[kwlug-disc] Grandiosity ... naked

Mikalai Birukou mb at 3nsoft.com
Wed Jan 6 11:17:29 EST 2021


Big brother wants to have a program called Stellar Wind.

Here comes Solar Wind: 
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

When there is such attention to detail, you can't but admire the craft: 
evaluating environment, etc.

I like the following bit. Key word is "signed". Key question is "by whom".

"""

The fact that the compromised file is digitally signed suggests the 
attackers were able to access the company’s software development or 
distribution pipeline. Evidence suggests that as early as October 2019, 
these attackers have been testing their ability to insert code by adding 
empty classes. Therefore, insertion of malicious code into the 
SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early 
stage, before the final stages of the software build, which would 
include digitally signing the compiled code. As a result, the DLL 
containing the malicious code is also digitally signed, which enhances 
its ability to run privileged actions — and keep a low profile.

"""

Several, maybe unrelated, reactions/fumes:

1) So where is your build infra? Where are the keys?

2) What does the law say? Is it sabotage if spooks pay you to look away?

3) This is a sophisticated exploitation: center and later parts of an 
attack. This is definitely not a sophisticated hack, i.e. attack start.

4) Admins have targets on their backs. Truly.

5) <tinfoil> Remember that time when Google's Schmidt extended a serious 
effort to censor Wired? This shows an approach towards PR. Very strict 
PR, even if it blinds true appreciation of reality by common folks. If 
something like this happens, what are the chances of information never 
surfacing in public news? Hmm. </tinfoil>
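The quoted paragraph's point, as an added example (not code from this post or from Microsoft's write-up): when code is inserted before the signing step, the shipped artifact carries a perfectly valid signature, so a defender needs an independent rebuild from the source of record to notice. Signing is stood in for by HMAC-SHA256, and the source, compiler and inserted class are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed: the private key that only the build server should hold.
SIGNING_KEY = b"build-server-private-key"

# Constructed stand-ins for the source of record and the inserted class.
TRUSTED_SOURCE = "class OrionCore { void Run() {} }"
INSERTED_CODE = " class Backdoor { void Beacon() {} }"


def compile_source(source: str) -> bytes:
    # Stand-in compiler: deterministic, so two builds of the same source agree.
    return hashlib.sha256(source.encode()).digest() + source.encode()


def sign(artifact: bytes, key: bytes = SIGNING_KEY) -> bytes:
    # Signing happens at the end of the pipeline, over whatever was compiled.
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes, key: bytes = SIGNING_KEY) -> bool:
    # What a client checks: the signature matches the artifact it received.
    return hmac.compare_digest(sign(artifact, key), signature)


def compromised_pipeline(source: str, inserted: str):
    """Attacker edits source inside the build environment, before signing."""
    tampered = source + inserted
    artifact = compile_source(tampered)
    return artifact, sign(artifact)


def independent_rebuild_matches(shipped: bytes, trusted_source: str) -> bool:
    """Rebuild from the source of record on a separate machine and compare."""
    rebuilt = compile_source(trusted_source)
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(shipped).digest()


if __name__ == "__main__":
    artifact, sig = compromised_pipeline(TRUSTED_SOURCE, INSERTED_CODE)
    # The signature check passes: the build server signed what it was given.
    print("signature valid:", verify(artifact, sig))
    # The rebuild check fails: the shipped bytes do not come from the trusted source.
    print("matches rebuild:", independent_rebuild_matches(artifact, TRUSTED_SOURCE))
```

The signature only proves who ran the last step of the pipeline, which is why the reaction "where is your build infra, where are the keys" is the right question.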
