Hack Update - Solarwinds Orion Compromised

6,341 Views | 51 Replies | Last: 2 yr ago by mickeyrig06sq3
mickeyrig06sq3
AG
My guess is it's probably the reason FireEye got compromised. They haven't explicitly stated it, but the timing ain't a coincidence. Based on the "highly sophisticated, manual supply chain attack", it sounds like they had someone inside slipping something extra into their patches.

Solarwinds Advisory
Quote:

SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.

CRN Article
Quote:

SolarWinds confirmed in a security advisory issued late Sunday that it experienced a manual supply chain attack on versions of Orion released between March and June of this year.

"The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors," Mandia said. "Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."
...
"This campaign may have begun as early as Spring 2020 and is currently ongoing," FireEye's threat researchers said. "The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security."

The malware masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.

FireEye Analysis

Quote:


  • FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
  • The attacker's post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
  • The campaign is widespread, affecting public and private organizations around the world.
  • FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.

...
FireEye has detected this activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.
mickeyrig06sq3
AG
Poor Zoom. Probably a crap ton of emergency calls ongoing right now.
Naveronski
AG
Big yikes.
aggielostinETX
AG
Fireeye confirmed last night it was from Solarwinds.
BQ2001
AG
Our company is scrambling too. Solarwinds servers have all been powered off for now. Luckily my team stopped managing them at the beginning of the year.
aggielostinETX
AG
Rebuild before reconnecting
bkag9824
AG
I'll ask again... what's this mean for the average Joe?
mickeyrig06sq3
AG
bkag9824 said:

I'll ask again... what's this mean for the average Joe?
Directly, nothing. Indirectly, it all depends on what the companies find. A truncated list of known partners is at this link.

We won't know the far-reaching impact until all of those companies start doing audits. Step one is stopping the vulnerability, step two will be forensics to see if anything got exfiltrated/compromised. Also depends on the intent of the controller. With it being currently designated as nation-state, it's a big unknown. They could have had a specific target in mind (like FireEye), or they could just be seeing what they could get.
aggielostinETX
AG
bkag9824 said:

I'll ask again... what's this mean for the average Joe?


Unknown what the exposure is yet
BQ2001
AG
Yep, 100% what is happening, just waiting on new installs from SW. All virtual stuff so not too complicated for us.
mickeyrig06sq3
AG
This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
aggielostinETX
AG
I think SW had known since summer. Fireeye forced their hand.
Lathspell
AG
mickeyrig06sq3 said:

This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
Yeah... isn't that what we call "illegal"?
TMoney2007
AG
mickeyrig06sq3 said:

This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
Selling a month before the peak isn't exactly suspicious. They usually schedule sell orders at least a quarter in advance.
Oh Four Five
AG
DallasTeleAg said:

mickeyrig06sq3 said:

This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
Yeah... isn't that what we call "illegal"?
Not only that, but he sold over half a million shares the day before and over 350k shares in Aug. Could be a coincidence but definitely looks suspicious.
A is A
AG
mickeyrig06sq3 said:

Poor Zoom. Probably a crap ton of emergency calls ongoing right now.
If my security company is using zoom for emergency meetings, please let us know. Would not want them to be my security company anymore.
aggielostinETX
AG
nutmegger_aggie said:

mickeyrig06sq3 said:

Poor Zoom. Probably a crap ton of emergency calls ongoing right now.
If my security company is using zoom for emergency meetings, please let us know. Would not want them to be my security company anymore.


Why not?
IrishAg
Another good article on it

Pretty much, the threat actor's cycles have probably run and they got everything they needed. But this was an extremely effective supply chain attack that probably allowed them to monitor email accounts for months. Will take a long time to understand the extent of the information that they got. But if they were in the Treasury and Commerce departments, it's a fair bet they're trying to do something bigger than just steal random data from companies. Probably looking to manipulate the value of currency or a particular commodity, or could be looking for leverage into the current and new administration. Scary stuff.
TMoney2007
AG
DL04 said:

DallasTeleAg said:

mickeyrig06sq3 said:

This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
Yeah... isn't that what we call "illegal"?
Not only that, but he sold over half a million shares the day before and over 350k shares in Aug. Could be a coincidence but definitely looks suspicious.
C-level executives for publicly traded companies are generally required to file their trading plan well in advance (like at least a quarter),... It's highly unlikely that there's anything going on here.

It's more likely that they were trying to take income before next year since it looked like Biden and lots of Democrats had a good chance of winning the election by the end of Q2.

If they were going to do something shady, they're not going to do it using shares in their own names,... Think about it.
mickeyrig06sq3
AG
TMoney2007 said:

DL04 said:

DallasTeleAg said:

mickeyrig06sq3 said:

This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
Yeah... isn't that what we call "illegal"?
Not only that, but he sold over half a million shares the day before and over 350k shares in Aug. Could be a coincidence but definitely looks suspicious.
C-level executives for publicly traded companies are generally required to file their trading plan well in advance (like at least a quarter),... It's highly unlikely that there's anything going on here.

It's more likely that they were trying to take income before next year since it looked like Biden and lots of Democrats had a good chance of winning the election by the end of Q2.

If they were going to do something shady, they're not going to do it using shares in their own names,... Think about it.
Was reading the same a little later on. Thought about correcting my post, but the horse had already left the gate.
Kuz89
AG
DHS is recommending all devices managed by Solarwinds be rebuilt. DAMN! This would mean routers, core switches and firewalls...

  • We should immediately change the password for all service accounts used by or stored in Solarwinds.
  • Our servers should remain down and should not be brought back online for upgrade as originally planned. These servers will need to be completely rebuilt and unfortunately it's not yet clear which versions are safe. Solarwinds recommends upgrading to 2020.2.1 HF1 but DHS does not believe it's safe.
  • They're recommending that all devices managed by Solarwinds be rebuilt. Basically assume anything managed by Solarwinds has been compromised.
RockOn
Stock sales happen regularly from executives considering the likelihood of stock options, vesting regularly, and lock-up periods expiring etc. It's just a different way of doling out a bonus these days.
mickeyrig06sq3
AG
Kuz89 said:

DHS is recommending all devices managed by Solarwinds be rebuilt. DAMN! This would mean routers, core switches and firewalls...

  • We should immediately change the password for all service accounts used by or stored in Solarwinds.
  • Our servers should remain down and should not be brought back online for upgrade as originally planned. These servers will need to be completely rebuilt and unfortunately it's not yet clear which versions are safe. Solarwinds recommends upgrading to 2020.2.1 HF1 but DHS does not believe it's safe.
  • They're recommending that all devices managed by Solarwinds be rebuilt. Basically assume anything managed by Solarwinds has been compromised.

The rebuild is probably more related to endpoint servers. For infrastructure you're looking more at modifying various credential sets. Depends on the environment as well. The companies out there who were lax with internal security protocols are feeling the heat because of how this compromise is operating, and how long of a window this thing has had to operate.
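The credential step in the DHS guidance quoted above has a timing subtlety that the reply also hints at: a password rotated while the Orion server was still running was handed straight back to a system that must be assumed compromised. The following Python is an added example, not code from DHS, SolarWinds, CISA or anyone in this thread; the account names, dates, inventory fields and the shutdown date are constructed for illustration. It builds the list of service accounts that still need a fresh password, counting only rotations that happened after the server was powered off.

```python
"""Credential-rotation triage after a SolarWinds Orion server is taken offline.

Added example (not from the thread or any vendor). Policy encoded:
  * every service account used by Orion or stored in Orion gets a new password;
  * a rotation only counts if it happened strictly after the Orion server was
    powered off, because a secret rotated earlier was stored back into (or used
    by) a server that must be treated as compromised.
All account names, flags and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class ServiceAccount:
    name: str
    used_by_orion: bool     # Orion authenticates with it (polling, WMI, SNMPv3, ...)
    stored_in_orion: bool   # credential lives in the Orion credential store
    last_rotated: date      # most recent password change


# Constructed date on which the Orion server was powered off (hypothetical).
ORION_OFFLINE_DATE = date(2020, 12, 15)

# Constructed inventory; these are not real accounts.
SAMPLE_INVENTORY = [
    ServiceAccount("svc-orion-poller", True, True, date(2020, 1, 15)),   # never rotated
    ServiceAccount("svc-sql-orion", True, True, date(2020, 12, 14)),     # rotated one day too early
    ServiceAccount("svc-backup", False, True, date(2020, 12, 16)),       # rotated after shutdown
    ServiceAccount("svc-printing", False, False, date(2019, 6, 1)),      # unrelated to Orion
]


def needs_rotation(acct: ServiceAccount, offline_date: date) -> bool:
    """True if the account is in Orion's blast radius and has no post-shutdown rotation."""
    if not (acct.used_by_orion or acct.stored_in_orion):
        return False
    # A change on or before the shutdown date does not count: the new secret was
    # still exposed to the compromised server.
    return acct.last_rotated <= offline_date


def rotation_plan(inventory, offline_date: date = ORION_OFFLINE_DATE):
    """Sorted names of accounts that must be rotated before anything is reconnected."""
    return sorted(a.name for a in inventory if needs_rotation(a, offline_date))


if __name__ == "__main__":
    for name in rotation_plan(SAMPLE_INVENTORY):
        print("rotate:", name)
```

The conservative comparison (`<=` rather than `<`) deliberately treats a same-day rotation as exposed; relax it only if you can prove from timestamps that the change happened after the server was down.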
tk for tu juan
Almost expected to see Dominion on the list of companies that use SolarWinds software.
DeWrecking Crew
tk for tu juan said:

Almost expected to see Dominion on the list of companies that use SolarWinds software.


You were saying....
Not a Bot
AG
More information. Attackers were able to bypass MFA.

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
TMoney2007
AG
mickeyrig06sq3 said:

TMoney2007 said:

DL04 said:

DallasTeleAg said:

mickeyrig06sq3 said:

This doesn't make them look very good

Quote:

President & CEO of Solarwinds Corp (30-Year Financial, Insider Trades) Kevin B Thompson (insider trades) sold 166,129 shares of SWI on 11/19/2020 at an average price of $21.65 a share. The total sale was $3.6 million.

Hopefully just a coincidence.
Yeah... isn't that what we call "illegal"?
Not only that, but he sold over half a million shares the day before and over 350k shares in Aug. Could be a coincidence but definitely looks suspicious.
C-level executives for publicly traded companies are generally required to file their trading plan well in advance (like at least a quarter),... It's highly unlikely that there's anything going on here.

It's more likely that they were trying to take income before next year since it looked like Biden and lots of Democrats had a good chance of winning the election by the end of Q2.

If they were going to do something shady, they're not going to do it using shares in their own names,... Think about it.
Was reading the same a little later on. Thought about correcting my post, but the horse had already left the gate.
I'm not saying that they didn't do ANYTHING shady, but it's not going to be something that people like you or me would read about in a public insider trading disclosure.
mickeyrig06sq3
AG
There was a CISA public call yesterday. Their stance is that if you have the vulnerable version, just assume you've been compromised. Apparently they've seen some instances of the hacker cleaning up everything on the server except for the initial compromised DLL. Once they've been able to establish other footholds, they can abandon the Solarwinds server and go on to the other systems. Which is fun, because a company could have been compromised in May, and then the Solarwinds portion stopped. Companies that are just looking for the Solarwinds compromised traffic are already late in the game if they fall into that category.

Another item (I need to find the link) basically said that built into the exploit was a DNS check. If any of the C&C servers in its list changed to RFC1918, or IPs for security companies, it turned itself off for a certain period of time.
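The DNS behaviour described in the post above has a defender's reading: a private-range (RFC 1918) answer for the C2 name tells you the implant on that host went dormant, while any query for the name at all tells you the host ran the trojanized build and, given the "assume compromised" stance from the CISA call, still needs full triage. The Python below is an added example, not from the thread, CISA or FireEye. The C2 domain is a placeholder (the real one is not on this page), the log lines are constructed, and the "security company IPs" part of the check is not reproduced because that list is not on the page either.

```python
"""Triage DNS resolver logs for hosts that looked up the backdoor's C2 name.

Added example, not from the thread. Assumes a simple resolver log format
"<timestamp> <client-ip> <qname> <answer-ip>" (constructed) and a placeholder
C2 domain. Classifies each answer as RFC 1918 (implant's self-disable
condition) or routable, and gives a per-host verdict.
"""
import ipaddress
from collections import defaultdict

C2_DOMAIN = "c2-placeholder.invalid"   # placeholder, not a real indicator

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; all addresses are documentation/private ranges.
SAMPLE_DNS_LOG = """\
2020-05-03T10:00:01Z 10.1.2.3 abc123.c2-placeholder.invalid 203.0.113.45
2020-05-03T10:05:01Z 10.1.2.3 abc123.c2-placeholder.invalid 10.0.0.1
2020-05-03T10:07:42Z 10.1.9.9 updates.example.invalid 198.51.100.7
2020-05-03T11:00:00Z 10.1.5.5 def456.c2-placeholder.invalid 192.168.50.4
2020-05-03T11:30:00Z 10.1.7.7 ghi789.c2-placeholder.invalid 198.51.100.200
"""


def is_rfc1918(ip: str) -> bool:
    """True for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def in_c2_domain(qname: str, domain: str = C2_DOMAIN) -> bool:
    """Match the domain itself and any subdomain label under it."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def triage(log_text: str, domain: str = C2_DOMAIN) -> dict:
    """Return {client_ip: {"queries": n, "public": n, "private": n, "verdict": str}}.

    Any host that queried the C2 name is listed, even if every answer was
    private: a dormant implant is still a trojanized build on that host.
    """
    hosts = defaultdict(lambda: {"queries": 0, "public": 0, "private": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = line.split()
        if not in_c2_domain(qname, domain):
            continue
        rec = hosts[client]
        rec["queries"] += 1
        rec["private" if is_rfc1918(answer) else "public"] += 1
    for rec in hosts.values():
        # A routable answer means the beacon could have reached live C2.
        rec["verdict"] = "active" if rec["public"] else "dormant"
    return dict(hosts)


if __name__ == "__main__":
    for host, rec in triage(SAMPLE_DNS_LOG).items():
        print(host, rec)
```

Feed it the resolver logs covering the whole exposure window rather than only recent traffic, for the reason the post gives: the Orion-side activity may have stopped months before the investigation starts.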
kb2001
AG
Is there any truth to the rumor that Solarwinds offices in Austin were raided yesterday by the FBI? I can't seem to find anything about it
MGS
kb2001 said:

Is there any truth to the rumor that Solarwinds offices in Austin were raided yesterday by the FBI? I can't seem to find anything about it
https://texags.com/forums/16/topics/3166010
TMoney2007
AG
kb2001 said:

Is there any truth to the rumor that Solarwinds offices in Austin were raided yesterday by the FBI? I can't seem to find anything about it
In order to save you the tin foil hat required to go to the politics board... It was reported by Gateway Pundit based on a guy that called into Hannity... so you can bet that it hasn't been vetted at all.
mickeyrig06sq3
AG
kb2001 said:

Is there any truth to the rumor that Solarwinds offices in Austin were raided yesterday by the FBI? I can't seem to find anything about it
My guess is someone saw guys in FBI and DHS jackets (and others) show up and they interpreted that as a raid. Any time you have a compromise of this magnitude, the larger companies work hand in hand with multiple agencies to vet out what the exploit was, how to stop it, and the extent of the impact. FireEye probably has the same thing going on. FireEye stock may be a good investment right now. They're probably going to be leading a lot of the investigations and working closely with the alphabet soup.
Average Joe
AG
bkag9824 said:

I'll ask again... what's this mean for the average Joe?
I don't use Orion, so doesn't mean crap for me.
Average Joe
AG
bkag9824 said:

I'll ask again... what's this mean for the average Joe?
In all seriousness, nothing at this moment. Only a couple of versions of a couple of enterprise apps are affected so far.

This could change as we find out if there are additional apps and what, if any, data was exfiltrated.
kb2001
AG
MGS said:

kb2001 said:

Is there any truth to the rumor that Solarwinds offices in Austin were raided yesterday by the FBI? I can't seem to find anything about it
https://texags.com/forums/16/topics/3166010

I've followed that thread. At this point I haven't found any source other than that one, and that one hasn't confirmed it either.

Page 1 of 2