[conspire] Security breach @ multiple Federal agencies via SolarWinds Orion software

Rick Moen rick at linuxmafia.com
Thu Dec 17 19:54:39 PST 2020


As I suggested would probably happen, the redoubtable Brian Krebs has
kept on this story.

https://krebsonsecurity.com/2020/12/malicious-domain-in-solarwinds-hack-turned-into-killswitch/

About March at the latest, SolarWinds, Inc. got epically H4X0Red, and
allegedly had no idea of this fact, until:

Dec. 7th:  Two large institutional investors with inside connections at
SolarWinds (including six of the company's Board of Directors seats),
private equity firms Silver Lake and Thoma Bravo, unloaded their
holdings of 70% of SolarWinds's stock, respectively getting $140M and
$110M.

Dec. 8th:  Cybersecurity firm FireEye announced that it had suffered a
security break-in and that the thieves had stolen sensitive
security-testing tools as part of a breach they'd discovered in recent
weeks.  Shortly afterwards, it notified SolarWinds, Inc. of detailed
data it had collected proving that SolarWinds's Orion Platform
network-monitoring software had compromised the security of FireEye's
internal network and sensitive information.

It's not fully clear to us outsiders at what date SolarWinds figured out
from FireEye investigative contacts and other signs that they were in
trouble -- but there are now SEC investigators who are looking into that
question.

Dec. 9th:  SolarWinds announces that its CEO since 2010, Kevin Thompson,
was resigning and would be replaced effective at year end.

Dec. 11th:  SolarWinds confirms to the public that it was the proximate
cause of FireEye's problems, along with about 18,000 other Orion
Platform users.  SolarWinds stock thereupon loses 22% of its value.

   Insider trading?  SEC is keenly interested in that possibility.

Dec. 13th:  FireEye publishes detailed write-up on the malware
infrastructure, tracing the problems at SolarWinds all the way back to
March.  News emerged that fellow victims included US Treasury Dept. and
US Commerce Dept.

Dec. 14th:  Add to the victims US Dept. of Homeland Security, among
many others.  DHS’s Cybersecurity and Infrastructure Security Agency
(CISA) took the unusual step of issuing an emergency directive ordering
all federal agencies to immediately disconnect the affected Orion
products from their networks.  (On this date, SolarWinds _still_ had
not removed the compromised Orion software updates from its distribution
server.)