NEW - @CISAgov just issued a new alert and warns of "grave risk" from the @solarwinds attack.https://t.co/6hJ9dDSVBn pic.twitter.com/A7cGD7doku— Disclose.tv 🚨 (@disclosetv) December 17, 2020
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
Excerpt:
SolarWinds Orion Supply Chain Compromise SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.
The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.
**
Could this be one of the reason for the 10 days of darkness? To get a handle on this.
Wouldn’t there be consequences (such as this) from the witless idiots selling access to our military and government secrets that were on her thighness’ servers and laptops?
Didn’t Q mention a scare event?
Could it be to wake the normies of such treachery?
Spitballing wildly over here.
Re: solarwinds attack
Is this a thing that would infect MI/Q as well? Would they be aware and use other products or their own product?
I’m not tech-savy. Can you define why this scares you? I comprehend the Fib, seeeyeA, pentagon ... but is this bigger than MI?
PSA to those on the Q Ping List
Please take a moment to pick up the white courtesy phone located in your FR email box. ThankQ!
grave usually reserved for war.
Thanks !
CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.
Query Registry [T1012]
Obfuscated Files or Information [T1027]
Obfuscated Files or Information: Steganography [T1027.003]
Process Discovery [T1057]
Indicator Removal on Host: File Deletion [T1070.004]
Application Layer Protocol: Web Protocols [T1071.001]
Application Layer Protocol: DNS [T1071.004]
File and Directory Discovery [T1083]
Ingress Tool Transfer [T1105]
Data Encoding: Standard Encoding [T1132.001]
Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Software Discovery [T1518]
Software Discovery: Security Software [T1518.001]
Create or Modify System Process: Windows Service [T1543.003]
Subvert Trust Controls: Code Signing [T1553.002]
Dynamic Resolution: Domain Generation Algorithms [T1568.002]
System Services: Service Execution [T1569.002]
Compromise Infrastructure [T1584]
Thanks !
CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.
Query Registry [T1012]
Obfuscated Files or Information [T1027]
Obfuscated Files or Information: Steganography [T1027.003]
Process Discovery [T1057]
Indicator Removal on Host: File Deletion [T1070.004]
Application Layer Protocol: Web Protocols [T1071.001]
Application Layer Protocol: DNS [T1071.004]
File and Directory Discovery [T1083]
Ingress Tool Transfer [T1105]
Data Encoding: Standard Encoding [T1132.001]
Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Software Discovery [T1518]
Software Discovery: Security Software [T1518.001]
Create or Modify System Process: Windows Service [T1543.003]
Subvert Trust Controls: Code Signing [T1553.002]
Dynamic Resolution: Domain Generation Algorithms [T1568.002]
System Services: Service Execution [T1569.002]
Compromise Infrastructure [T1584]