Tom here from Lawrence Systems, and let's dive in again, because there's more information here on December 19th than we had a few days ago about the SolarWinds attack, and it's not "SolarWinds123." Sorry, I know that's exciting, and it is certainly something I would participate in sharing memes about, "SolarWinds123," ha ha, but it's not really much more than a great sound bite for the news. I know they shouldn't have had it. I'm not trying to defend anyone who would use SolarWinds123 as their password, even if they weren't SolarWinds, because it's too basic of a password. But it is not the entirety of what went on. It is a great sound bite that makes, you know, people get angry and gives them something to get excited about, but it doesn't dive deeper at all into the deeper problems that occurred.

And the very specific one that we want to talk about here to start with is: how did they get the signing certificate? Make the password whatever you want; the signing server is one of the things that fascinates me. So you can take files and change the DLL in them, but they're not going to match the signing certificate of the author. And what the signing certificate does is create a chain of trust to say that this particular company, SolarWinds, and their signing certificate was the author of this particular software and all related DLLs and all the functionality that comes with that software. So if you were to swap one of these files out, it wouldn't match the certificate of the other files and would be an easy thing to find. This is something where each company has their own signing servers. They keep these very tightly locked up to make this part very difficult. So even if you were to compromise one of the coders, that would obviously be terrible, it would get to the signing server, but then we can start reversing it. But if you compromise the signing server itself, that means the coders are doing their job right.
And at the signing server level, something's getting flipped and changed before it goes over to an install file. Now, a couple of interesting notes that Microsoft found, besides making this pretty thing here, and I'll be leaving links to all this as well, is how some of the initial reconnaissance worked. And we're learning not only did it delay for 12 to 14 days after being compiled before it would execute, it also checked for a few things. One of them was kind of interesting: it checked to make sure it wasn't running inside of SolarWinds. And this is probably part of a QA check SolarWinds did. So you recompile the software, you run it, you see if anything changes. And obviously you would know what changes you expected your programmers to make, whether it's bug fixes or enhancements, and you would test those changes. Maybe you sit on two weeks of testing in some type of lab environment at SolarWinds. All right, the software is behaving as expected. Feature enhancements work, or bug fixes have been fixed. But the change made by the threat actors never deploys. And that's because, as they learned, it looks for whether or not it's running inside of SolarWinds. It looks for whether or not Wireshark is running. So all the little security tools around there, and it's got a list of them here, it looks to see if any of those are running alongside and goes, nope, I'm not executing, because I see something that might be watching. And that's just very, very clever.

Among the other things that are very clever related to this that we've learned is how they were doing the domains. And this is where some reverse engineering went in to try to figure out what these gibberish-looking characters over here are, what the methodology was to encode them, to figure out what companies they belong to. So, as suspected, each one of these domains represented a different company. So something interesting would be found.
They would call out to their command and control servers, create a domain and go, hey, this is the domain, obfuscated, that belongs to this company. And Bleeping Computer has an article that breaks some of that down. And they actually have a couple of things I thought were interesting. One, information technology companies accounted for 44% of the attack, undoubtedly not just to exfil data, but potentially to exploit them for further supply chain attacks. Because, well, some of those companies on the list include Cisco, Intel, Microsoft. And getting inside those companies means, well, they're very popular, well-known companies, which means they weren't able to deploy further if they changed things inside of those companies. All these companies are going through full audits to dig around, because the shakeup is still going on. We don't know the full damage. And that's what this is: the entire security world, so to speak, dumping everything out into different repositories and hubs, everything that we can figure out and what we know, and pushing it out there so we can dive into it. Government agencies only represented 18% of the total attack surface. But then again, getting into places like the Department of Defense and other military organizations, they don't have to get into many of them. Some of them might be boring. Some of them are really interesting. So it's not actually about quantity. It's about what, at that point. And obviously, the .gov domains that we've seen here are pretty scary to have on the list.

Now, the final thing that I find really interesting is this. We initially thought May, or March or April, early in 2020, is when this attack happened. But it turns out the DLL changes occurred, it looks like, in October of 2019, and then sat dormant. This was probably a test. They got in. They set off the test. They just changed it, but no execution and no C2 server. Because these reached out to the C2 server, and if they didn't find a server to talk to, they didn't talk.
And because of that, here in October 2018 is when the change was made, and then it sat quiet, just waiting. And that takes a lot of patience, because, well, you could be discovered at any moment. There's a lot of effort just to even get this far and have a signed piece of code. You don't want your years of hacking at this company, to get where you want to be in position, and then get discovered. So they lay quiet. And even then, you can possibly get discovered. Maybe there's something to review or audit. But as Microsoft goes on and points out, the code changes were minor. They were small. There was really not a lot put into them. And that was completely on purpose, to completely avoid this. Matter of fact, when you start digging into just how little these sent out in terms of data, this is what made it so much easier. They sent things over unencrypted HTTP requests that kind of look like part of the quality improvement noise, in an obfuscated form, but also look like improvement data, with a really simple list of commands that the C2 server could run. So it really was quiet. And they would be very careful before they would deploy anything. Now, eventually it had hooks, because of the high levels that it operated at, to do more. But it lay dormant, lay quiet, and slowly there before they actually got in, where they refer to the resulting hands-on-keyboard attack, when they would actually execute something.

They also did a lot of what's referred to as living off the land. Living off the land means instead of loading other tools, you run things like PowerShell scripts that run Windows tools. And those Windows tools, well, they're built into Windows. They're ways to go through and look at the list of domains and networks connected. And it's a popular methodology because, well, it's hard to get your threat actor tools on there, because they're known. So you just use the domain tools and some PowerShell tools.
And by connecting to this C2 server to get PowerShell commands and then piping the results back out, you keep a really low key of, well, they ran a domain script. It ran a user script. It created another user. And from there, they leverage higher and higher levels of privilege inside of there.

Now, kind of an offshoot to this, and this is where people get distracted easily, besides the SolarWinds123, is finding out that there have been other problems. And I thought this one was a little bit interesting, and it's related, though. And it's the SolarFlare release, a password dumper for SolarWinds Orion. There have been some updates to this. This was actually brought up from 2016. Not necessarily any attack vector, but it's compromises in this particular program. But this program runs at high privilege, and it doesn't necessarily have direct exposure to the internet. It's a tool used by internal IT teams. So kind of the answer is, well, you have to have admin-level privilege to do it. I know that's not the right answer, but I'm just saying why it was not, you know, really as big of a deal, so to speak, as it is today. But what's interesting that they point out from this, the SolarFlare release, the password dumper, is it apparently has quite a bit of information in here that you can get out. Now, it's not that this isn't important. It's more that this may not be directly related, but there's obviously going to be a lot of people researching, because once SolarWinds gets in the news, everyone's poking away at it. Matter of fact, on, I think it was December 15th, there were a couple more updates for one of the other SolarWinds packages, completely unrelated to Orion. And what's happening is there just happened to be a flaw in it. And it was from research done a while ago, and they just got around to fixing it, and once the flaw is patched there's an update. It's an update for a way to do some SSH traversal. But it's, once again, off topic from SolarWinds Orion.
It's probably not an attack vector at all. It's more that some security researchers, with nothing found in a while, found a way to raise the privilege from a user who already had privilege to a higher level of privilege. But, you know, everyone's really scrutinizing everything SolarWinds has done.

Now, there's going to be a lot of mystery in this. We can't just point the finger and say who did this right away, because that's complicated. And unless the threat actor really comes forward with some inside piece of information because they want to have a feather in their hat and claim they did it, you can only look at what they were after and make a lot of assumptions about the target of who it is. And I'll leave that to the people who are much more expert at it than me. And I'll leave links to, of course, the Microsoft article, the FireEye article, the SolarWinds one, and this SolarFlare. I like that there's also going to be a lot of play on words for a lot of these as we kind of shake things out. Boy, they picked a cool name to come up with other threat and exploit names from. But that's just riffing off of it, and it probably doesn't, you know, really help anything, but it makes it kind of fun looking at it.

Now, the last thing I want to cover is that the Cybersecurity and Infrastructure Security Agency, CISA, has had other announcements. And one of them is just flat-out scary. This just came out on Friday, December 18th. And CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain. My understanding and takeaway from this, if you will, is that it sounds like there are some other things that may have been contacted that weren't using SolarWinds Orion. So more diving into more things to look at. And yeah, keep an eye on this, because obviously we know there could be additional threat actors going here. Now, it also could just be one of those results where they were there unrelated. Another piece of software, another compromise.
Just someone clicked an email, something simple. But because everything's being turned upside down on the internet right now, anything that had Orion on it, or didn't, in any government agency is just on high levels of alert, taking closer and closer looks at things. I even talked to a couple of friends that went threat level red when they saw something that turned out to be completely benign as well. So this is part of the knee-jerk reaction and panic, which is well founded, I think. This is, we're all in a hyper mode of looking at everything, auditing every log, double-checking it, not just kind of scrolling through them passively. Not that you should ever do that. I'm just saying we are all in a heightened state of alert. We're all diving into this deeply, everyone I know that works in tech right now that touches anything security. And technically, if you work in tech at all, you have a pretty deep involvement with security, whether you directly do or indirectly do. Security is of the utmost concern as a topic right here going into the holidays, because we're at the end of December here, and a lot of us are not going to get any sleep until we've turned over everything, audited everything and double-checked and scanned everything once again. So I'll leave links to all this. It's still a lot of interesting reading. It's a lot more complicated than SolarWinds123. The Microsoft write-up, as far as if you want to dive into a few more details of what went wrong and what they were able to find out about this, it's impressive, and it raises the bar for these threat actors, if you want to say that, that they did this much work.
It's almost more than expected in some ways, except if you think it's a nation state, which a lot of us do, because those are the only people we know that would go through this level of painstaking patience, detail and methodical nature to get data just for purposes that appear to be espionage, not your usual, and I wish we didn't have to say the usual, ransomware, but we've kind of been normalized in 2019 and 2020 to them getting in there and just ransomwaring and asking for money. They didn't ransomware and ask for money. That's what your evidence is. It's not your usual suspects of things.

All right, thanks. If you'd like to hire us, head over to laurancesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.laurancesystems.com, where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching, and see you next time.
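The living-off-the-land pattern described in the video (a domain script, then a user script, then creating another user, all run through built-in Windows tools launched from PowerShell) is something a defender can hunt for in process-creation logs. The following is an added example, not code from the video, from Lawrence Systems, Microsoft or FireEye: a small Python detector that scores that three-stage chain over a handful of constructed log lines. The pipe-separated log format, the host and user names, the command lines, the stage regexes and the 30-minute window are all assumptions made for this demo, not a complete LOLBin catalogue.

```python
"""Flag living-off-the-land discovery chains in process-creation logs.

Added example: the detector and every log line below are constructed for
illustration; nothing here comes from the video or from any vendor report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative stage patterns over the command line (assumption: these three
# stages, in any order within the window, are the chain worth alerting on).
STAGES = {
    "domain_enum": [
        re.compile(r"\bnltest(\.exe)?\b.*/dclist", re.I),
        re.compile(r"\bnet(\.exe)?\s+group\b.*\bdomain admins\b", re.I),
        re.compile(r"\bGet-ADDomain(Controller)?\b", re.I),
    ],
    "user_enum": [
        re.compile(r"\bnet(\.exe)?\s+user\b(?!.*\s/add\b)", re.I),
        re.compile(r"\bGet-ADUser\b", re.I),
        re.compile(r"\bwhoami(\.exe)?\b.*/all", re.I),
    ],
    "account_create": [
        re.compile(r"\bnet(\.exe)?\s+user\b.*\s/add\b", re.I),
        re.compile(r"\bNew-(Local|AD)User\b", re.I),
    ],
}

# Only count built-in tools when a script host or shell is the parent.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")

# Constructed sample log: '<iso-timestamp>|<host>|<user>|<parent image>|<command line>'
SAMPLE_LOG = """\
2020-12-15T09:01:12|WS-FIN-07|acme\\jdoe|outlook.exe|C:\\Windows\\System32\\notepad.exe budget.txt
2020-12-15T09:04:45|WS-FIN-07|acme\\jdoe|powershell.exe|nltest.exe /dclist:acme.local
2020-12-15T09:05:10|WS-FIN-07|acme\\jdoe|powershell.exe|net.exe group "Domain Admins" /domain
2020-12-15T09:06:02|WS-FIN-07|acme\\jdoe|powershell.exe|net.exe user /domain
2020-12-15T09:11:30|WS-FIN-07|acme\\jdoe|powershell.exe|net.exe user svc_backup P@ssw0rd! /add
2020-12-15T10:15:00|SRV-AD-01|acme\\admin1|mmc.exe|net.exe user helpdesk2 Welcome1 /add
2020-12-15T11:20:00|WS-HR-02|acme\\asmith|cmd.exe|whoami.exe /all
""".splitlines()


def parse_line(line: str) -> dict | None:
    """Parse one pipe-separated log line; return None for malformed input."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "host": host, "user": user, "parent": parent.lower(), "cmd": cmd}


def classify(cmd: str) -> str | None:
    """Return the first stage whose patterns match the command line, else None."""
    for stage, patterns in STAGES.items():
        if any(p.search(cmd) for p in patterns):
            return stage
    return None


def detect_lotl_chains(lines, window=timedelta(minutes=30)):
    """Alert on hosts where all three stages run from a script host within `window`."""
    hits = defaultdict(list)  # host -> [(timestamp, stage, command line)]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["parent"] not in SCRIPT_HOSTS:
            continue
        stage = classify(ev["cmd"])
        if stage:
            hits[ev["host"]].append((ev["ts"], stage, ev["cmd"]))

    alerts = []
    for host, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            inside = [e for e in events[i:] if e[0] - t0 <= window]
            if {e[1] for e in inside} == set(STAGES):
                alerts.append({"host": host, "start": t0,
                               "stages": sorted({e[1] for e in inside}),
                               "commands": [e[2] for e in inside]})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lotl_chains(SAMPLE_LOG):
        print(f"[ALERT] {alert['host']} from {alert['start']}: {alert['stages']}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

On the sample, only WS-FIN-07 trips the rule: the admin creating an account from mmc.exe on SRV-AD-01 has no script-host parent, and WS-HR-02 only ran a single enumeration command. Shrinking the window to five minutes clears the alert, which is the tuning knob to watch: a patient actor that spaces these commands out will slip past a narrow window, so pair this with the longer-horizon audit the video describes rather than relying on it alone.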