Tom here from Lawrence Systems. SolarWinds went from a name that, well, lots of technical people knew, but the mainstream media probably never would have been able to really think about what that product was, to, after the events that unfolded in December of 2020, well, mainstream news. In February here of 2020 it became a Senate hearing and 60 Minutes coverage, so it is now pretty much everywhere. People are aware of it, people are asking questions about it, and I did some videos about the initial attack vectors, kind of what we knew back then. I also did a video called "It Wasn't As Easy As SolarWinds 1 2 3," because this attack is much more complicated than just a bad password that was used. Not excusing bad passwords, it's just that there was a lot more to this than just a bad password.

I'll also admit that in the 60 Minutes piece this guy said this was an act of cyberterrorism, that the goal behind this was fear, and I think that's taking things way out of context. That's not what was going on here. This was not a terrorist act to put fear in us. The threat actor's goal was espionage. If they wanted to actually create an absolutely chaotic event, well, they had the right tool to do so. They chose to be quiet and clandestine with a list of targets that they wanted to exfiltrate data from, not cause total chaos, financial ruin and some post-apocalyptic shut-down-all-the-systems event. Which, by the way, if you're not familiar with what the SolarWinds Orion system does, it happens to do configuration management. That means it is in the center of all of your systems and has credentials to all of your firewalls and your switches and all of the infrastructure that runs all these companies. If they were to use this tool to flip a switch, turn them off and delete all the configurations of, well, 18,000 major companies (and many of them are major; I say major because we know that out of the Fortune 500 list, I believe 400 companies were on the list), if you talk about breaking the networks of that many companies simultaneously, you do talk about a real event that, well, we just read about in sci-fi writing and things like that: what happens when a major outage of the internet and infrastructure of all these computers go down. That is that type of event. This was a quiet, clandestine event, and the mistake the threat actors made was going after FireEye. That was where they actually were caught.

The other companies they were able to get into, and this does include government bodies, they were able to use and leverage this level of access that the SolarWinds Orion tool had. First they compromised the SolarWinds Orion tool, and that turned into the compromise of all these companies. They used Orion because it lives at the heart of their networks.

Let's break down a timeline and clear up a little bit of confusion here. Microsoft's deep dive was really good on this topic: "Deep dive into the Solorigate second-stage activation: from SUNBURST to TEARDROP and Raindrop." Now, one thing about Microsoft is they decided to call it something else. I'm not into the politics of fighting with security researchers who decide to name things differently, but they did at least do this, and I want to clear up this little piece of confusion: "We have published our in-depth analysis of the Solorigate backdoor malware, also referred to as SUNBURST by FireEye." I wanted to bring it up because sometimes people have asked what's the difference between all of these. There are payloads, there are different names for it and things like that. Specifically, we are going to be talking only here about what Microsoft calls Solorigate and FireEye calls SUNBURST. But yes, there are things such as Trustwave, who were able to find some other flaws not used in this particular attack. So there are a few other things, because security researchers have all jumped on, rightfully so, diving into and seeing if there are any other flaws in the Orion project that may have not been discovered. And of course some were found. Any time you take and really dive deep into software, you're gonna find bugs, and when you take some of the most powerful and really talented security people and they really put a lot of effort into it, they find a lot of bugs in software. That means right now SolarWinds could be some of the most vetted software on the planet.

I feel that there are probably other companies that may have been compromised, and we'll get into some of the details in the timeline, because one of the ways this threat actor did it was by infecting the build server, not the source code. That means, speculatively here, that process may have not only been used against SolarWinds, because from the timeline they came in, put it in there, saw if it was unnoticed, and later removed it. When we go to the timeline, the removal part is really interesting, because if they hadn't attacked FireEye we wouldn't know at all, and we don't know who else may have been attacked and targeted. We don't know, and that's a big piece. There may be someone who got into some of these systems but then removed their access, like they did with SolarWinds, and if they wouldn't have gone after one of these companies such as FireEye, a forensics investigation company, it would be really hard for us to know how that happened.

Now here's Microsoft's timeline of the attack. We have September as when the access begins, September of 2019. This is a real long game that was played here. So the initial access: they inject some code and they wait. They want to see if anyone noticed that they injected code. They actually didn't deploy the backdoor all the way until February 20th of 2020. That's when they actually said, all right, now we're gonna actually push this build and deploy a backdoor. They just put some sample code in there, and when no one noticed it, they're like, let's go a step further, let's keep pushing the envelope until we can get to where we need to be. Then comes May of 2020, when the hands-on activation at targets occurs, and hands-on means, well, hands-on. This is one of the reasons Microsoft said they believe there were as many as a thousand different people working on this project, because they had a targeted list. They did deploy this, and it was roughly 17 or 18 thousand systems that took and loaded this update, but only at companies that were targeted was the actual backdoor activated and then lateral movement across their network pursued. So it was very hands-on, because they would methodically look for and craft how they were gonna get from that particular server to other servers, and how they were going to hide their tracks of how they got there. So they would infect the SolarWinds server that it was running on with the Orion software, and then they would move through the network laterally to get to another server and then try to hide how they got there. That way, if their other attacks would trip up an alarm or alert someone that they were there, you wouldn't know how they got there. This is essentially what happened with FireEye, which made them start taking things apart.

Now we go over to the activation and then malware removed. This is also interesting: on 6/4/20 it appears they've removed the backdoor. Now this goes in and adds to the confusion. If you were a regularly updating customer and you loaded the update that had the backdoor in February, and then you loaded an update after 6/4/20, the update fixed itself, so to speak. Now when you're trying to do your forensics, do you have all the previous versions installed? And you've got to remember this wasn't discovered till December. So it took someone having an old version installed, either because they didn't update it or they kept archives and images of each system from those dates six months prior, to start forensically going through and finding it. This is just a pretty wild investigation and hunt to find out as much as we know right now.

And this gives us an overview of exactly how they got in there. We start with the attacker first compromising the SolarWinds Orion build server, so that's this whole process down here of getting it there. Now if that server, the SolarWinds Orion one, also had access to the internet, then it would go out to the backdoor and connect to their initial C2 server. They were setting up the command and control servers, C2 servers, for each individual target. So it wasn't like normal viruses and malware where there's a C2 server and it's easy to identify all the attacks for that particular virus, which frequently would go to a C2 server or a series of them, to kind of make it obvious for people watching the network, and go, yeah, we know that's on the list. Now, how they get these out and off the list was another interesting piece of this. They had registered domains that had been registered for a long time. We're not exactly clear, well, I should say I'm not exactly clear here, someone may have some of the logs on this, but essentially these domains were registered a long time ago. They weren't new. That's important, because one of the flags you're looking for if you're a security researcher is if you see a server beaconing out to a newly registered server on the internet, a new domain, especially if that domain is outside the US. They used domains inside the US, they used servers inside the US, they also used old domains that had been registered for a long time, basically everything they could do to not trip anyone up, including that it looked like normal telemetry data that would normally be sent. So looking inside it didn't trip any flags either: yep, that's just some quality telemetry data that was flowing out of there, no big deal, nothing there. It was only on the back end that they were actually diving in and using it for command and control and exfiltration.

So they have the initial C2, the second C2. If you're not familiar with Cobalt Strike, you can look up that. That's another remote control tool. The Strike beacon and all this is being done outside of that server that was the initial attack. So if they got into the server that's running SolarWinds Orion, they move laterally in a network to start deploying all these things. So even if these were discovered, you didn't necessarily discover how it got there. So you could remove this, but it didn't necessarily answer the question of how. Now Microsoft goes on further, and I'll leave a link to everything I mentioned here, and breaks down all the finer details: exactly which DLL files were infected and how they sent some of the command and control.

Well, let's talk about discovery real quick, and that comes to the Senate hearings with Kevin. I really liked his testimony and I'm gonna play a little clip of it, because it kind of gives you an idea of just how difficult this was to find and what they had to go through in order to turn their network inside out to discover this.

"But I want to explain how we found this implant, because there's no magic wand to say where's the next implant. When we were compromised, we were set up to do that investigation. It's what we do. We put almost a hundred people on this investigation; almost all of them had ten thousand hours, so to speak, ten thousand hours of doing investigations, and we unearthed every clue we could possibly find, and we still didn't know, so how did the attacker break in? So we had to do extra work, and at some point in time, after exhausting every investigative lead, the only thing left, the earliest evidence of compromise, was a SolarWinds server, and we had to tear it apart. And what I mean by that is we had to decompile it. Specifically there were 18,000 files in the update, 3,500 executable files. We had over a million lines of assembly code. For those of you that haven't looked at assembly, you don't want to. It's something that you have to have specialized expertise to review, understand, piece apart, and we found the proverbial needle in the haystack, an implant. But how did we get there? Thousands of hours of humans investigating everything else."

And that's one of the reasons I share that: you wonder why people missed it. This was not the first place you'd look. This was the last place you'd look for an intrusion: a million lines of assembly, thousands of hours by security researchers who do this for a living. They have the resources over at FireEye to throw at this project. It was on their own network, so it's, you know, taken personally, I'm sure, that someone got in, and they had to turn everything upside down to find it. It was a non-arbitrary task by a company specializing in it. So I think it really says a lot for the scale and scope. I mean, the defenses we have keep getting better and better. That means the adversaries have to work harder and harder to find their way in, so the complexity scale goes up and up on here. This was an absolutely crazy attack from the perspectives we have today. It will be looked at as simple, like, oh, that was child's play to do something that complex, sometime in the future perhaps, but I think there's still a lot we don't know, like was this used before, did this get into other build servers? That's very speculative, I know, but it's so interesting to think about, because we only know this, as I said, because FireEye was one of the people that were attacked, and the threat actors made a mistake about registering a second phone that tripped FireEye to go, wait a minute, something's wrong, stop everything, we're gonna turn our company inside out, upside down, until we find this.

So it was a lot to take in to really dive into all this. I'll leave links to everything and some of the research, and the way forward. That's the one thing I want to leave you with: yes, we can do better. There are ways you can take and look at build servers and do side-by-side builds; that then requires them to compromise two build servers, and more thorough audits can take place. And this isn't just a SolarWinds thing. Recently I did a video called "Dependency Confusion," and I bring that up because it was done by a security researcher for the good team, and the security researcher proved that he could hack many large companies by looking at their dependencies and creating external dependencies for them to pull in libraries and execute on their own build servers. And his attack was successful and paid out a bug bounty from companies like Shopify, Apple and many others. So we do know there are still more flaws and still more tightening up that could be done at all these large companies. This is just the cat and mouse game: you know, keep building better defenses, better adversaries come at it, and better defenses get built, and just figuring out where that spot is and doing everything we can all the time to defend it, and being a better security ecosystem by sharing all the knowledge that can be shared, to help get this word out there and get people to understand these threats are very real, and get people thinking, especially at the development process, of all the security implications that go on in this. Security really is a team sport, and all of us run on the same team named "defending." It's not a secret; we share this knowledge, we get it out there, and that's part of me doing, you know, the videos that I do: just throw more knowledge out there. It's just we all want to see things more secure and not happening like this, for sure.

All right, and thanks, and thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store. We have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally our forums, forums.lawrencesystems.com, where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
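The "beaconing to a newly registered domain" flag the video describes, and why a long-registered domain slips past it, as an added example that is not code from the video or from any of the products or companies it mentions. The log lines, hostnames, domains, registration dates and baseline are constructed placeholders; the first-contact check is a complementary heuristic that goes beyond the talk, and the WHOIS or passive-DNS lookup a real deployment would need is assumed to populate the REGISTERED_ON table.

```python
from datetime import date, datetime
# Constructed outbound-connection log from a hypothetical management server;
# hostnames and domains are placeholders, not indicators from the real campaign.
SAMPLE_LOG = """\
2020-03-02T10:15:04Z orion-mgmt01 443 telemetry.example-old.test
2020-03-02T10:15:05Z orion-mgmt01 443 updates.vendor-a.test
2020-03-02T10:15:09Z orion-mgmt01 443 cdn.fresh-domain.test
2020-03-02T10:15:12Z orion-mgmt01 443 telemetry.example-old.test
"""

# Constructed registration dates, as a WHOIS or passive-DNS lookup would supply them.
REGISTERED_ON = {
    "telemetry.example-old.test": date(2012, 4, 1),  # aged domain: passes an age filter
    "updates.vendor-a.test": date(2015, 7, 19),
    "cdn.fresh-domain.test": date(2020, 2, 21),      # registered ten days before contact
}

# Constructed baseline: domains this environment has contacted before.
BASELINE = {"updates.vendor-a.test"}

def parse_log(text):
    """Split 'timestamp host port domain' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, host, port, domain = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "host": host, "port": int(port), "domain": domain})
    return events

def flag_connections(events, registered_on, baseline, max_age_days=90):
    """Return (timestamp, host, domain, reasons) for connections worth a look."""
    findings, seen = [], set(baseline)
    for ev in events:
        reasons = []
        reg = registered_on.get(ev["domain"])
        age = None if reg is None else (ev["ts"].date() - reg).days
        if age is None:
            reasons.append("registration date unknown")
        elif age <= max_age_days:
            # Age check: the heuristic the video describes; an aged domain passes it.
            reasons.append(f"domain registered {age} days before contact")
        if ev["domain"] not in seen:
            # First-contact check: still fires once for an old, never-seen domain.
            reasons.append("first contact from this environment")
            seen.add(ev["domain"])
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["host"], ev["domain"], reasons))
    return findings

def run_sample():
    return flag_connections(parse_log(SAMPLE_LOG), REGISTERED_ON, BASELINE)
```

On the sample, the aged domain is reported only as a first contact while the fresh domain is reported on both counts; the second contact to the aged domain is silent, which is exactly the gap the video points at.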