The SolarWinds Story Keeps Getting Worse: China Too?

The “new broom” at SolarWinds keeps lifting rugs and finding more problems swept under them. Parachuted-in CEO Sudhakar Ramakrishna sounds like he’s drowning in logs and other evidence of Russian naughtiness.

It’s not only the Russians: The Chinese were misusing SolarWinds’ software, too. Or so we’re told by multiple secret-squirrel sources.

And to top it off, yet more serious bugs in SolarWinds’ code have been disclosed—and one of them is an absolute doozy. In today’s SB Blogwatch, we don’t know whether to laugh or cry.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bootsy.

Time to Ring the Changes?

What’s the craic? Robert McMillan and Dustin Volz report—“Hackers Lurked in SolarWinds Email System for at Least 9 Months”:

 The newly appointed chief executive of SolarWinds Corp. is still trying to unravel how his company became a primary vector for hackers in a massive attack revealed last year, but said evidence is emerging that they were lurking in the company’s Office 365 email system for months. … “Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader … environment was compromised.”

Investigators are trying to determine how widespread the damage has been. So far only several dozen victims have been identified, but the attack could have ultimately affected close to 18,000 of the company’s customers. … “We have been evaluating mountains of data,” … Sudhakar Ramakrishna said.

The attackers crafted a way to turn SolarWinds’ own software update into a kind of digital Trojan horse. … The hackers were running tests on SolarWinds’ internal build systems … in September 2019. [It] was then used to create a malicious software patch that SolarWinds says it shipped out to fewer than 18,000 customers in 2020. The U.S. government has publicly blamed Russia, which has denied responsibility.

But that’s not the whole story. Christopher Bing, Jack Stubbs, Raphael Satter and Joseph Menn add—“Suspected Chinese hackers used SolarWinds bug”:

 Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told [us]. … Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.

The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using. … Although the two espionage efforts overlap and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who have investigated the attacks.

The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. … SolarWinds said … the attackers did not gain access to its own internal systems and that it had released an update to fix the bug in December.

[We] could not determine what information the attackers were able to steal from the National Finance Center (NFC) or how deep they burrowed into its systems. But the potential impact could be “massive,” former U.S. government officials [said].

Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. … The NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.”

And still the bugs keep coming. Martin Rakhmanov found three “New SolarWinds … Vulnerabilities”:

 [Here are] three new security issues that I recently found in several SolarWinds products … severe bugs with the most critical one allowing remote code execution with high privileges. … In light of the recent SolarWinds supply chain attack, I decided to take a quick look at SolarWinds products based on the Orion framework.

CVE-2021-25274: … There is a huge list of private queues, and literally, every one of them has a specific problem. … In short, unauthenticated users can send messages to such queues over TCP. [And] the code that handles incoming messages [is] an unsafe deserialization victim. … Combining those two issues … allows remote code execution by remote, unprivileged users.

CVE-2021-25275: … Permissions are generously granted to all locally authenticated users. … Unprivileged users [can] get a cleartext password for the SolarWindsOrionDatabaseUser. … And at this point, we have complete control over the SOLARWINDS_ORION database. From here, one can steal information or add a new admin-level user.

CVE-2021-25276: … Anyone who can log in … can just drop a file that defines … an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive.

We recommend that administrators upgrade as soon as possible.

I bet you do. And I assume junrbarnes is staggered:

 The sheer number of bad decisions SolarWinds coders and management made is staggering. Certainly bit my workplace, yet we’re still with SW as we don’t really have a choice, thanks to an ever-slimming budget.

In general you assume a company like this is on top of their vulnerabilities and has really solid intrusion systems. Another reminder what “assume” stands for.

Perhaps raymorris is, too:

 We have three new vulnerabilities in Solarwinds announced today. One of them is a critical, must-be-patched-today issue. … It leverages a terribly insecure subsystem in Windows which SolarWinds should not have been using.

Why does Solarwinds keep having these problems? Because while they are obviously a very desirable target, they haven’t taken security seriously. Simple as that.

Also, they need to stop ****ing running their monitoring as LocalSystem. If they want to have a separate optional component for pushing out software that runs at high privilege, fine. But you don’t ****ing need OS-level write privileges to read monitoring data!
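Rakhmanov’s three bugs and raymorris’s LocalSystem gripe share a theme: things on the Orion host that any local user, or anyone on the network, can reach. Here is an added local audit script that checks for those patterns. It is not SolarWinds code and not from either commenter, and it rests on assumptions: that the “private queues” above are Microsoft Message Queuing (MSMQ) private queues, that the MSMQ PowerShell module is installed on the host, and that the directory list and service-name prefix are placeholders you replace with your own.

```powershell
# Added audit script; not SolarWinds code and not from the quoted authors.
# Run in an elevated PowerShell on the Orion host. Assumptions, marked where
# used: the "private queues" are MSMQ private queues, and $PathsToAudit is a
# placeholder you must replace with the directories your installation uses.

# Principals that mean "any local user" (or worse) when they appear in an ACE.
$BroadPrincipals = 'Everyone|ANONYMOUS LOGON|Authenticated Users|BUILTIN\\Users|INTERACTIVE'
# Rights that let such a principal create or alter files. Deliberately loose
# (it also matches WriteAttributes): over-reporting is fine for an audit.
$WriteRights = 'Write|Modify|FullControl|CreateFiles|AppendData'

function Get-BroadFsAccess {
    # Filesystem ACEs under $Path that grant broad principals access.
    # Broad read on a file is the CVE-2021-25275 pattern (cleartext
    # credentials readable by any local user); broad write anywhere is the
    # CVE-2021-25276 pattern (any logged-in user can drop or alter a file).
    # Inherited ACEs are skipped by default because "Users: ReadAndExecute"
    # inherited from Program Files is normal and would drown the report.
    param([Parameter(Mandatory)][string]$Path, [switch]$IncludeInherited)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            if ($ace.IdentityReference.Value -notmatch $BroadPrincipals) { continue }
            $rights  = $ace.FileSystemRights.ToString()
            $isWrite = $rights -match $WriteRights
            if (-not $isWrite -and $item.PSIsContainer) { continue }   # read on a directory is normal
            [pscustomobject]@{
                Check     = if ($isWrite) { 'Filesystem: broad write' } else { 'Filesystem: broad read' }
                Object    = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
            }
        }
    }
}

function Get-AnonymousMsmqQueue {
    # MSMQ private queues whose ACL names anonymous or Everyone: the
    # CVE-2021-25274 pattern, where an unauthenticated sender reaches a queue
    # whose consumer deserialises the message body. Assumes the Windows
    # Server MSMQ PowerShell module (Get-MsmqQueue / Get-MsmqQueueACL).
    if (-not (Get-Command Get-MsmqQueue -ErrorAction SilentlyContinue)) {
        Write-Warning 'MSMQ PowerShell module not available; skipping queue check.'
        return
    }
    foreach ($q in Get-MsmqQueue -QueueType Private) {
        # Matched as rendered text so the ACL object's property layout is not relied on.
        $aclText = Get-MsmqQueueACL -InputObject $q | Out-String
        $hits = ($aclText -split "`r?`n") -match 'ANONYMOUS LOGON|Everyone'
        if ($hits) {
            [pscustomobject]@{
                Check     = 'MSMQ: private queue open to anonymous/Everyone'
                Object    = $q.QueueName
                Principal = (($hits | ForEach-Object { $_.Trim() }) -join '; ')
                Rights    = ''
            }
        }
    }
    # A queue reachable only locally is a lesser risk than one reachable on
    # MSMQ's TCP port (1801) from the network.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        [pscustomobject]@{ Check = 'MSMQ: TCP 1801 listening'; Object = ($listener.LocalAddress -join ', '); Principal = ''; Rights = '' }
    }
}

function Get-SystemRunServices {
    # Services matching $Prefix that run as LocalSystem (raymorris's point:
    # reading monitoring data does not need OS-level write privileges).
    param([string]$Prefix = 'SolarWinds')   # placeholder prefix
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { ($_.Name -like "$Prefix*" -or $_.DisplayName -like "$Prefix*") -and
                       $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Service runs as LocalSystem'; Object = $_.Name; Principal = $_.StartName; Rights = '' }
        }
}

# Placeholder: replace with your real install, data and configuration directories.
$PathsToAudit = @('C:\ProgramData\SolarWinds')

$findings = @(Get-SystemRunServices) + @(Get-AnonymousMsmqQueue) +
            @($PathsToAudit | ForEach-Object { Get-BroadFsAccess -Path $_ })
$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

The script only reports; it changes nothing. Expect some noise from the filesystem checks (pass `-IncludeInherited` to widen them further), and treat a hit as a prompt to apply the vendor update first and then tighten the ACL, queue permission or service account, in that order. None of it substitutes for the upgrade Rakhmanov recommends.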

TIL how capitalism works. Here’s the lesson from ArtistAtLarge:

 This is what happens when you put good ITSec people out to pasture in the name of profits.

What next? OffTheLip has to ask the big question:

 The core server management software compromised, their email/office suite compromised, what’s next? I can’t fathom why anyone is comfortable using their products now.

On the other hand, MisterGrumps has high, apple-pie-in-the-sky hopes:

 I keep getting calls from SW competitors talking about how their products are so much more secure than SW. “Look what happened, you can’t trust SW!”

I get that sentiment, but then I think back to when Chipotle had all the food poisoning issues. I ****ing loved eating at Chipotle after that. Cleanest places to eat I’ve ever been in. Pretty sure I could have eaten off the floor.

I guess my point is that it seems like SW is learning from this and is vastly improving their processes. Hopefully it works out.

Meanwhile, did someone say the Chinese hacked federal payroll? ELYSIANFEELS has a cunning plan:

 Where were they when I needed old electronic paystubs to file for UI? Maybe I should contact the Chinese for help.

And Finally:

That’s Mister Collins, to you



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Jongsun Lee (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
