Cory is on typically good form in his latest piece about UEFI, TPMs, the Trickbot malware and the god in the machine.
Can’t believe I posted this first. I’m guessing readers of this list are busy with patches?
Seems the attackers got in by inserting malware into the SolarWinds IT management suite. The company wants you to upgrade.
Treasury is a worthy target, too; lots of money to be made if you have inside info on places like that.
I hadn’t seen the SolarWinds suite before. Looking at it, I could see how you could do that with a bunch of open source tools glued together behind a pretty web interface. Whatever lies beneath, I do not envy IT managers the gratuitous “complexity” of the current environment induced by BYOD and cloud deployments…
I’m sure it’s broken in its own special way, but I’ll stick to OpenBSD and SSH for everything networking… but I have the luxury of fewer than 50 machines to manage.
US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack
I was a Windows victim for a few years and occasionally have to return to that abusive relationship in my professional life… so I think I know the answer to this question…
How did the bad guys compromise the DLL signing key?
If they did, that suggests their penetration of SolarWinds is deeper than thought. Surely you would be talking about a fresh, verified installation everywhere, and how does SolarWinds know that core components of their products aren’t compromised at something like a linker or compiler level?
And I suppose there’s a wonderful side-effect (after 20 years of IPv6) of continued reliance on IPv4: the bad guys only need servers on your cloud provider’s network to make it hard to filter packets at the firewall. The alternative is to keep your DNS continuously and rigorously up to date, which sucks. That’s just another level of “hard to spot” when searching for compromised machines.
At the heart of the allegations are claims that China, using a state-controlled mobile phone operator, is directing signalling messages to US subscribers, usually while they are travelling abroad. … Signalling messages are commands that are sent by telecoms operators across the global network, unbeknownst to a mobile phone user. They allow operators to locate mobile phones, connect mobile phone users to one another, and assess roaming charges.
5G ain’t gonna solve this either… last I heard the security flaws found in 5G were basically baked into the protocol and easily exploited. Probably a case of “broken by design”.
5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol, in CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
How to leak data via Wi-Fi when there’s no Wi-Fi chip: Boffin turns memory bus into covert data transmitter
The increasing scale and scope of this thing is alarming, more and more domains (some may be false) getting added to the list daily. 2020 is just determined to send a final “fuck you” before the year is out huh?
DGA (Domain Generation Algorithm) of the Sunburst backdoor produces a domain name that…
But looking at their analysis, this is not a “hack” per se, so much as just a program running on your computer that an insecure upstream supply chain made easy to deploy.
Also… when are we just going to drop IPv4 so that we don’t get bad guys with servers on the same IPv4 sub-net as our/providers computers because the cloud provider dynamically allocates them from an artificially scarce supply?
It looks to me like (a) signed (or even check-summed) DLLs or (a) compile it yourself from signed source and (b) IPv6 sub-netted cloud deployments so that firewalls can block other access at Layer 3 of the network would solve the “hack” in this case.
Edit: the Trojan horse DLLs were indeed signed, then apparently these went ahead and downloaded everything else needed. There are signs that the attack is worse than currently known:
This observation suggests that there are other original access vectors besides SolarWinds Orion, and there may be others that are not yet known. Identifying the affected systems, analyzing them, and cleaning the software of the infections is likely to take months.
A similar attack was observed in July where the bad guy had apparently bypassed Multi-Factor Authentication so it seems more is going on here.
Everything about this just screams lazy practice on the part of the software provider and the victims.
Edit: Seems SolarWinds published a password, format *****123, of an upload server in a GitHub repo in Sep 2019.
Please, someone tell me I’m wrong, I’d love to be wrong, but this just all looks like the bad guys are sitting at the other end gobsmacked at how stupid their targets are…
[…]
CVE-2020-29491 and CVE-2020-29492 are both critical flaws, managing a perfect (although unwelcome) CVSS score of 10 out of 10. The vulnerabilities, which affect all Dell Wyse Thin Clients running ThinOS versions 8.6 or earlier, allow more or less anyone to remotely run malicious code and to access arbitrary files on vulnerable devices.
[…]
This is the best summary I’ve seen so far:
Although updates continue to come in:
My oh-so-humble opinion on this one is that there is no substitute for knowing your s**t. Outsource at your own risk, because this is war, and the bad guys are playing to kill.
Many coworkers over the years have probably gotten tired of hearing me rant that “You don’t outsource your core competencies!” I know I’m sure as hell tired of being proven right over and over again.
Many coworkers over the years have probably gotten tired of hearing me rant that “You don’t outsource your core competencies!”
Amen… but I’ll bet you that most businesses don’t realize what their core competencies are.
If you build trains, for example, welding is sure as heck a core competency. I can point to a firm that outsourced the welding of their train cars. Their Canadian shop had to fix the disastrous results… (one union foreman described their Canadian shop as “like the dwarfs’ forge” because of all the banging and reworking they had to do…)
Banks, for example, are an “information technology”; the smart ones I’ve seen know this and even audit their workstation operating systems (or did, one I know of even started to build its own hardware).
In the current environment, “defence against aggressive nation states’ IT attacks” has to be a core competency for any company doing more than a few million bucks worth of business. What’s sad is that this state of undeclared war leads to substantial costs.
Canada Revenue Agency sent me an email to tell me that I had an email, so I decided to set up an account rather than going in through other authentication, which was a pain.
And then I get to this screen. Oh My Fucking God!
Not only do they have idiot security questions, but they’re from a pre-defined list. /facepalm
Do these people learn computer security from watching bad movies??
Did you test whether they sanitize their database inputs, Bobby? I mean Ricky?
No no, of course not. /whistling as I wait for that BIG refund cheque…