Solarwinds hack by Russia can’t be understated

While America has been reading news articles about tweets our adversaries have been busy.

Busy since March 2020.

Not my first rodeo, and given hackers are incredibly patient and typically play the “long game”, reported breaches in my experience are frequently off by two years or greater. So I’d guess 2018 ish for the initial entry point.

Regardless, SUNBURST, dug deep with APT into places that shouldn’t even be possible. Like the power grid.

https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/

“to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.“

and

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

In other words, we don’t know.

The Solarwinds hack is so bad… that in response … the United States will do nothing.

Why?

Because when you own department of homeland security, and the treasury, among 18,000 other organizations are compromised, You have been epically pwned.

it means your adversaries totally own you. They have surely added back doors and more back doors and more back doors into the systems as well as “sleepers” like some subcontractor’s laptop used once a year to service a particular piece of hardware.

Meanwhile we are using AI/ML bots to automate trading on the stock markets. They all have triggers, “if this / then that”, if bond yields hit x percent up or down, if company y changes their guidance up or down by y percent, sell all. Crash.

In other words, those of us in the devops and infosec world, hackers, know if an adversary has infiltrated even half this far, its game over. Yank and replace. “Game over dude.”

We have one option in the short term; capitulate. Concede. Because you can’t “rip and replace” everything simultaneously across an unknown number of compromised networks simultaneously when you can’t even identify them. And with APTs in place possibly down to the Silicon chip level, that are just lying in wait, even rip and replace will just get reinfected.

Stuxnet was the greatest malware/hack ever written. The US wrote it. We created Pandora’s box. We reimagined hell. Then left the lid open. The NSA got hacked and our own code has been “reflected” back on us. Since somewhere between 2012 and 2014 initially by my estimation.

All of the stuxnet code and more is now widely available to download for free on the dark web. You could do it today. Fire up VMWare fusion, kali linux, metasploit and an external wifi adapter and your are good to go. Or just use a raspi.

Officially I think notPETYA is still “the most expensive hack in history.” (get it? “think not”? but I digress….)

Unofficially? The Solarwinds hack is the Anvil dropped on the camel’s back that has broken it and brought it to its knees.

Solarwinds will shatter the geopolitical and monetary policy of the United States and the world.

Get your COVID vaccine. Get some popcorn. Watch your 401k and pension funds knowing that one or two edits and they go to zero. And try to wrap your brain around the fact that our military power is second only to financial power, and we are losing that. Any monetary power we have left is because they allow it.

Maybe buy some Bitcoin?

Take some anti anxiety meds. And pull out your Boy Scout handbook and practice setting up that old tent. (Just be careful where you put it in case the upstream dam and levees gates suddenly open up.

And if there is a “deep state”, maybe look externally instead of internally.

Happy 2020.

UPDATE: Further publicly released details available here:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Marissa Mayer Testifies Russian Agents Behind 2013 Yahoo Attack

Marissa Mayer

Nov 8, 2017.  From the Reuters article regarding former CEO of Yahoo Marissa Mayer’s testimony before Congress:

WASHINGTON (Reuters) – Former Yahoo Chief Executive Marissa Mayer apologized on Wednesday for two massive data breaches at the internet company, blaming Russian agents for at least one of them, at a hearing on the growing number of cyber attacks on major U.S. companies.

Having spent the majority of the last three years doing almost exclusively InfoSec and Security on the Tendenci SaaS Cloud, not by choice but out of necessity, I do feel a bit of vindication as they confirm the facts. This is DATA people. Not opinion. I see it every day.
Tendenci has always kept logs, but never before have we had to have three (and sometimes four) sets of logs kept in different locations. Log verification, audit, cross references, searching through millions of logs DAILY. Just the expense … it’s frustrating for us in the security community for several reasons:
  1. We can’t talk fully openly about it for confidentiality reasons

  2. We sound kra-kra.

  3. When we do, everyone thinks we are crazy and it’s a conspiracy theory.

It turns out reality is like an idiom, what everyone initially thought was wrong and like so many other things, people get silenced. That shit Cray . Oh, and that reference doesn’t mean what you think it means either. Because Jay-Z is smart as f*ck and he is making a damn point.

All I can say is … what he said. Because THIS shit is Cray.

By World Economic Forum – “An insight, an idea: Marissa Mayer” at Flickr, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=24851211

The FBI confirms NGOs and Associations are Targets of Russian Hackers

James Comey Testimony on Russian Hackers Targeting Nonprofits and NGOs
James Comey Testimony on Russian Hacking Includes Acknowledgement of Russians Specifically targeting NGOs and Nonprofits

Growing Tendenci – The Open Source AMS, has been eye opening. I didn’t realize fully why our clients were constantly being attacked. Even behind all of our firewalls, scanners, ACLs, malware, rootkit detection, antivirus, third party scanners, multifactor, use of Honeypots, we don’t store credit cards, and then still even more custom security measures we’ve developed in house.

I mean seriously, it’s not like you’re going to scan a site we host and not have it logged and inspected and blocked aggressively when possible. Nothing is hack proof obviously. But our security practices are  FAR beyond the norm.

I didn’t have the luxury of questioning the motive. We do.

When necessary, we have engaged authorities for assistance. So it was interesting to see this from former FBI Director James Comey’s testimony:

Source: http://www.politico.com/story/2017/06/08/full-text-james-comey-trump-russia-testimony-239295

BURR: Okay. When did you become aware of the cyber intrusion?

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Let me repeat that last part for emphasis in case anyone who works with Associations and Non Profits needs some ammo to take back to their board about why they can’t host for $10 a month on a cheap hosting site.

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Those words should weigh heavily on people in the NPO/NGO sector. It is worthy of mention to everyone using an AMS system. To be secure, you need to be able to inspect your own code if you host with us or somewhere else. Please do so with Tendenci at https://github.com/tendenci/tendenci/  . Security is a process, not a magic pill.

The motives for these attempted hacks are above my pay grade. Just know if you feel you are being targeted, well, it isn’t paranoia if they really are out to get you. And they really are out to get you.

And please don’t click that link in your email. Please. Just don’t do it.

Stay vigilant my friends.

PS – two other facts I can add. I can personally confirm it was in the hundreds just based on our client base. This does NOT mean they breached, but targeted? Yes. And second, by my estimations it started in earnest in 2013, not 2015.

PPS – and now we start the count down before they take my blog offline with DDOS again. Whoever “they” is. All I see is a matrix at this point… and I’m ok with that oddly enough. Because if the Zombie apocalypse is real in downtown SF, then everything else is possible too.

Disclaimer: This post is NOT about the President. Or about former FBI Director Comey’s testimony as it relates to our elected Zombies on both sides who vote party over the people they represent.  No, this post is about a small part of Comey’s testimony that relates to Associations and Nonprofits. It applies if they use Tendenci or not. Whatever the motive of the Russian hackers, the fact is that associations and nonprofits are being singled out for attacks. This is a fact of your current reality.