microsoft released a patch for the SolarWinds hack yesterday, which it is calling "Solorigate."

"Microsoft detects the main implant and its other components as Solorigate." microsoft.com/en-us/wdsi/thr…
I didn't get all of the DLL hashes into my previous excerpt so here are the rest of them. I'm sorry these are just images, making it impossible to copy/paste. But you can get the report from Microsoft for this info and more.
Apologies for calling the Windows Defender update a patch. To clarify, Microsoft did not release a patch for the SolarWinds vuln, they released an update to their definitions to detect the malicious SolarWinds DLL.
Here is FireEye's report on the SolarWind hack, published today. They're calling the threat SUNBURST: fireeye.com/blog/threat-re…
SolarWinds: "We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible..The latest version is available in the...Customer Portal..An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tues Dec 15" solarwinds.com/securityadviso…
This is from FireEye: "After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs', that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services...
"The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity...
"The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers....Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website"
"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."
.@CISAgov has issued an emergency directive on actions that gov agencies need to take immediately to mitigate against the SolarWinds threat: cyber.dhs.gov/ed/21-01/
More from the @CISAgov emergency directive for gov agencies re SolarWinds threat

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Kim Zetter

Kim Zetter Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @KimZetter

Kim Zetter Profile picture
14 Dec
Someone asked me to provide a simple description of what this SolarWinds hack is all about. So for anyone who is confused by the technical details, here's a thread with a simplified explanation of what happened and what it means.
The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
Read 7 tweets
Kim Zetter Profile picture
14 Dec
@tcward_ The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
@tcward_ That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
@tcward_ The hackers did this back in March and their activity was only recently discovered - this means they have been inside gov systems all these months stealing data and spying on gov workers without anyone knowing until now. They also infected telecoms and other company networks.
Read 4 tweets
Kim Zetter Profile picture
11 Nov
NOTe: This is a risk-limiting audit. It’s NOT a recount being done to appease Trump. It was always planned that Georgia would do a risk-limiting audit of one statewide race this election. It makes sense that the chosen race is the presidential one.
Journalists, if you’re going to write about this, please understand the difference between a recount and an audit. A risk-limiting audit does not recount all the ballots. Officials manually examine only a PERCENTAGE of randomly chosen paper ballots in such an audit.
In this particular case, GA will manually audit ALL of the ballots in the presidential race because of the type of risk-limiting audit they’ve chosen to do and because they chose the presidential race to audit. In risk-limiting audits, the percentage of ballots examined...
Read 19 tweets
Kim Zetter Profile picture
10 Nov
Fact-checking undervotes - where a race shows no vote. Undervotes are normal. Normal percentage of undervotes is 1-2 % of total ballots cast. When # is unusually high, can indicate poor ballot design (causing voters to miss race), machine problem or voter failed to mark correctly
It's not unusual for optical scan machines to miss votes if voter didn't follow directions and fill in oval correctly (or connect arrow completely, depending on ballot style). This can be caught by simply visually examining ballot during adjudication.
Of course this only works if there are hand-marked paper ballots to examine. If there is high % of undervotes where paperless machines were used, there is no way to know for certain if voter intended to leave race blank, if they missed race on ballot or if machine dropped vote.
Read 5 tweets
Kim Zetter Profile picture
4 Oct
A thread on voting in-person vs. voting by mail. The best way to vote is always going to be voting in person. So if you feel it's safe and you're able to do so, vote in-person if possible. Why? Ballots cast by mail have a greater chance of being rejected. 1/6
You have to follow more directions to vote by mail than in person; any mistake can disqualify yr ballot. 1) You have to sign ballot envelope (and have witness also sign in some states). 2) In some states, like PA, you have to insert your ballot into 2 envelopes not just one. 2/6
3) Election staff have to match the signature on yr absentee envelope w/ sig they have on file for you. If they don't match, states vary in what happens next. Some contact you to give you chance to resolve discrepancy, or "cure" it, as it's called. 3/6
Read 9 tweets
Kim Zetter Profile picture
2 Oct
The Cleveland Clinic - which hosted Tuesday's debate and which failed to enforce the use of masks at the event - say they have traced 11 cases to the event
Statement from Cleveland Clinic about policy: "we had requirements to maintain a safe environment that align with CDC guidelines- including social distancing, hand sanitizing, temperature checks and masking... wkyc.com/article/news/h…
"Most importantly, everyone permitted inside the debate hall tested negative for COVID-19 prior to entry. Individuals traveling with both candidates, including the candidates themselves, had been tested and tested negative by their respective campaigns."
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @KimZetter has new unrolls!

Check out other threads from @KimZetter!

Read all threads by @KimZetter