I have report from Microsoft about SolarWinds hack, including IoCs. Excerpts in this thread: "Microsoft security researchers recently discovered a sophisticated attack where an adversary inserted malicious code into a supply chain development process.... 1/
"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.... 2/
"This attack was discovered as part of an ongoing investigation" 3/
"we do not know how the backdoor code made it into the library..research indicates...the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor..into a legitimate SolarWinds library" - SolarWinds.Orion.Core.BusinessLayer.dll 4/
"While updating the SolarWinds application, the embedded backdoor code loads before the legitimate code runs. Organizations are misled into believing that no malicious activity has occurred and that the program or application dependent on the libraries is behaving as expected."
"The malicious DLL calls out to a remote network infrastructure using the domains avsvmcloud.com. to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data"
Oh, and it looks like Microsoft released a patch for the SolarWinds hack yesterday, which it is calling "Solorigate."
I didn't get all of the DLL hashes into my previous excerpt so here are the rest of them. I'm sorry these are just images, making it impossible to copy/paste. But you can get the report from Microsoft for this info and more.
Apologies for calling the Windows Defender update a patch. To clarify, Microsoft did not release a patch for the SolarWinds vuln, they released an update to their definitions to detect the malicious SolarWinds DLL.
Here is FireEye's report on the SolarWind hack, published today. They're calling the threat SUNBURST: fireeye.com/blog/threat-re…
SolarWinds: "We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible..The latest version is available in the...Customer Portal..An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tues Dec 15" solarwinds.com/securityadviso…
This is from FireEye: "After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs', that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services...
"The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity...
"The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers....Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website"
"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."
.@CISAgov has issued an emergency directive on actions that gov agencies need to take immediately to mitigate against the SolarWinds threat: cyber.dhs.gov/ed/21-01/
More from the @CISAgov emergency directive for gov agencies re SolarWinds threat
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Someone asked me to provide a simple description of what this SolarWinds hack is all about. So for anyone who is confused by the technical details, here's a thread with a simplified explanation of what happened and what it means.
The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
@tcward_ The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
@tcward_ That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
@tcward_ The hackers did this back in March and their activity was only recently discovered - this means they have been inside gov systems all these months stealing data and spying on gov workers without anyone knowing until now. They also infected telecoms and other company networks.
NOTe: This is a risk-limiting audit. It’s NOT a recount being done to appease Trump. It was always planned that Georgia would do a risk-limiting audit of one statewide race this election. It makes sense that the chosen race is the presidential one.
Journalists, if you’re going to write about this, please understand the difference between a recount and an audit. A risk-limiting audit does not recount all the ballots. Officials manually examine only a PERCENTAGE of randomly chosen paper ballots in such an audit.
In this particular case, GA will manually audit ALL of the ballots in the presidential race because of the type of risk-limiting audit they’ve chosen to do and because they chose the presidential race to audit. In risk-limiting audits, the percentage of ballots examined...
Fact-checking undervotes - where a race shows no vote. Undervotes are normal. Normal percentage of undervotes is 1-2 % of total ballots cast. When # is unusually high, can indicate poor ballot design (causing voters to miss race), machine problem or voter failed to mark correctly
It's not unusual for optical scan machines to miss votes if voter didn't follow directions and fill in oval correctly (or connect arrow completely, depending on ballot style). This can be caught by simply visually examining ballot during adjudication.
Of course this only works if there are hand-marked paper ballots to examine. If there is high % of undervotes where paperless machines were used, there is no way to know for certain if voter intended to leave race blank, if they missed race on ballot or if machine dropped vote.
A thread on voting in-person vs. voting by mail. The best way to vote is always going to be voting in person. So if you feel it's safe and you're able to do so, vote in-person if possible. Why? Ballots cast by mail have a greater chance of being rejected. 1/6
You have to follow more directions to vote by mail than in person; any mistake can disqualify yr ballot. 1) You have to sign ballot envelope (and have witness also sign in some states). 2) In some states, like PA, you have to insert your ballot into 2 envelopes not just one. 2/6
3) Election staff have to match the signature on yr absentee envelope w/ sig they have on file for you. If they don't match, states vary in what happens next. Some contact you to give you chance to resolve discrepancy, or "cure" it, as it's called. 3/6
The Cleveland Clinic - which hosted Tuesday's debate and which failed to enforce the use of masks at the event - say they have traced 11 cases to the event
Statement from Cleveland Clinic about policy: "we had requirements to maintain a safe environment that align with CDC guidelines- including social distancing, hand sanitizing, temperature checks and masking... wkyc.com/article/news/h…
"Most importantly, everyone permitted inside the debate hall tested negative for COVID-19 prior to entry. Individuals traveling with both candidates, including the candidates themselves, had been tested and tested negative by their respective campaigns."