I still don't understand how a private company gets the authority. It's good that someone does, but it defeats the concept of no direct ownership of DNS. I take great exception to Microsoft or any firm being able to collect any info that isn't immediately shared, victim-identifying info excluded.
On Tue, Dec 15, 2020, 9:52 PM Ken Hohhof <[email protected]> wrote:

> This article discusses the domain takeover.
>
> https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/
>
> From: AF <[email protected]> On Behalf Of Steve Jones
> Sent: Tuesday, December 15, 2020 9:34 PM
> To: AnimalFarm Microwave Users Group <[email protected]>
> Subject: Re: [AFMUG] Fireye
>
> How does Microsoft wield the authority to take over domains?
>
> On Mon, Dec 14, 2020, 9:58 PM Steve Jones <[email protected]> wrote:
>
> Wow
>
> I wonder if Orion allowed disabling the quality improvement. I always disable it on anything that lets me.
>
> I'm not quite sure why FireEye still is leading this charge, it's kind of like letting a leper check your prostate
>
> https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
>
> On Mon, Dec 14, 2020, 2:35 PM Steve Jones <[email protected]> wrote:
>
> Lol, double-check for what though?
>
> So now FireEye says it was SolarWinds hacking that breached them
>
> https://www.usatoday.com/story/tech/2020/12/14/fireeye-solarwinds-hack-breach-cybersecurity-attack/6538645002/
>
> Granted I doubt USA Today "journalists" know much about what they're writing about.
>
> This makes the "Russia did it" claims on FireEye's part even more suspect, since they don't have the forensics of SolarWinds, unless they are the security of SolarWinds.
>
> This is going to be a fascinating thing to watch play out.
>
> I don't think most in the media realize this isn't a read-only thing. The Orion components we were looking at required write access and administrative credentials. And that's a tiny podunk WISP.
>
> On Mon, Dec 14, 2020, 2:08 PM Ryan Ray <[email protected]> wrote:
>
> Lots of stuff runs under Orion.
>
> Application Centric Monitor (ACM)
> Database Performance Analyzer Integration Module (DPAIM)
> Enterprise Operations Console (EOC)
> High Availability (HA)
> IP Address Manager (IPAM)
> Log Analyzer (LA)
> Network Automation Manager (NAM)
> Network Configuration Manager (NCM)
> Network Operations Manager (NOM)
> Network Performance Monitor (NPM)
> Network Traffic Analyzer (NTA)
> Server & Application Monitor (SAM)
> Server Configuration Monitor (SCM)
> Storage Resource Monitor (SCM)
> User Device Tracker (UDT)
> Virtualization Manager (VMAN)
> VoIP & Network Quality Manager (VNQM)
> Web Performance Monitor (WPM)
>
> If you're running any of those, double-check your network ASAP.
>
> On Mon, Dec 14, 2020 at 12:02 PM Steve Jones <[email protected]> wrote:
>
> Their sales folks are definitely aggressive. At least it's currently only limited (known) to two Orion platforms. I'm really concerned about this: "...and intended to be a narrow, extremely targeted, and manually executed attack..." What does manually executed mean? Like some dude stuck a USB key in the DOS box running their whole operation?
>
> SolarWinds asks customers with any of the below products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. This version is currently available at customerportal.solarwinds.com.
>
> SolarWinds asks customers with any of the below products for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which will be available today, December 14, 2020, at customerportal.solarwinds.com.
>
> No other versions of Orion Platform products are known to be impacted by this security vulnerability. Other non-Orion products are also not known to be impacted by this security vulnerability.
>
> On Mon, Dec 14, 2020 at 1:53 PM Ryan Ray <[email protected]> wrote:
>
> This is a big deal. SolarWinds Orion is a product used in many of the Top 100 companies in the world. Including tons of healthcare.
>
> I dislike SolarWinds for many reasons and refused to use them even before this hack. Just add another reason to the list.
>
> On Mon, Dec 14, 2020 at 11:49 AM Steve Jones <[email protected]> wrote:
>
> So I'm reading this now that SolarWinds updates have been delivering payloads since June or July. SolarWinds having crazy levels of access to interior infrastructures.
>
> I'm not sure what this is saying, it sounds like what FireEye isn't saying outwardly is their toolset was stolen prior to that and that was how they were able to circumvent the SolarWinds security infrastructure, as SolarWinds relied on FireEye?
>
> Anybody come across any good detail on SolarWinds impacted software? Like if you downloaded the free subnet calculator, will they be taking your Google Home account too? Imma be pretty pissed if they mess with my Google Play playlists.
>
> I wonder if the disruptions with Office 365 and the weird spam filter changes lately are related to cleanup prior to publication.
>
> We are a tiny company and got within a hair of pulling the trigger on various SolarWinds offerings over the years. That's with tiny company tiny budgets. I can't imagine CTO voicemails going down around the world today, depending on budget, you hand the keys over to SolarWinds, and by design, each key you hand over makes sense to spend a little more and hand over another key. How would you even begin to clean up your organization when your systems that would provide you your forensics are the systems that did the damage?
>
> Is this just media hype and more Russia Russia Russia, or is this as big of a deal as it seems?
>
> On Mon, Dec 14, 2020 at 9:01 AM dave <[email protected]> wrote:
>
> DA HUMANITY!!
>
> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>
> I had a customer this morning complaining she couldn't "sign on" to the Internet. I mentioned that Google had an outage this morning, but she responded that she doesn't use any Google services. Of course her email was from a Gmail address.
>
> From: AF <[email protected]> On Behalf Of Mike Hammett
> Sent: Monday, December 14, 2020 6:54 AM
> To: AnimalFarm Microwave Users Group <[email protected]>
> Subject: Re: [AFMUG] Fireye
>
> "I know I'm next, they're coming after my Google Home Mini and my Netflix account."
>
> aaaaannnndddd Google is broken this morning.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
>
> From: "Steve Jones" <[email protected]>
> To: "AnimalFarm Microwave Users Group" <[email protected]>
> Sent: Sunday, December 13, 2020 9:57:21 PM
> Subject: Re: [AFMUG] Fireye
>
> Nope, per FireEye, the toolset had to be released because of it being stolen, was not "in the wild"
>
> Going to get really interesting to see what comes of this, two federal agencies just happen to get hit shortly after. You can do plenty when you know how you would have otherwise been caught.
>
> And that's all FireEye admits to having been breached. I'm gonna go ahead and not take their word on it definitively having been Russia either. Convenient timing after Iran specifically has stated they're going to retaliate for the dead scientist. China will probably confirm this shortly
>
> Pretty sure this is far from over and pretty sure this company is just the first to go public.
>
> I know I'm next, they're coming after my Google Home Mini and my Netflix account.
>
> On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof <[email protected]> wrote:
>
> Not saying you are wrong.
>
> But I think I read somewhere that the FireEye tools that were stolen were a collection of malware already in the wild that they used for testing of client networks. So it was stuff already available, just neatly packaged.
>
> The guys who really f'd up were the "Equation Group" (cough, cough, NSA) who lost novel and very powerful hacking tools like EternalBlue to the Shadow Brokers group.
>
> From: AF <[email protected]> On Behalf Of Steve Jones
> Sent: Sunday, December 13, 2020 8:45 PM
> To: AnimalFarm Microwave Users Group <[email protected]>
> Subject: [AFMUG] Fireye
>
> These guys F'd up beyond belief.
>
> Inept as Jaime would say
>
> --
> AF mailing list
> [email protected]
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
-- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
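The SolarWinds notice quoted in the thread names three affected Orion Platform versions and the build each should move to, and Ryan Ray's post lists the modules that run on the platform. The following is an added example, not code from the AFMUG list, SolarWinds or FireEye: a small Python triage helper that parses Orion version strings of the quoted form ("2020.2", "2020.2 HF 1", "2019.4 HF 5"), checks each host in an inventory against the quoted affected-version list, and puts hosts that need the upgrade first. The version-string grammar, the inventory format and every host name are assumptions made for this example.

```python
"""Orion version triage against the SolarWinds notice quoted in this thread.

Added example; not code from the AFMUG list, SolarWinds or FireEye. Parses
Orion Platform version strings of the form quoted in the thread ("2020.2",
"2020.2 HF 1", "2019.4 HF 5") and reports which hosts in an inventory the
quoted notice tells to upgrade, and to what. The version-string grammar, the
inventory format and all host names are assumptions made for this example.
"""
import re

# Affected version -> fixed version, exactly as quoted in the thread.
# Keys are (major, minor, patch, hotfix) tuples produced by parse_version().
ADVISORY = {
    (2020, 2, 0, 0): "2020.2.1 HF 1",  # Orion Platform v2020.2, no hotfix
    (2020, 2, 0, 1): "2020.2.1 HF 1",  # Orion Platform 2020.2 HF 1
    (2019, 4, 0, 5): "2019.4 HF 6",    # Orion Platform v2019.4 HF 5
}

# Module abbreviations from the "Lots of stuff runs under Orion" list above.
ORION_MODULES = frozenset({
    "ACM", "DPAIM", "EOC", "HA", "IPAM", "LA", "NAM", "NCM", "NOM", "NPM",
    "NTA", "SAM", "SCM", "UDT", "VMAN", "VNQM", "WPM",
})

# Assumed grammar: optional leading "v", "YYYY.minor", optional ".patch",
# optional "HF n" hotfix suffix ("HF1" and "hf 1" parse as well).
_VERSION_RE = re.compile(
    r"^\s*v?(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Turn '2020.2 HF 1' into (2020, 2, 0, 1); raise on anything else."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def assess(version_text):
    """Return (affected, target). target is the fixed build the quoted notice
    names, or None. The notice only says which versions are *known* to be
    impacted, so None means 'not listed', not 'clean'."""
    target = ADVISORY.get(parse_version(version_text))
    return (target is not None, target)


def triage(inventory):
    """inventory: iterable of (host, version_string, [module abbreviations]).
    Returns rows (host, status, target, listed_modules); hosts the notice says
    to upgrade come first, then the rest, each group sorted by host name."""
    rows = []
    for host, version, modules in inventory:
        affected, target = assess(version)
        listed = sorted(m.upper() for m in modules if m.upper() in ORION_MODULES)
        rows.append((host, "UPGRADE" if affected else "NOT_LISTED", target, listed))
    rows.sort(key=lambda row: (row[1] != "UPGRADE", row[0]))
    return rows


# Constructed sample inventory: host names, versions and modules are made up.
SAMPLE_INVENTORY = [
    ("lab-orion-01", "2020.2.1 HF 1", ["NPM"]),               # already on the fixed build
    ("noc-orion-02", "2019.4 HF 5", ["SAM", "IPAM"]),         # notice says: go to 2019.4 HF 6
    ("noc-orion-01", "2020.2 HF 1", ["NPM", "NTA", "NCM"]),   # notice says: go to 2020.2.1 HF 1
    ("dc-orion-01", "v2019.4 HF 6", ["VMAN", "WPM", "DPA"]),  # "DPA" is not in the quoted list
]

if __name__ == "__main__":
    for host, status, target, listed in triage(SAMPLE_INVENTORY):
        action = f"upgrade to {target}" if target else "not in the quoted affected list"
        print(f"{host:14} {status:10} {action:36} modules: {', '.join(listed) or '-'}")
```

The `NOT_LISTED` label deliberately mirrors the wording of the quoted notice ("no other versions ... are known to be impacted"): a host outside the three listed versions is reported as not on the list rather than as clean, which is all the notice supports. Unparseable version strings raise instead of silently falling into `NOT_LISTED`, so a typo in the inventory cannot hide an affected host.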
