Solarwinds hack by Russia can’t be understated

While America has been reading news articles about tweets our adversaries have been busy.

Busy since March 2020.

Not my first rodeo, and given hackers are incredibly patient and typically play the “long game”, reported breaches in my experience are frequently off by two years or greater. So I’d guess 2018 ish for the initial entry point.

Regardless, SUNBURST, dug deep with APT into places that shouldn’t even be possible. Like the power grid.

https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/

“to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.“

and

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

In other words, we don’t know.

The Solarwinds hack is so bad… that in response … the United States will do nothing.

Why?

Because when you own department of homeland security, and the treasury, among 18,000 other organizations are compromised, You have been epically pwned.

it means your adversaries totally own you. They have surely added back doors and more back doors and more back doors into the systems as well as “sleepers” like some subcontractor’s laptop used once a year to service a particular piece of hardware.

Meanwhile we are using AI/ML bots to automate trading on the stock markets. They all have triggers, “if this / then that”, if bond yields hit x percent up or down, if company y changes their guidance up or down by y percent, sell all. Crash.

In other words, those of us in the devops and infosec world, hackers, know if an adversary has infiltrated even half this far, its game over. Yank and replace. “Game over dude.”

We have one option in the short term; capitulate. Concede. Because you can’t “rip and replace” everything simultaneously across an unknown number of compromised networks simultaneously when you can’t even identify them. And with APTs in place possibly down to the Silicon chip level, that are just lying in wait, even rip and replace will just get reinfected.

Stuxnet was the greatest malware/hack ever written. The US wrote it. We created Pandora’s box. We reimagined hell. Then left the lid open. The NSA got hacked and our own code has been “reflected” back on us. Since somewhere between 2012 and 2014 initially by my estimation.

All of the stuxnet code and more is now widely available to download for free on the dark web. You could do it today. Fire up VMWare fusion, kali linux, metasploit and an external wifi adapter and your are good to go. Or just use a raspi.

Officially I think notPETYA is still “the most expensive hack in history.” (get it? “think not”? but I digress….)

Unofficially? The Solarwinds hack is the Anvil dropped on the camel’s back that has broken it and brought it to its knees.

Solarwinds will shatter the geopolitical and monetary policy of the United States and the world.

Get your COVID vaccine. Get some popcorn. Watch your 401k and pension funds knowing that one or two edits and they go to zero. And try to wrap your brain around the fact that our military power is second only to financial power, and we are losing that. Any monetary power we have left is because they allow it.

Maybe buy some Bitcoin?

Take some anti anxiety meds. And pull out your Boy Scout handbook and practice setting up that old tent. (Just be careful where you put it in case the upstream dam and levees gates suddenly open up.

And if there is a “deep state”, maybe look externally instead of internally.

Happy 2020.

UPDATE: Further publicly released details available here:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Equifax Breach via Apache Struts Framework

Equifax Hack via Apache Struts

As reported last Friday, the 2017 Equifax personal credit reporting agency had a data breach of 143 Million people’s identities. It started in May 2017 and is just now (August 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSAs hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden”. Therefore keeping sites secure is not possible. Any security professional will tell you best practice is to white-list good guys (selective inclusion) as opposed to trying to find every attack and block it. Therefore the difficulty at a high level is primarily in identifying and blocking bad actors.

I hate to say it folks, but we are playing whack-a-mole with your identity and money.  It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the specifics of the attack on Equifax are currently easily exploitable on similar sites.

This is like Hurricane Harvey – it’s not even close to over.