①. All reports published so far are limited disclosures.
②. Using the TTPs of the threat actor behind this incident, more covert intrusion incidents can be uncovered.
③. #AttributionDilemma #APT analysis turning point: no organization (including official agencies) can see the full picture of the attack, and this is not a question of resources or capability! (This point needs further observation.)
④. Perhaps the attacker long ago anticipated the analysis the security community is doing now (#VirtualExercise #Wargaming, my other side).
⑤. People from every corner of the US intelligence community have come out to discuss it.
⑦. The biggest mystery of "this case": how did so many enterprises go so long without discovering the C2??? (In this incident, the C2 itself was not complicated.)
Source: https://www.xxx.com/technology/2020/12/15/solarwinds-russia-breach-stock-trades/
FireEye's security system sent an alert to the employee and to the company's security team saying a new device had just been registered to the company's MFA system as if it belonged to the employee. This prompted FireEye to investigate.
As FireEye was trying to determine how the hackers obtained the employee's credentials to register their device, it uncovered the SolarWinds breach into its network. The hackers may have obtained the employee's credentials once inside FireEye's network.
Just want to emphasize there's no evidence a FireEye employee was duped into revealing their credentials to the hackers, as has been previously reported. The hackers could have obtained credentials for this and other employees once they got into FireEye via SolarWinds.
“This tells us the actor had access to SolarWinds’ environment much earlier than this year. We know at minimum they had access Oct. 10, 2019...that intrusion has to originate probably at least a couple of months before that — probably at least mid-2019 [if not earlier].”
Two congressional staffers briefed on the intrusion said FireEye representatives, who met with multiple lawmakers and their staffers this week to discuss the hack, disclosed a potentially embarrassing detail: that the hackers had exploited a security feature called two-factor authentication to gain access to FireEye’s network by duping an employee into revealing his or her credentials.
In a 2016 blog post, FireEye laid out how such an attack might be carried out, noting that while “two-factor authentication is a best practice for securing remote access, it is also a Holy Grail for a motivated red team” — a reference to security professionals hired to find clients’ weak points — who can “use the most straightforward method to acquire the credentials we need: ask the victim to enter them for us. The perfect trap happens to be the simplest to set.”
Asked for comment, however, FireEye officials denied the congressional staffers’ account, insisting that none of its employees were tricked and that the company caught the breach when the hackers tried to register a new device on FireEye’s system. A spokesperson also reiterated that the SolarWinds compromise was itself the source of the attack against FireEye.
“We’re thinking they wanted to test whether or not it was going to work and whether it would be detected. So it was more or less a dry run,” a source familiar with the investigation told Yahoo News. “They took their time. They decided to not go out with an actual backdoor right away. That signifies that they’re a little bit more disciplined and deliberate.”
The exact number of infected victims is still unknown, but according to reports, some of the victims breached via the spring 2020 files include: the US Treasury and Commerce Departments, the Department of Homeland Security, national laboratories working for the Department of Energy, and the National Nuclear Security Administration, which oversees the nation's nuclear weapons stockpile. In the commercial sector, the security firm FireEye was also hacked through SolarWinds software, and Microsoft acknowledged Tuesday night that it too had found malicious SolarWinds files on its network. Not all SolarWinds customers downloaded the malicious update.
After discovering the hackers in its network, FireEye first disclosed the espionage campaign in a blog post on December 8, although it did not mention SolarWinds as the source of its network breach. Sources said the company did not realize the SolarWinds connection until after it published its post.
Investigators have so far found no evidence the attackers did anything to infected machines once the malicious Oct 2019 SolarWinds software was installed; this suggests it was just a dry run to test that their malicious files would deliver to customer machines and not be detected.
— Kim Zetter (@KimZetter) December 18, 2020
https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html
https://www.xxx.com/news/2020/12/16/russian-hackers-fireeye-cyberattack-447226
If so, then that's evidence of perhaps a simultaneous compromise of SolarWinds itself.
Otherwise, it's evidence of SolarWinds instances themselves being attacked.
For what it's worth, none of my SolarWinds updates that DO have a compromised SolarWinds.Orion.Core.BusinessLayer.dll also have a backdoored App_Web_logoimagehandler.ashx.b6031896.dll. I'd say that these SolarWinds *instances* were probably compromised directly vs. supply chain.
Source: @wdormann
This article was first published on the WeChat public account 天御攻防实验室: SolarWinds supply chain attack "anecdotes"