Free Republic

To: grey_whiskers; Steven W.; ransomnote; bitt; Swordmaker; unixfox; dayglored; All
ALL: this scares me. It looks real. How often does any official agency use the words "grave risk"?

NEW - @CISAgov just issued a new alert and warns of "grave risk" from the @solarwinds attack. https://t.co/6hJ9dDSVBn pic.twitter.com/A7cGD7doku — Disclose.tv 🚨 (@disclosetv) December 17, 2020

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Excerpt:

SolarWinds Orion Supply Chain Compromise

SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.

The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.

2,020 posted on 12/17/2020 11:04:21 AM PST by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)
[ Post Reply | Private Reply | To 2011 | View Replies ]
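The excerpt above gives defenders a concrete triage rule: a check-in to avsvmcloud[.]com alone does not prove the backdoor was used, but CNAME resolutions tied to that domain point to further adversary action. The script below applies that rule to DNS logs; it is an added example, not code from the post or from the CISA alert, and it assumes a simple tab-separated log format (timestamp, client, query, record type, answer) with entirely constructed hosts, labels, IPs and CNAME targets.

```python
BEACON_DOMAIN = "avsvmcloud.com"  # indicator named in the CISA alert (defanged there)

# Constructed sample log. Assumed format per line: time, client, query, rrtype, answer.
# The client IPs, subdomain labels, answer IPs and CNAME target are made up.
SAMPLE_DNS_LOG = """\
2020-12-14T02:11:05Z\t10.0.5.21\tconstructed-a1.avsvmcloud[.]com\tA\t198.51.100.10
2020-12-14T02:11:06Z\t10.0.5.21\tconstructed-a1.avsvmcloud[.]com\tCNAME\tstage2.c2-placeholder.invalid
2020-12-14T03:40:12Z\t10.0.7.88\tconstructed-b7.avsvmcloud[.]com\tA\t198.51.100.10
2020-12-14T04:00:00Z\t10.0.9.3\tupdates.example.com\tA\t192.0.2.44
"""


def refang(name: str) -> str:
    """Normalise a possibly defanged name ('avsvmcloud[.]com') so it can be matched."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def is_beacon_domain(name: str) -> bool:
    """True if the query is the alert's check-in domain or any subdomain of it."""
    name = refang(name)
    return name == BEACON_DOMAIN or name.endswith("." + BEACON_DOMAIN)


def parse_dns_log(text: str) -> list:
    """Parse the assumed tab-separated DNS log into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        ts, client, qname, rrtype, answer = fields
        records.append({"ts": ts, "client": client, "qname": refang(qname),
                        "rrtype": rrtype.upper(), "answer": answer})
    return records


def triage(records: list) -> dict:
    """Per client: 'cname_followup' when a CNAME tied to the beacon domain was
    resolved (possible further adversary action per the alert), otherwise
    'checkin_only' when only plain check-ins were seen. Clients that never
    touched the beacon domain are omitted."""
    verdict = {}
    for r in records:
        if not is_beacon_domain(r["qname"]):
            continue
        if r["rrtype"] == "CNAME":
            verdict[r["client"]] = "cname_followup"
        else:
            verdict.setdefault(r["client"], "checkin_only")
    return verdict


if __name__ == "__main__":
    for client, state in sorted(triage(parse_dns_log(SAMPLE_DNS_LOG)).items()):
        print(f"{client}: {state} (investigate before concluding compromise)")
```

Both verdicts are investigation leads, not confirmations: the alert says even a check-in-only host needs a look at its other unexplained communications.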


To: grey_whiskers
"grave risk"
It was a Pearl Harbor of electronic attack. The real question for me is why now, of all times, does it come out?
Trump supporters are linking this attack with Dominion systems. But what about DHS, DNI and FIB? If they don't, then they're missing the boat.
2,035 posted on 12/17/2020 11:24:10 AM PST by Steve Van Doorn (*in my best Eric Cartman voice* 'I love you, guys')
[ Post Reply | Private Reply | To 2020 | View Replies ]

To: grey_whiskers



2,054 posted on 12/17/2020 11:44:57 AM PST by A virtuous woman (I'm praying for my country. Turn from your sins to God. His Kingdom is at hand.)
[ Post Reply | Private Reply | To 2020 | View Replies ]

To: grey_whiskers
NEW - @CISAgov just issued a new alert and warns of "grave risk" from the @solarwinds attack. https://t.co/6hJ9dDSVBn pic.twitter.com/A7cGD7doku — Disclose.tv 🚨 (@disclosetv) December 17, 2020

Could this be one of the reasons for the 10 days of darkness? To get a handle on this.

2,062 posted on 12/17/2020 11:53:58 AM PST by norsky
[ Post Reply | Private Reply | To 2020 | View Replies ]

To: grey_whiskers

Wouldn’t there be consequences (such as this) from the witless idiots selling access to our military and government secrets that were on her thighness’ servers and laptops?

Didn’t Q mention a scare event?

Could it be to wake the normies of such treachery?

Spitballing wildly over here.


2,072 posted on 12/17/2020 12:04:10 PM PST by Cats Pajamas (President Trump won so big he broke their algorithm!)
[ Post Reply | Private Reply | To 2020 | View Replies ]

To: grey_whiskers

Re: solarwinds attack

Is this a thing that would infect MI/Q as well? Would they be aware and use other products or their own product?

I’m not tech-savvy. Can you define why this scares you? I comprehend the Fib, seeeyeA, pentagon ... but is this bigger than MI?


2,079 posted on 12/17/2020 12:11:46 PM PST by Wneighbor (Weaponize your cell phone! Call your legislators every week.)
[ Post Reply | Private Reply | To 2020 | View Replies ]

PSA to those on the Q Ping List

Please take a moment to pick up the white courtesy phone located in your FR email box. ThankQ!

2,093 posted on 12/17/2020 12:23:05 PM PST by ransomnote (IN GOD WE TRUST)
[ Post Reply | Private Reply | To 2020 | View Replies ]

To: grey_whiskers

"Grave" is usually reserved for war.


2,094 posted on 12/17/2020 12:23:09 PM PST by ichabod1 (He's a vindictive SOB but he's *our* vindictive SOB)
[ Post Reply | Private Reply | To 2020 | View Replies ]

To: grey_whiskers

Thanks!

CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.

Query Registry [T1012]
Obfuscated Files or Information [T1027]
Obfuscated Files or Information: Steganography [T1027.003]
Process Discovery [T1057]
Indicator Removal on Host: File Deletion [T1070.004]
Application Layer Protocol: Web Protocols [T1071.001]
Application Layer Protocol: DNS [T1071.004]
File and Directory Discovery [T1083]
Ingress Tool Transfer [T1105]
Data Encoding: Standard Encoding [T1132.001]
Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
Software Discovery [T1518]
Software Discovery: Security Software [T1518.001]
Create or Modify System Process: Windows Service [T1543.003]
Subvert Trust Controls: Code Signing [T1553.002]
Dynamic Resolution: Domain Generation Algorithms [T1568.002]
System Services: Service Execution [T1569.002]
Compromise Infrastructure [T1584]


2,134 posted on 12/17/2020 12:51:26 PM PST by HollyB
[ Post Reply | Private Reply | To 2020 | View Replies ]



