Re: [AFMUG] Fireye

2020-12-16 Thread Ken Hohhof
Evidently MFA isn’t foolproof.

https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/

Re: [AFMUG] Fireye

2020-12-15 Thread Steve Jones
Yeah I read about the CNAME updates and all that. I don't think it's
malicious, I just think it's odd that Microsoft, or any single private
company, has an authority that technically no nation was supposed to have.
I assume somewhere in the bylaws was a mechanism to corral a troublesome
domain.

I have no faith this was Russia because FireEye says it was; they can't
even identify suspicious traffic leaving their own network, and that's
literally their purpose in life. We will never know the depth of this thing.

Saw another article that SolarWinds' update server was identified exposed
last year with an account password of solarwinds123. The article alluded
that that was likely the time of the initial hijack.

It's crazy to think of the billions invested among the 18,000 impacted
organizations on security and it was that thin of a wall between "us" and
"them". A critical component with single-factor authentication and no
password complexity policy. Even my Casey's app wants multifactor
authentication now (sending the code to the same device logging in always
seems funny to me).

Ope

Re: [AFMUG] Fireye

2020-12-15 Thread Ken Hohhof
I think they’re saying what they do is go to a court or a government security 
agency.

 

The domain points to an IP address that is the command and control server for
the malware.  They know the IP address, but I assume it's important to take
over the domain name so they can't just change the IP address.  Many huge
botnets have been shut down by taking over the domain name used for the C&C
servers.  Those operations are almost always months-long projects with
government security agencies working with big companies like Microsoft.

 

You don’t always have to assume evil motives.  They aren’t trying to use the 
malware to snoop on people, they are trying to ID the compromised systems and 
notify the owners so they can do mitigation.  Don’t expect them to unearth a 
treasure trove of documents, it’s the Russians who probably got those.  You 
were hoping for Hillary’s emails, weren’t you.  And Jaime was hoping for 
Trump’s tax returns.

 

From: AF  On Behalf Of Steve Jones
Sent: Tuesday, December 15, 2020 11:34 PM
To: AnimalFarm Microwave Users Group 
Subject: Re: [AFMUG] Fireye

 

I still dont understand how a private company gets the authority. It's good 
that someone does, but it defeats the concept of no direct ownership of dns. I 
take great exception to microsoft or any firm being able to collect any info 
that isnt immediately shared, victim identifying info excluded.

 

On Tue, Dec 15, 2020, 9:52 PM Ken Hohhof mailto:af...@kwisp.com> > wrote:

This article discusses the domain takeover.

https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

 

 

 

From: AF mailto:af-boun...@af.afmug.com> > On Behalf 
Of Steve Jones
Sent: Tuesday, December 15, 2020 9:34 PM
To: AnimalFarm Microwave Users Group mailto:af@af.afmug.com> >
Subject: Re: [AFMUG] Fireye

 

How does Microsoft wield the authority to take over domains?

 

On Mon, Dec 14, 2020, 9:58 PM Steve Jones mailto:thatoneguyst...@gmail.com> > wrote:

Wow

I wonder if Orion allowed disabling the quality improvement. I always disable 
it on anything that let's me. 

I'm not quite sure why fire eye still is leading this charge, it's kind of like 
letting a leper check your prostate

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

 

On Mon, Dec 14, 2020, 2:35 PM Steve Jones mailto:thatoneguyst...@gmail.com> > wrote:

Lol, doublecheck for what though?

 

 

So now fireye says it was solar wind hacking that breached them

 

https://www.usatoday.com/story/tech/2020/12/14/fireeye-solarwinds-hack-breach-cybersecurity-attack/6538645002/

 

Granted I doubt USA today "journalists" know much about what they're writing 
about.

 

This makes the "russia did it" claims on fireye part even more suspect, since 
they dont have the forensics of solar wind, unless they are the security of 
solar wind.

 

This is going to be a fascinating thing to watch play out.

 

I dont think most in the media realize this isnt a read only thing. The Orion 
components we were looking at required write access and administrative 
credentials. And that's a tiny podunk wisp.

 

On Mon, Dec 14, 2020, 2:08 PM Ryan Ray mailto:ryan...@gmail.com> > wrote:

Lots of stuff runs under Orion.

 

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module (DPAIM)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

Network Performance Monitor (NPM)

Network Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SCM)

User Device Tracker (UDT)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)

 

If you're running any of those, double check your network asap. 

 

On Mon, Dec 14, 2020 at 12:02 PM Steve Jones mailto:thatoneguyst...@gmail.com> > wrote:

Their sales folks are definitely aggressive.  At least its currently only 
limited (known) to two Orion platforms. Im really concerned about this: "...and 
intended to be a narrow, extremely targeted, and manually executed attack..." 
what does manually executed mean? Like some dude stuck a USB key in the DOS box 
running their whole operation?

 

SolarWinds asks customers with any of the below products for Orion Platform 
v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 
2020.2.1 HF 1 as soon as possible to ensure the security of your environment. 
This version is currently available at  
<https://customerportal.solarwinds.com/> customerportal.solarwinds.com. 

 

SolarWinds asks customers with any of the below products for Orion Platform 
v2019.4 HF 5 to update to 2019.4 HF 6, which w

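Ken's point above, that seizing the C&C domain and pointing it at infrastructure the defenders control turns every machine that still beacons into a self-identifying victim, is illustrated by the following added example. It is not code from this thread or from any company named in it. It takes constructed resolver log lines from a hypothetical sinkhole, matches queries against the seized zones (the apex and any subdomain, since C&C schemes often encode data in the leftmost labels), and builds the per-source report that the owner notifications Ken describes would be based on. The zone names, client addresses, timestamps and log format are all made up for the illustration.

```python
"""Sinkhole log triage: which hosts are still beaconing to a seized C&C domain?

Added example. The seized zones, client addresses and log format below are
invented for illustration; they are not from the thread or any real takedown.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable, Optional

# Hypothetical C&C zones that have been seized and now resolve to the sinkhole.
SEIZED_ZONES = frozenset({"c2-update.example", "telemetry-cdn.example"})


@dataclass
class Victim:
    """One source address seen querying a seized zone."""
    source_ip: str
    first_seen: datetime
    last_seen: datetime
    queries: int = 0
    names: set = field(default_factory=set)


def seized_zone_for(qname: str) -> Optional[str]:
    """Return the seized zone that qname falls under, or None.

    Matches the zone apex and any subdomain of it, case-insensitively and
    ignoring a trailing dot. A look-alike such as 'notc2-update.example' must
    NOT match, so the suffix test insists on the label boundary ('.' + zone).
    """
    name = qname.rstrip(".").lower()
    for zone in SEIZED_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def parse_line(line: str):
    """Parse one constructed log line: '<ISO timestamp> <client ip> <qname> <qtype>'.

    Returns (timestamp, client, qname), or None for a malformed line, which
    any real log will contain.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def identify_victims(lines: Iterable[str]) -> dict:
    """Aggregate sinkhole queries per source address.

    Only queries for a seized zone count; everything else the resolver saw is
    ordinary traffic and is ignored.
    """
    victims: dict = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if seized_zone_for(qname) is None:
            continue
        v = victims.get(client)
        if v is None:
            v = victims[client] = Victim(client, ts, ts)
        v.first_seen = min(v.first_seen, ts)
        v.last_seen = max(v.last_seen, ts)
        v.queries += 1
        v.names.add(qname.rstrip(".").lower())
    return victims


def notification_report(victims: dict) -> list:
    """One line per victim, ordered by first sighting, for the owner notification."""
    rows = []
    for v in sorted(victims.values(), key=lambda x: x.first_seen):
        rows.append(
            f"{v.source_ip}: {v.queries} queries, first {v.first_seen.isoformat()}, "
            f"last {v.last_seen.isoformat()}, names={sorted(v.names)}"
        )
    return rows


# Constructed sample: two infected hosts, one clean host, a look-alike name
# that must not match, and a malformed line.
SAMPLE_LOG = [
    "2020-12-15T02:14:07 10.20.30.40 ntp.example.net A",
    "2020-12-15T02:14:09 10.20.30.40 k3j9x2q.api.c2-update.example A",
    "2020-12-15T02:17:42 10.20.30.41 www.example.com A",
    "2020-12-15T02:18:01 10.20.30.40 k3j9x2q.api.c2-update.example A",
    "2020-12-15T02:19:55 192.0.2.77 C2-UPDATE.EXAMPLE. A",
    "2020-12-15T02:20:10 192.0.2.77 notc2-update.example A",
    "this line is garbage",
]

if __name__ == "__main__":
    for row in notification_report(identify_victims(SAMPLE_LOG)):
        print(row)
```

Run as a script it prints two report rows, one per beaconing host; the clean host and the look-alike domain never appear, and the malformed line is skipped rather than aborting the run. In a real takedown the same aggregation would be fed by the sinkhole's resolver or HTTP front end and joined against WHOIS or ASN data to find the owner to notify.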
Re: [AFMUG] Fireye

2020-12-15 Thread Steve Jones
I still don't understand how a private company gets the authority. It's good
that someone does, but it defeats the concept of no direct ownership of
DNS. I take great exception to Microsoft or any firm being able to collect
any info that isn't immediately shared, victim-identifying info excluded.

Re: [AFMUG] Fireye

2020-12-15 Thread Ken Hohhof
This article discusses the domain takeover.

https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

From: AF  On Behalf Of Steve Jones
Sent: Tuesday, December 15, 2020 9:34 PM
To: AnimalFarm Microwave Users Group 
Subject: Re: [AFMUG] Fireye

How does Microsoft wield the authority to take over domains?

On Mon, Dec 14, 2020, 9:58 PM Steve Jones wrote:

Wow

I wonder if Orion allowed disabling the quality improvement. I always disable
it on anything that lets me.

I'm not quite sure why FireEye still is leading this charge, it's kind of like
letting a leper check your prostate

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

On Mon, Dec 14, 2020, 2:35 PM Steve Jones wrote:

Lol, double-check for what though?

So now FireEye says it was SolarWinds hacking that breached them

https://www.usatoday.com/story/tech/2020/12/14/fireeye-solarwinds-hack-breach-cybersecurity-attack/6538645002/

Granted I doubt USA Today "journalists" know much about what they're writing
about.

This makes the "Russia did it" claims on FireEye's part even more suspect, since
they don't have the forensics of SolarWinds, unless they are the security of
SolarWinds.

This is going to be a fascinating thing to watch play out.

I don't think most in the media realize this isn't a read-only thing. The Orion
components we were looking at required write access and administrative
credentials. And that's a tiny podunk WISP.

On Mon, Dec 14, 2020, 2:08 PM Ryan Ray wrote:

Lots of stuff runs under Orion.

 

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module (DPAIM)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

Network Performance Monitor (NPM)

Network Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SCM)

User Device Tracker (UDT)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)

 

If you're running any of those, double-check your network asap.

On Mon, Dec 14, 2020 at 12:02 PM Steve Jones wrote:

Their sales folks are definitely aggressive.  At least it's currently only
limited (known) to two Orion platforms. I'm really concerned about this: "...and
intended to be a narrow, extremely targeted, and manually executed attack..."
What does manually executed mean? Like some dude stuck a USB key in the DOS box
running their whole operation?

SolarWinds asks customers with any of the below products for Orion Platform
v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version
2020.2.1 HF 1 as soon as possible to ensure the security of your environment.
This version is currently available at https://customerportal.solarwinds.com/.

SolarWinds asks customers with any of the below products for Orion Platform
v2019.4 HF 5 to update to 2019.4 HF 6, which will be available today, December
14, 2020, at https://customerportal.solarwinds.com/.

No other versions of Orion Platform products are known to be impacted by this
security vulnerability. Other non-Orion products are also not known to be
impacted by this security vulnerability.

On Mon, Dec 14, 2020 at 1:53 PM Ryan Ray wrote:

This is a big deal. SolarWinds Orion is a product used in many of the Top 100
companies in the world. Including tons of healthcare.

I dislike SolarWinds for many reasons and refused to use them even before this
hack. Just add another reason to the list.

Re: [AFMUG] Fireye

2020-12-15 Thread Steve Jones
>>>>>
>>>>>> So I'm reading this now that SolarWinds updates have been delivering
>>>>>> payloads since June or July. SolarWinds having crazy levels of access to
>>>>>> interior infrastructures.
>>>>>>
>>>>>> I'm not sure what this is saying, it sounds like what FireEye
>>>>>> isn't saying outwardly is their toolset was stolen prior to that and that
>>>>>> was how they were able to circumvent the SolarWinds security
>>>>>> infrastructure, as SolarWinds relied on FireEye?
>>>>>>
>>>>>> Anybody come across any good detail on SolarWinds impacted software?
>>>>>> Like if you downloaded the free subnet calculator, will they be taking your
>>>>>> Google Home account too? Imma be pretty pissed if they mess with my Google
>>>>>> Play playlists.
>>>>>>
>>>>>> I wonder if the disruptions with Office 365 and the weird spam filter
>>>>>> changes lately are related to cleanup prior to publication.
>>>>>>
>>>>>> We are a tiny company and got within a hair of pulling the trigger
>>>>>> on various SolarWinds offerings over the years. That's with tiny company
>>>>>> tiny budgets. I can't imagine CTO voicemails going down around the world
>>>>>> today, depending on budget, you hand the keys over to SolarWinds, and by
>>>>>> design, each key you hand over makes sense to spend a little more and hand
>>>>>> over another key. How would you even begin to clean up your organization
>>>>>> when your systems that would provide you your forensics are the systems
>>>>>> that did the damage?
>>>>>>
>>>>>> Is this just media hype and more Russia Russia Russia, or is this as
>>>>>> big of a deal as it seems
>>>>>>

Re: [AFMUG] Fireye

2020-12-14 Thread Steve Jones
>>>>>
>>>>> On Mon, Dec 14, 2020 at 9:01 AM dave  wrote:
>>>>>
>>>>>> DA HUMANITY!!
>>>>>>
>>>>>>
>>>>>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>>>>>
>>>>>> I had a customer this morning complaining she couldn't "sign on" to
>>>>>> the Internet.  I mentioned that Google had an outage this morning, but she
>>>>>> responded that she doesn't use any Google services.  Of course her email
>>>>>> was from a Gmail address.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* AF *On Behalf Of *Mike Hammett
>>>>>> *Sent:* Monday, December 14, 2020 6:54 AM
>>>>>> *To:* AnimalFarm Microwave Users Group
>>>>>> *Subject:* Re: [AFMUG] Fireye
>>>>>>
>>>>>>
>>>>>>
>>>>>> "I know I'm next, they're coming after my google home mini and my
>>>>>> netflix account."
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> a  Google is broken this morning.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -
>>>>>> Mike Hammett
>>>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>>>> --
>>>>>>
>>>>>> *From: *"Steve Jones" 
>>>>>> *To: *"AnimalFarm Microwave Users Group" 
>>>>>> *Sent: *Sunday, December 13, 2020 9:57:21 PM
>>>>>> *Subject: *Re: [AFMUG] Fireye
>>>>>>
>>>>>> Nope, per FireEye, the toolset had to be released because of it being
>>>>>> stolen, was not "in the wild"
>>>>>>
>>>>>> Going to get really interesting to see what comes of this, two
>>>>>> federal agencies just happen to get hit shortly after. You can do plenty
>>>>>> when you know how you would have otherwise been caught.
>>>>>>
>>>>>> And that's all FireEye admits to having been breached. I'm gonna go
>>>>>> ahead and not take their word on it definitively having been Russia either.
>>>>>> Convenient timing after Iran specifically has stated they're going to
>>>>>> retaliate for the dead scientist. China will probably confirm this shortly
>>>>>>
>>>>>> Pretty sure this is far from over and pretty sure this company is
>>>>>> just the first to go public.
>>>>>>
>>>>>> I know I'm next, they're coming after my Google Home Mini and my
>>>>>> Netflix account.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof  wrote:
>>>>>>
>>>>>> Not saying you are wrong.
>>>>>>
>>>>>>
>>>>>>
>>>>>> But I think I read somewhere that the FireEye tools that were stolen
>>>>>> were a collection of malware already in the wild that they used for testing
>>>>>> of client networks.  So it was stuff already available, just neatly
>>>>>> packaged.
>>>>>>
>>>>>> The guys who really f'd up were the "Equation Group" (cough, cough,
>>>>>> NSA) who lost novel and very powerful hacking tools like EternalBlue to
>>>>>> the Shadow Brokers group.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* AF  *On Behalf Of *Steve Jones
>>>>>> *Sent:* Sunday, December 13, 2020 8:45 PM
>>>>>> *To:* AnimalFarm Microwave Users Group 
>>>>>> *Subject:* [AFMUG] Fireye
>>>>>>
>>>>>>
>>>>>>
>>>>>> These guys F'd up beyond belief.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Inept as Jaime would say
>>>>>>
>>>>>> --
>>>>>> AF mailing list
>>>>>> AF@af.afmug.com
>>>>>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
>>>>>>


Re: [AFMUG] Fireye

2020-12-14 Thread Steve Jones
Holy fuck, that's a scorched-earth response. That almost seems like a response
that doesn't need to be made public knowledge. Collection, monitoring and
central management will be down. Chaos and confusion as new processes are
onboarded.

On Mon, Dec 14, 2020 at 2:34 PM Robert Andrews wrote:

> Read through some of this and it will confirm how big a deal it is.  And
> if a service you were wondering about isn't working, there is a decent
> chance that this is why...
>
> https://cyber.dhs.gov/ed/21-01/
>
>
>
> On 12/14/2020 11:52 AM, Ryan Ray wrote:
> > This is a big deal. SolarWinds Orion is a product used in many of the
> > Top 100 companies in the world, including tons of healthcare.
> >
> > I dislike SolarWinds for many reasons and refused to use them even
> > before this hack. Just add another reason to the list.
> >
> >
> >
> > On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:
> >
> > So I'm reading this now that SolarWinds updates have been delivering
> > payloads since June or July. SolarWinds having crazy levels of
> > access to interior infrastructures.
> >
> > I'm not sure what this is saying, it sounds like what FireEye
> > isn't saying outwardly is their toolset was stolen prior to that and
> > that was how they were able to circumvent the SolarWinds security
> > infrastructure, as SolarWinds relied on FireEye?
> >
> > Anybody come across any good detail on SolarWinds impacted
> > software? Like if you downloaded the free subnet calculator, will
> > they be taking your Google Home account too? Imma be pretty pissed
> > if they mess with my Google Play playlists.
> >
> > I wonder if the disruptions with Office 365 and the weird spam filter
> > changes lately are related to cleanup prior to publication.
> >
> > We are a tiny company and got within a hair of pulling the trigger
> > on various SolarWinds offerings over the years. That's with tiny
> > company tiny budgets. I can't imagine CTO voicemails going down
> > around the world today. Depending on budget, you hand the keys over
> > to SolarWinds, and by design, each key you hand over makes sense to
> > spend a little more and hand over another key. How would you even
> > begin to clean up your organization when your systems that would
> > provide you your forensics are the systems that did the damage?
> >
> > Is this just media hype and more Russia Russia Russia, or is this as
> > big of a deal as it seems?
> >
> > On Mon, Dec 14, 2020 at 9:01 AM dave wrote:
> >
> > DA HUMANITY!!
> >
> >
> > On 12/14/20 8:58 AM, Ken Hohhof wrote:
> >>
> >> I had a customer this morning complaining she couldn’t “sign
> >> on” to the Internet.  I mentioned that Google had an outage
> >> this morning, but she responded that she doesn’t use any
> >> Google services.  Of course her email was from a Gmail
> >> address.
> >>
> >> *From:* AF *On Behalf Of *Mike Hammett
> >> *Sent:* Monday, December 14, 2020 6:54 AM
> >> *To:* AnimalFarm Microwave Users Group
> >> *Subject:* Re: [AFMUG] Fireye
> >>
> >> "I know I'm next, they're coming after my google home mini and
> >> my netflix account."
> >>
> >> a  Google is broken this morning.
> >>
> >> -
> >> Mike Hammett
> >> Intelligent Computing Solutions <http://www.ics-il.com/>
> >> <https://www.facebook.com/ICSIL>
> >> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> >> <https://www.linkedin.com/company/intelligent-computing-solutions>
> >> <https://twitter.com/ICSIL>
> >> Midwest Internet Exchange <http://www.midwest-ix.com/>
> >> <https://www.facebook.com/mdwestix>
> >> <https://www.linkedin.com/company/midwest-internet-exchange>
> >> <https://twitter.com/mdwestix>
> >> The Brothers WISP <http://www.thebrotherswisp.com/>
> >> <https://www.facebook.com/thebrotherswisp>
> >> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> >> --
> >>
> >> *From: *"Steve Jones"
> >> *To: *"AnimalFarm Microwave Users Group"
> >> *Sent: *Sunday, December 13, 2020 9:57:21 PM
> >> *Subject: *Re: [AFMUG] Fireye
> >>
> >> Nope, per FireEye, the toolset had to be released because of its
> >> being stolen; it was not "in the wild"
> >>
> >> Going to get really 

Re: [AFMUG] Fireye

2020-12-14 Thread Steve Jones
d over makes sense to spend a little more and hand over
>>>> another key. How would you even begin to clean up your organization when
>>>> your systems that would provide you your forensics are the systems that did
>>>> the damage?
>>>>
>>>> Is this just media hype and more Russia Russia Russia, or is this as big
>>>> of a deal as it seems?
>>>>
>>>> On Mon, Dec 14, 2020 at 9:01 AM dave wrote:
>>>>
>>>>> DA HUMANITY!!
>>>>>
>>>>>
>>>>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>>>>
>>>>> I had a customer this morning complaining she couldn’t “sign on” to
>>>>> the Internet.  I mentioned that Google had an outage this morning, but she
>>>>> responded that she doesn’t use any Google services.  Of course her email
>>>>> was from a Gmail address.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> *From:* AF *On Behalf Of *Mike Hammett
>>>>> *Sent:* Monday, December 14, 2020 6:54 AM
>>>>> *To:* AnimalFarm Microwave Users Group
>>>>> *Subject:* Re: [AFMUG] Fireye
>>>>>
>>>>>
>>>>>
>>>>> "I know I'm next, they're coming after my google home mini and my
>>>>> netflix account."
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> a  Google is broken this morning.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -
>>>>> Mike Hammett
>>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>>> <https://www.facebook.com/ICSIL>
>>>>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>>>>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>>>>> <https://twitter.com/ICSIL>
>>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>>> <https://www.facebook.com/mdwestix>
>>>>> <https://www.linkedin.com/company/midwest-internet-exchange>
>>>>> <https://twitter.com/mdwestix>
>>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>>> <https://www.facebook.com/thebrotherswisp>
>>>>>
>>>>>
>>>>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>>>>> --
>>>>>
>>>>> *From: *"Steve Jones" 
>>>>> *To: *"AnimalFarm Microwave Users Group" 
>>>>> *Sent: *Sunday, December 13, 2020 9:57:21 PM
>>>>> *Subject: *Re: [AFMUG] Fireye
>>>>>
>>>>> Nope, per FireEye, the toolset had to be released because of its being
>>>>> stolen; it was not "in the wild"
>>>>>
>>>>>
>>>>>
>>>>> Going to get really interesting to see what comes of this, two federal
>>>>> agencies just happen to get hit shortly after. You can do plenty when you
>>>>> know how you would have otherwise been caught.
>>>>>
>>>>>
>>>>>
>>>>> And that's all FireEye admits to having been breached. I'm gonna go
>>>>> ahead and not take their word on it definitively having been Russia
>>>>> either. Convenient timing after Iran specifically has stated they're
>>>>> going to retaliate for the dead scientist. China will probably confirm
>>>>> this shortly.
>>>>>
>>>>>
>>>>>
>>>>> Pretty sure this is far from over and pretty sure this company is just
>>>>> the first to go public.
>>>>>
>>>>>
>>>>>
>>>>> I know I'm next, they're coming after my Google Home Mini and my
>>>>> Netflix account.
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof wrote:
>>>>>
>>>>> Not saying you are wrong.
>>>>>
>>>>>
>>>>>
>>>>> But I think I read somewhere that the FireEye tools that were stolen
>>>>> were a collection of malware already in the wild that they used for
>>>>> testing of client networks.  So it was stuff already available, just
>>>>> neatly packaged.
>>>>>
>>>>>
>>>>>
>>>>> The guys who really f’d up were the “Equation Group” (cough, cough,
>>>>> NSA) who lost novel and very powerful hacking tools like EternalBlue to
>>>>> the Shadow Brokers group.
>>>>>
>>>>>
>>>>>
>>>>> *From:* AF  *On Behalf Of *Steve Jones
>>>>> *Sent:* Sunday, December 13, 2020 8:45 PM
>>>>> *To:* AnimalFarm Microwave Users Group 
>>>>> *Subject:* [AFMUG] Fireye
>>>>>
>>>>>
>>>>>
>>>>> These guys F'd up beyond belief.
>>>>>
>>>>>
>>>>>
>>>>> Inept, as Jaime would say.
>>>>>


Re: [AFMUG] Fireye

2020-12-14 Thread Robert Andrews
Read through some of this and it will confirm how big a deal it is.  And 
if a service you were wondering about isn't working, there is a decent 
chance that this is why...


https://cyber.dhs.gov/ed/21-01/



On 12/14/2020 11:52 AM, Ryan Ray wrote:
This is a big deal. SolarWinds Orion is a product used in many of the
Top 100 companies in the world, including tons of healthcare.


I dislike SolarWinds for many reasons and refused to use them even
before this hack. Just add another reason to the list.




On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:


So I'm reading this now that SolarWinds updates have been delivering
payloads since June or July. SolarWinds having crazy levels of
access to interior infrastructures.

I'm not sure what this is saying, it sounds like what FireEye
isn't saying outwardly is their toolset was stolen prior to that and
that was how they were able to circumvent the SolarWinds security
infrastructure, as SolarWinds relied on FireEye?

Anybody come across any good detail on SolarWinds impacted
software? Like if you downloaded the free subnet calculator, will
they be taking your Google Home account too? Imma be pretty pissed
if they mess with my Google Play playlists.

I wonder if the disruptions with Office 365 and the weird spam filter
changes lately are related to cleanup prior to publication.

We are a tiny company and got within a hair of pulling the trigger
on various SolarWinds offerings over the years. That's with tiny
company tiny budgets. I can't imagine CTO voicemails going down
around the world today. Depending on budget, you hand the keys over
to SolarWinds, and by design, each key you hand over makes sense to
spend a little more and hand over another key. How would you even
begin to clean up your organization when your systems that would
provide you your forensics are the systems that did the damage?

Is this just media hype and more Russia Russia Russia, or is this as
big of a deal as it seems?

On Mon, Dec 14, 2020 at 9:01 AM dave <dmilho...@wletc.com> wrote:

DA HUMANITY!!


On 12/14/20 8:58 AM, Ken Hohhof wrote:


I had a customer this morning complaining she couldn’t “sign
on” to the Internet.  I mentioned that Google had an outage
this morning, but she responded that she doesn’t use any
Google services.  Of course her email was from a Gmail
address.

*From:* AF *On Behalf Of *Mike Hammett
*Sent:* Monday, December 14, 2020 6:54 AM
*To:* AnimalFarm Microwave Users Group
*Subject:* Re: [AFMUG] Fireye

"I know I'm next, they're coming after my google home mini and
my netflix account."

a  Google is broken this morning.

-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
--

*From: *"Steve Jones" <thatoneguyst...@gmail.com>
*To: *"AnimalFarm Microwave Users Group" <af@af.afmug.com>
*Sent: *Sunday, December 13, 2020 9:57:21 PM
*Subject: *Re: [AFMUG] Fireye

Nope, per FireEye, the toolset had to be released because of its
being stolen; it was not "in the wild"

Going to get really interesting to see what comes of this, two
federal agencies just happen to get hit shortly after. You can
do plenty when you know how you would have otherwise been
caught.

And that's all FireEye admits to having been breached. I'm
gonna go ahead and not take their word on it definitively
having been Russia either. Convenient timing after Iran
specifically has stated they're going to retaliate for the
dead scientist. China will probably confirm this shortly.

Pretty sure this is far from over and pretty sure this company
is just the first to go public.

I know I'm next, they're coming after my Google Home Mini and
my Netflix 

Re: [AFMUG] Fireye

2020-12-14 Thread Ryan Ray
Lots of stuff runs under Orion.

Application Centric Monitor (ACM)

Database Performance Analyzer Integration Module (DPAIM)

Enterprise Operations Console (EOC)

High Availability (HA)

IP Address Manager (IPAM)

Log Analyzer (LA)

Network Automation Manager (NAM)

Network Configuration Manager (NCM)

Network Operations Manager (NOM)

Network Performance Monitor (NPM)

Network Traffic Analyzer (NTA)

Server & Application Monitor (SAM)

Server Configuration Monitor (SCM)

Storage Resource Monitor (SCM)

User Device Tracker (UDT)

Virtualization Manager (VMAN)

VoIP & Network Quality Manager (VNQM)

Web Performance Monitor (WPM)


If you're running any of those, double check your network asap.

On Mon, Dec 14, 2020 at 12:02 PM Steve Jones wrote:

> Their sales folks are definitely aggressive.  At least it's currently only
> limited (known) to two Orion platforms. I'm really concerned about this:
> "...and intended to be a narrow, extremely targeted, and manually executed
> attack..." what does manually executed mean? Like some dude stuck a USB key
> in the DOS box running their whole operation?
>
>
> SolarWinds asks customers with any of the below products for Orion
> Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion
> Platform version 2020.2.1 HF 1 as soon as possible to ensure the security
> of your environment. This version is currently available at
> customerportal.solarwinds.com.
>
>
>
> SolarWinds asks customers with any of the below products for Orion
> Platform v2019.4 HF 5 to update to 2019.4 HF 6, which will be available
> today, December 14, 2020, at customerportal.solarwinds.com.
>
>
>
> No other versions of Orion Platform products are known to be impacted by
> this security vulnerability. Other non-Orion products are also not known to
> be impacted by this security vulnerability.
>
> On Mon, Dec 14, 2020 at 1:53 PM Ryan Ray wrote:
>
>> This is a big deal. SolarWinds Orion is a product used in many of the Top
>> 100 companies in the world, including tons of healthcare.
>>
>> I dislike SolarWinds for many reasons and refused to use them even before
>> this hack. Just add another reason to the list.
>>
>>
>>
>> On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:
>>
>>> So I'm reading this now that SolarWinds updates have been delivering
>>> payloads since June or July. SolarWinds having crazy levels of access to
>>> interior infrastructures.
>>>
>>> I'm not sure what this is saying, it sounds like what FireEye isn't saying
>>> outwardly is their toolset was stolen prior to that and that was how they
>>> were able to circumvent the SolarWinds security infrastructure, as
>>> SolarWinds relied on FireEye?
>>>
>>> Anybody come across any good detail on SolarWinds impacted software?
>>> Like if you downloaded the free subnet calculator, will they be taking your
>>> Google Home account too? Imma be pretty pissed if they mess with my Google
>>> Play playlists.
>>>
>>> I wonder if the disruptions with Office 365 and the weird spam filter
>>> changes lately are related to cleanup prior to publication.
>>>
>>> We are a tiny company and got within a hair of pulling the trigger on
>>> various SolarWinds offerings over the years. That's with tiny company tiny
>>> budgets. I can't imagine CTO voicemails going down around the world today.
>>> Depending on budget, you hand the keys over to SolarWinds, and by design,
>>> each key you hand over makes sense to spend a little more and hand over
>>> another key. How would you even begin to clean up your organization when
>>> your systems that would provide you your forensics are the systems that did
>>> the damage?
>>>
>>> Is this just media hype and more Russia Russia Russia, or is this as big
>>> of a deal as it seems?
>>>
>>> On Mon, Dec 14, 2020 at 9:01 AM dave wrote:
>>>
>>>> DA HUMANITY!!
>>>>
>>>>
>>>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>>>
>>>> I had a customer this morning complaining she couldn’t “sign on” to the
>>>> Internet.  I mentioned that Google had an outage this morning, but she
>>>> responded that she doesn’t use any Google services.  Of course her email
>>>> was from a Gmail address.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* AF *On Behalf Of *Mike Hammett
>>>> *Sent:* Monday, December 14, 2020 6:54 AM
>>>> *To:* AnimalFarm Microwave Users Group

Re: [AFMUG] Fireye

2020-12-14 Thread Steve Jones
FireEye offering auditing services?

On Mon, Dec 14, 2020 at 2:01 PM Ryan Ray wrote:

> SolarWinds says 18,000 customers got the malware. Basically whoever
> orchestrated this hack now has intimate details of all 18,000 of those
> customers' networks. They better make sure the rest of their network is up
> to snuff because it will make it a lot easier for them to be attacked going
> into the future. The hackers will probably lay dormant for a bit and pick
> their targets carefully and orchestrate the same attacks now that they know
> their network inside and out.
>
> I'd be very worried if I was an Orion user who got this. You'd need to
> hire a security auditing firm right now to go over your network with a fine
> tooth comb.
>
>
> On Mon, Dec 14, 2020 at 11:52 AM Ryan Ray wrote:
>
>> This is a big deal. SolarWinds Orion is a product used in many of the Top
>> 100 companies in the world, including tons of healthcare.
>>
>> I dislike SolarWinds for many reasons and refused to use them even before
>> this hack. Just add another reason to the list.
>>
>>
>>
>> On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:
>>
>>> So I'm reading this now that SolarWinds updates have been delivering
>>> payloads since June or July. SolarWinds having crazy levels of access to
>>> interior infrastructures.
>>>
>>> I'm not sure what this is saying, it sounds like what FireEye isn't saying
>>> outwardly is their toolset was stolen prior to that and that was how they
>>> were able to circumvent the SolarWinds security infrastructure, as
>>> SolarWinds relied on FireEye?
>>>
>>> Anybody come across any good detail on SolarWinds impacted software?
>>> Like if you downloaded the free subnet calculator, will they be taking your
>>> Google Home account too? Imma be pretty pissed if they mess with my Google
>>> Play playlists.
>>>
>>> I wonder if the disruptions with Office 365 and the weird spam filter
>>> changes lately are related to cleanup prior to publication.
>>>
>>> We are a tiny company and got within a hair of pulling the trigger on
>>> various SolarWinds offerings over the years. That's with tiny company tiny
>>> budgets. I can't imagine CTO voicemails going down around the world today.
>>> Depending on budget, you hand the keys over to SolarWinds, and by design,
>>> each key you hand over makes sense to spend a little more and hand over
>>> another key. How would you even begin to clean up your organization when
>>> your systems that would provide you your forensics are the systems that did
>>> the damage?
>>>
>>> Is this just media hype and more Russia Russia Russia, or is this as big
>>> of a deal as it seems?
>>>
>>> On Mon, Dec 14, 2020 at 9:01 AM dave wrote:
>>>
>>>> DA HUMANITY!!
>>>>
>>>>
>>>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>>>
>>>> I had a customer this morning complaining she couldn’t “sign on” to the
>>>> Internet.  I mentioned that Google had an outage this morning, but she
>>>> responded that she doesn’t use any Google services.  Of course her email
>>>> was from a Gmail address.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* AF *On Behalf Of *Mike Hammett
>>>> *Sent:* Monday, December 14, 2020 6:54 AM
>>>> *To:* AnimalFarm Microwave Users Group
>>>> *Subject:* Re: [AFMUG] Fireye
>>>>
>>>>
>>>>
>>>> "I know I'm next, they're coming after my google home mini and my
>>>> netflix account."
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> a  Google is broken this morning.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -
>>>> Mike Hammett
>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>> <https://www.facebook.com/ICSIL>
>>>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>>>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>>>> <https://twitter.com/ICSIL>
>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>> <https://www.facebook.com/mdwestix>
>>>> <https://www.linkedin.com/company/midwest-internet-exchange>
>>>> <https://twitter.com/mdwestix>
>>

Re: [AFMUG] Fireye

2020-12-14 Thread Steve Jones
Their sales folks are definitely aggressive.  At least it's currently only
limited (known) to two Orion platforms. I'm really concerned about this:
"...and intended to be a narrow, extremely targeted, and manually executed
attack..." what does manually executed mean? Like some dude stuck a USB key
in the DOS box running their whole operation?


SolarWinds asks customers with any of the below products for Orion Platform
v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version
2020.2.1 HF 1 as soon as possible to ensure the security of your
environment. This version is currently available at
customerportal.solarwinds.com.



SolarWinds asks customers with any of the below products for Orion Platform
v2019.4 HF 5 to update to 2019.4 HF 6, which will be available today,
December 14, 2020, at customerportal.solarwinds.com.



No other versions of Orion Platform products are known to be impacted by
this security vulnerability. Other non-Orion products are also not known to
be impacted by this security vulnerability.

On Mon, Dec 14, 2020 at 1:53 PM Ryan Ray wrote:

> This is a big deal. SolarWinds Orion is a product used in many of the Top
> 100 companies in the world, including tons of healthcare.
>
> I dislike SolarWinds for many reasons and refused to use them even before
> this hack. Just add another reason to the list.
>
>
>
> On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:
>
>> So I'm reading this now that SolarWinds updates have been delivering
>> payloads since June or July. SolarWinds having crazy levels of access to
>> interior infrastructures.
>>
>> I'm not sure what this is saying, it sounds like what FireEye isn't saying
>> outwardly is their toolset was stolen prior to that and that was how they
>> were able to circumvent the SolarWinds security infrastructure, as
>> SolarWinds relied on FireEye?
>>
>> Anybody come across any good detail on SolarWinds impacted software?
>> Like if you downloaded the free subnet calculator, will they be taking your
>> Google Home account too? Imma be pretty pissed if they mess with my Google
>> Play playlists.
>>
>> I wonder if the disruptions with Office 365 and the weird spam filter
>> changes lately are related to cleanup prior to publication.
>>
>> We are a tiny company and got within a hair of pulling the trigger on
>> various SolarWinds offerings over the years. That's with tiny company tiny
>> budgets. I can't imagine CTO voicemails going down around the world today.
>> Depending on budget, you hand the keys over to SolarWinds, and by design,
>> each key you hand over makes sense to spend a little more and hand over
>> another key. How would you even begin to clean up your organization when
>> your systems that would provide you your forensics are the systems that did
>> the damage?
>>
>> Is this just media hype and more Russia Russia Russia, or is this as big
>> of a deal as it seems?
>>
>> On Mon, Dec 14, 2020 at 9:01 AM dave wrote:
>>
>>> DA HUMANITY!!
>>>
>>>
>>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>>
>>> I had a customer this morning complaining she couldn’t “sign on” to the
>>> Internet.  I mentioned that Google had an outage this morning, but she
>>> responded that she doesn’t use any Google services.  Of course her email
>>> was from a Gmail address.
>>>
>>>
>>>
>>>
>>>
>>> *From:* AF *On Behalf Of *Mike Hammett
>>> *Sent:* Monday, December 14, 2020 6:54 AM
>>> *To:* AnimalFarm Microwave Users Group
>>> *Subject:* Re: [AFMUG] Fireye
>>>
>>>
>>>
>>> "I know I'm next, they're coming after my google home mini and my
>>> netflix account."
>>>
>>>
>>>
>>>
>>>
>>> a  Google is broken this morning.
>>>
>>>
>>>
>>>
>>>
>>> -
>>> Mike Hammett
>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>> <https://www.facebook.com/ICSIL>
>>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>>> <https://twitter.com/ICSIL>
>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>> <https://www.facebook.com/mdwestix>
>>> <https://www.linkedin.com/company/midwest-internet-exchange>
>>> <https://twitter.com/mdwestix>
>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>> <https://
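
Steve's message above is, underneath the "manually executed" question, a version-triage problem: which installed Orion Platform builds does the quoted advisory cover, and what does it ask you to move to? What follows is an added example, not SolarWinds' code and not something posted to this list. It transcribes the advisory text quoted in the message into a lookup table, parses version strings in the form the Orion console shows them (the accepted grammar, the hostnames and the sample inventory are all constructed for the example), and reports any build the advisory does not mention as "not listed" rather than as safe, because the advisory only speaks to what is known to be impacted.

```python
"""Triage installed SolarWinds Orion Platform versions against the advisory
text quoted in this thread.

Constructed example: the affected-version table is transcribed from the
advisory as quoted on the list; the version grammar and sample inventory
are assumptions made for the example, not SolarWinds' own format or data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed grammar for a console version string such as "2020.2 HF 1":
# optional leading "v", a dotted numeric release, then an optional
# "HF <n>" hotfix token (case-insensitive, whitespace optional).
_VERSION_RE = re.compile(
    r"^\s*v?(?P<release>\d+(?:\.\d+)+)\s*(?:hf\s*(?P<hotfix>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class OrionVersion:
    release: Tuple[int, ...]  # e.g. (2020, 2) or (2020, 2, 1)
    hotfix: int               # 0 when no hotfix is installed

    def __str__(self) -> str:
        rel = ".".join(str(p) for p in self.release)
        return rel if self.hotfix == 0 else f"{rel} HF {self.hotfix}"


def parse_version(text: str) -> OrionVersion:
    """Parse "2020.2", "v2020.2 HF1", "2019.4 HF 5", ...; ValueError otherwise."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion Platform version: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    hotfix = int(m.group("hotfix") or 0)
    return OrionVersion(release, hotfix)


# affected build -> build the advisory asks customers to move to.
# Transcribed from the advisory text quoted in the message above:
#   2020.2 (no hotfix) and 2020.2 HF 1  ->  2020.2.1 HF 1
#   2019.4 HF 5                         ->  2019.4 HF 6
_ADVISORY: Dict[OrionVersion, OrionVersion] = {
    OrionVersion((2020, 2), 0): OrionVersion((2020, 2, 1), 1),
    OrionVersion((2020, 2), 1): OrionVersion((2020, 2, 1), 1),
    OrionVersion((2019, 4), 5): OrionVersion((2019, 4), 6),
}


def triage(installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, target).

    status is "affected" (target holds the build to move to), "target"
    (already on one of the advisory's fix builds) or "not listed".
    "not listed" only means the advisory says nothing about this build;
    treat it as a prompt to verify, not as a clean bill of health.
    """
    v = parse_version(installed)
    if v in _ADVISORY:
        return "affected", str(_ADVISORY[v])
    if v in _ADVISORY.values():
        return "target", None
    return "not listed", None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run triage over a {hostname: version string} map, e.g. a CMDB export."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "orion-prod-01": "2020.2 HF 1",
        "orion-lab-02": "v2019.4 HF5",
        "orion-dr-03": "2020.2.1 HF 1",
        "orion-old-04": "2019.2 HF 3",
    }
    for host, (status, target) in triage_inventory(sample).items():
        print(f"{host:14} {sample[host]:14} {status:10} {target or ''}")
```

Run as a script it prints the sample table; in practice you would feed `triage_inventory` a hostname-to-version map pulled from wherever the Orion servers are tracked. The one design choice worth copying is the three-way result: a build outside the advisory's list comes back as "not listed", so it still shows up for a human to look at instead of silently passing.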

Re: [AFMUG] Fireye

2020-12-14 Thread Ryan Ray
SolarWinds says 18,000 customers got the malware. Basically whoever
orchestrated this hack now has intimate details of all 18,000 of those
customers' networks. They better make sure the rest of their network is up
to snuff because it will make it a lot easier for them to be attacked going
into the future. The hackers will probably lay dormant for a bit and pick
their targets carefully and orchestrate the same attacks now that they know
their network inside and out.

I'd be very worried if I was an Orion user who got this. You'd need to hire
a security auditing firm right now to go over your network with a fine
tooth comb.


On Mon, Dec 14, 2020 at 11:52 AM Ryan Ray wrote:

> This is a big deal. SolarWinds Orion is a product used in many of the Top
> 100 companies in the world, including tons of healthcare.
>
> I dislike SolarWinds for many reasons and refused to use them even before
> this hack. Just add another reason to the list.
>
>
>
> On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:
>
>> So I'm reading this now that SolarWinds updates have been delivering
>> payloads since June or July. SolarWinds having crazy levels of access to
>> interior infrastructures.
>>
>> I'm not sure what this is saying, it sounds like what FireEye isn't saying
>> outwardly is their toolset was stolen prior to that and that was how they
>> were able to circumvent the SolarWinds security infrastructure, as
>> SolarWinds relied on FireEye?
>>
>> Anybody come across any good detail on SolarWinds impacted software?
>> Like if you downloaded the free subnet calculator, will they be taking your
>> Google Home account too? Imma be pretty pissed if they mess with my Google
>> Play playlists.
>>
>> I wonder if the disruptions with Office 365 and the weird spam filter
>> changes lately are related to cleanup prior to publication.
>>
>> We are a tiny company and got within a hair of pulling the trigger on
>> various SolarWinds offerings over the years. That's with tiny company tiny
>> budgets. I can't imagine CTO voicemails going down around the world today.
>> Depending on budget, you hand the keys over to SolarWinds, and by design,
>> each key you hand over makes sense to spend a little more and hand over
>> another key. How would you even begin to clean up your organization when
>> your systems that would provide you your forensics are the systems that did
>> the damage?
>>
>> Is this just media hype and more Russia Russia Russia, or is this as big
>> of a deal as it seems?
>>
>> On Mon, Dec 14, 2020 at 9:01 AM dave wrote:
>>
>>> DA HUMANITY!!
>>>
>>>
>>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>>
>>> I had a customer this morning complaining she couldn’t “sign on” to the
>>> Internet.  I mentioned that Google had an outage this morning, but she
>>> responded that she doesn’t use any Google services.  Of course her email
>>> was from a Gmail address.
>>>
>>>
>>>
>>>
>>>
>>> *From:* AF *On Behalf Of *Mike Hammett
>>> *Sent:* Monday, December 14, 2020 6:54 AM
>>> *To:* AnimalFarm Microwave Users Group
>>> *Subject:* Re: [AFMUG] Fireye
>>>
>>>
>>>
>>> "I know I'm next, they're coming after my google home mini and my
>>> netflix account."
>>>
>>>
>>>
>>>
>>>
>>> a  Google is broken this morning.
>>>
>>>
>>>
>>>
>>>
>>> -
>>> Mike Hammett
>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>> <https://www.facebook.com/ICSIL>
>>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>>> <https://twitter.com/ICSIL>
>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>> <https://www.facebook.com/mdwestix>
>>> <https://www.linkedin.com/company/midwest-internet-exchange>
>>> <https://twitter.com/mdwestix>
>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>> <https://www.facebook.com/thebrotherswisp>
>>>
>>>
>>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>>> --
>>>
>>> *From: *"Steve Jones" 
>>> *To: *"AnimalFarm Microwave Users Group" 
>>> *Sent: *Sunday, December 13, 2020 9:57:21 PM
>>> *Subject: *Re: [AFMUG] Fireye
>>>

Re: [AFMUG] Fireye

2020-12-14 Thread Ryan Ray
This is a big deal. SolarWinds Orion is a product used in many of the Top
100 companies in the world, including tons of healthcare.

I dislike SolarWinds for many reasons and refused to use them even before
this hack. Just add another reason to the list.



On Mon, Dec 14, 2020 at 11:49 AM Steve Jones wrote:

> So I'm reading this now that SolarWinds updates have been delivering
> payloads since June or July. SolarWinds having crazy levels of access to
> interior infrastructures.
>
> I'm not sure what this is saying, it sounds like what FireEye isn't saying
> outwardly is their toolset was stolen prior to that and that was how they
> were able to circumvent the SolarWinds security infrastructure, as
> SolarWinds relied on FireEye?
>
> Anybody come across any good detail on SolarWinds impacted software? Like
> if you downloaded the free subnet calculator, will they be taking your
> Google Home account too? Imma be pretty pissed if they mess with my Google
> Play playlists.
>
> I wonder if the disruptions with Office 365 and the weird spam filter
> changes lately are related to cleanup prior to publication.
>
> We are a tiny company and got within a hair of pulling the trigger on
> various SolarWinds offerings over the years. That's with tiny company tiny
> budgets. I can't imagine CTO voicemails going down around the world today.
> Depending on budget, you hand the keys over to SolarWinds, and by design,
> each key you hand over makes sense to spend a little more and hand over
> another key. How would you even begin to clean up your organization when
> your systems that would provide you your forensics are the systems that did
> the damage?
>
> Is this just media hype and more Russia Russia Russia, or is this as big of
> a deal as it seems?
>
> On Mon, Dec 14, 2020 at 9:01 AM dave  wrote:
>
>> DA HUMANITY!!
>>
>>
>> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>>
>> I had a customer this morning complaining she couldn’t “sign on” to the
>> Internet.  I mentioned that Google had an outage this morning, but she
>> responded that she doesn’t use any Google services.  Of course her email
>> was from a Gmail address.
>>
>>
>>
>>
>>
>> *From:* AF *On Behalf Of *Mike Hammett
>> *Sent:* Monday, December 14, 2020 6:54 AM
>> *To:* AnimalFarm Microwave Users Group
>> *Subject:* Re: [AFMUG] Fireye
>> *Subject:* Re: [AFMUG] Fireye
>>
>>
>>
>> "I know I'm next, they're coming after my google home mini and my netflix
>> account."
>>
>>
>>
>>
>>
>> a  Google is broken this morning.
>>
>>
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> <https://www.facebook.com/ICSIL>
>> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
>> <https://www.linkedin.com/company/intelligent-computing-solutions>
>> <https://twitter.com/ICSIL>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> <https://www.facebook.com/mdwestix>
>> <https://www.linkedin.com/company/midwest-internet-exchange>
>> <https://twitter.com/mdwestix>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> <https://www.facebook.com/thebrotherswisp>
>>
>>
>> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
>> --
>>
>> *From: *"Steve Jones" 
>> *To: *"AnimalFarm Microwave Users Group" 
>> *Sent: *Sunday, December 13, 2020 9:57:21 PM
>> *Subject: *Re: [AFMUG] Fireye
>>
>> Nope, per FireEye, the toolset had to be released because of it being
>> stolen, was not "in the wild".
>>
>> Going to get really interesting to see what comes of this, two federal
>> agencies just happen to get hit shortly after. You can do plenty when you
>> know how you would have otherwise been caught.
>>
>> And that's all FireEye admits to having been breached. I'm gonna go ahead
>> and not take their word on it definitively having been Russia either.
>> Convenient timing after Iran specifically has stated they're going to
>> retaliate for the dead scientist. China will probably confirm this shortly.
>>
>>
>>
>> Pretty sure this is far from over and pretty sure this company is just
>> the first to go public.
>>
>>
>>
>> I know I'm next, they're coming after my google home mini and my netflix
>> account.
>>
>>
>>
>> On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof  wrote:
>>
>> No

Re: [AFMUG] Fireye

2020-12-14 Thread Steve Jones
So I'm reading now that SolarWinds updates have been delivering
payloads since June or July. SolarWinds having crazy levels of access to
interior infrastructures.

I'm not sure what this is saying, it sounds like what FireEye isn't saying
outwardly is their toolset was stolen prior to that and that was how they
were able to circumvent the SolarWinds security infrastructure, as SolarWinds
relied on FireEye?

Anybody come across any good detail on SolarWinds impacted software? Like
if you downloaded the free subnet calculator, will they be taking your
Google Home account too? Imma be pretty pissed if they mess with my Google
Play playlists.

I wonder if the disruptions with Office 365 and the weird spam filter
changes lately are related to cleanup prior to publication.

We are a tiny company and got within a hair of pulling the trigger on
various SolarWinds offerings over the years. That's with tiny company tiny
budgets. I can't imagine CTO voicemails going down around the world today,
depending on budget, you hand the keys over to SolarWinds, and by design,
each key you hand over makes sense to spend a little more and hand over
another key. How would you even begin to clean up your organization when
your systems that would provide you your forensics are the systems that did
the damage?

Is this just media hype and more Russia, Russia, Russia, or is this as big of
a deal as it seems?

On Mon, Dec 14, 2020 at 9:01 AM dave  wrote:

> DA HUMANITY!!
>
>
> On 12/14/20 8:58 AM, Ken Hohhof wrote:
>
> I had a customer this morning complaining she couldn’t “sign on” to the
> Internet.  I mentioned that Google had an outage this morning, but she
> responded that she doesn’t use any Google services.  Of course her email
> was from a Gmail address.
>
>
>
>
>
> *From:* AF *On Behalf Of *Mike Hammett
> *Sent:* Monday, December 14, 2020 6:54 AM
> *To:* AnimalFarm Microwave Users Group
> *Subject:* Re: [AFMUG] Fireye
>
>
>
> "I know I'm next, they're coming after my google home mini and my netflix
> account."
>
>
>
>
>
> a  Google is broken this morning.
>
>
>
>
>
>
> *From: *"Steve Jones" 
> *To: *"AnimalFarm Microwave Users Group" 
> *Sent: *Sunday, December 13, 2020 9:57:21 PM
> *Subject: *Re: [AFMUG] Fireye
>
> Nope, per FireEye, the toolset had to be released because of it being
> stolen, was not "in the wild".
>
> Going to get really interesting to see what comes of this, two federal
> agencies just happen to get hit shortly after. You can do plenty when you
> know how you would have otherwise been caught.
>
> And that's all FireEye admits to having been breached. I'm gonna go ahead
> and not take their word on it definitively having been Russia either.
> Convenient timing after Iran specifically has stated they're going to
> retaliate for the dead scientist. China will probably confirm this shortly.
>
>
>
> Pretty sure this is far from over and pretty sure this company is just the
> first to go public.
>
>
>
> I know I'm next, they're coming after my google home mini and my netflix
> account.
>
>
>
> On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof  wrote:
>
> Not saying you are wrong.
>
>
>
> But I think I read somewhere that the FireEye tools that were stolen were a
> collection of malware already in the wild that they used for testing of
> client networks.  So it was stuff already available, just neatly packaged.
>
> The guys who really f’d up were the “Equation Group” (cough, cough, NSA)
> who lost novel and very powerful hacking tools like EternalBlue to the
> Shadow Brokers group.
>
>
>
> *From:* AF  *On Behalf Of *Steve Jones
> *Sent:* Sunday, December 13, 2020 8:45 PM
> *To:* AnimalFarm Microwave Users Group 
> *Subject:* [AFMUG] Fireye
>
>
>
> These guys F'd up beyond belief.
>
>
>
> Inept as Jaime would say
>
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-14 Thread dave

DA HUMANITY!!


On 12/14/20 8:58 AM, Ken Hohhof wrote:


I had a customer this morning complaining she couldn’t “sign on” to 
the Internet.  I mentioned that Google had an outage this morning, but 
she responded that she doesn’t use any Google services.  Of course her 
email was from a Gmail address.


*From:* AF  *On Behalf Of *Mike Hammett
*Sent:* Monday, December 14, 2020 6:54 AM
*To:* AnimalFarm Microwave Users Group 
*Subject:* Re: [AFMUG] Fireye

"I know I'm next, they're coming after my google home mini and my 
netflix account."


a  Google is broken this morning.






*From: *"Steve Jones" <thatoneguyst...@gmail.com>
*To: *"AnimalFarm Microwave Users Group" <af@af.afmug.com>

*Sent: *Sunday, December 13, 2020 9:57:21 PM
*Subject: *Re: [AFMUG] Fireye

Nope, per FireEye, the toolset had to be released because of it being 
stolen, was not "in the wild".

Going to get really interesting to see what comes of this, two federal 
agencies just happen to get hit shortly after. You can do plenty when 
you know how you would have otherwise been caught.

And that's all FireEye admits to having been breached. I'm gonna go 
ahead and not take their word on it definitively having been Russia 
either. Convenient timing after Iran specifically has stated they're 
going to retaliate for the dead scientist. China will probably confirm 
this shortly.


Pretty sure this is far from over and pretty sure this company is just 
the first to go public.


I know I'm next, they're coming after my google home mini and my 
netflix account.


On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof <af...@kwisp.com> wrote:


Not saying you are wrong.

But I think I read somewhere that the FireEye tools that were
stolen were a collection of malware already in the wild that they
used for testing of client networks.  So it was stuff already
available, just neatly packaged.

The guys who really f’d up were the “Equation Group” (cough,
cough, NSA) who lost novel and very powerful hacking tools like
EternalBlue to the Shadow Brokers group.

*From:* AF <af-boun...@af.afmug.com> *On Behalf Of *Steve Jones
*Sent:* Sunday, December 13, 2020 8:45 PM
*To:* AnimalFarm Microwave Users Group <af@af.afmug.com>
*Subject:* [AFMUG] Fireye

These guys F'd up beyond belief.

Inept as Jaime would say

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-14 Thread Ken Hohhof
I had a customer this morning complaining she couldn’t “sign on” to the 
Internet.  I mentioned that Google had an outage this morning, but she 
responded that she doesn’t use any Google services.  Of course her email was 
from a Gmail address.

 

 

From: AF  On Behalf Of Mike Hammett
Sent: Monday, December 14, 2020 6:54 AM
To: AnimalFarm Microwave Users Group 
Subject: Re: [AFMUG] Fireye

 

"I know I'm next, they're coming after my google home mini and my netflix 
account."

 

 

a  Google is broken this morning.

 




From: "Steve Jones" <thatoneguyst...@gmail.com>
To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
Sent: Sunday, December 13, 2020 9:57:21 PM
Subject: Re: [AFMUG] Fireye

Nope, per FireEye, the toolset had to be released because of it being stolen, 
was not "in the wild".

Going to get really interesting to see what comes of this, two federal agencies 
just happen to get hit shortly after. You can do plenty when you know how you 
would have otherwise been caught.

And that's all FireEye admits to having been breached. I'm gonna go ahead and 
not take their word on it definitively having been Russia either. Convenient 
timing after Iran specifically has stated they're going to retaliate for the 
dead scientist. China will probably confirm this shortly.

 

Pretty sure this is far from over and pretty sure this company is just the 
first to go public.

 

I know I'm next, they're coming after my google home mini and my netflix 
account.

 

On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof <af...@kwisp.com> wrote:

Not saying you are wrong.

 

But I think I read somewhere that the FireEye tools that were stolen were a 
collection of malware already in the wild that they used for testing of client 
networks.  So it was stuff already available, just neatly packaged.

 

The guys who really f’d up were the “Equation Group” (cough, cough, NSA) who 
lost novel and very powerful hacking tools like EternalBlue to the Shadow 
Brokers group.

 

From: AF <af-boun...@af.afmug.com> On Behalf Of Steve Jones
Sent: Sunday, December 13, 2020 8:45 PM
To: AnimalFarm Microwave Users Group <af@af.afmug.com>
Subject: [AFMUG] Fireye

 

These guys F'd up beyond belief.

 

Inept as Jaime would say

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-14 Thread Jaime Solorza
Yep

On Sun, Dec 13, 2020, 7:46 PM Steve Jones  wrote:

> These guys F'd up beyond belief.
>
> Inept as Jaime would say
>
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-14 Thread Jaime Solorza
https://www.newsweek.com/solar-winds-probably-hacked-russia-serves-white-house-pentagon-nasa-1554447

On Sun, Dec 13, 2020, 7:46 PM Steve Jones  wrote:

> These guys F'd up beyond belief.
>
> Inept as Jaime would say
>
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-14 Thread Mike Hammett
" I know I'm next, they're coming after my google home mini and my netflix 
account." 




a Google is broken this morning. 





- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Steve Jones"  
To: "AnimalFarm Microwave Users Group"  
Sent: Sunday, December 13, 2020 9:57:21 PM 
Subject: Re: [AFMUG] Fireye 


Nope, per FireEye, the toolset had to be released because of it being stolen, 
was not "in the wild". 

Going to get really interesting to see what comes of this, two federal agencies 
just happen to get hit shortly after. You can do plenty when you know how you 
would have otherwise been caught. 

And that's all FireEye admits to having been breached. I'm gonna go ahead and 
not take their word on it definitively having been Russia either. Convenient 
timing after Iran specifically has stated they're going to retaliate for the 
dead scientist. China will probably confirm this shortly. 


Pretty sure this is far from over and pretty sure this company is just the 
first to go public. 


I know I'm next, they're coming after my google home mini and my netflix 
account. 


On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof <af...@kwisp.com> wrote: 





Not saying you are wrong. 

But I think I read somewhere that the FireEye tools that were stolen were a 
collection of malware already in the wild that they used for testing of client 
networks. So it was stuff already available, just neatly packaged. 

The guys who really f’d up were the “Equation Group” (cough, cough, NSA) who 
lost novel and very powerful hacking tools like EternalBlue to the Shadow 
Brokers group. 


From: AF <af-boun...@af.afmug.com> On Behalf Of Steve Jones 
Sent: Sunday, December 13, 2020 8:45 PM 
To: AnimalFarm Microwave Users Group <af@af.afmug.com> 
Subject: [AFMUG] Fireye 


These guys F'd up beyond belief. 



Inept as Jaime would say 
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-13 Thread Ken Hohhof
They’re coming for your cheese.

 

From: AF  On Behalf Of Steve Jones
Sent: Sunday, December 13, 2020 9:57 PM
To: AnimalFarm Microwave Users Group 
Subject: Re: [AFMUG] Fireye

 

Nope, per FireEye, the toolset had to be released because of it being stolen, 
was not "in the wild".

Going to get really interesting to see what comes of this, two federal agencies 
just happen to get hit shortly after. You can do plenty when you know how you 
would have otherwise been caught.

And that's all FireEye admits to having been breached. I'm gonna go ahead and 
not take their word on it definitively having been Russia either. Convenient 
timing after Iran specifically has stated they're going to retaliate for the 
dead scientist. China will probably confirm this shortly.

 

Pretty sure this is far from over and pretty sure this company is just the 
first to go public.

 

I know I'm next, they're coming after my google home mini and my netflix 
account.

 

On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof <af...@kwisp.com> wrote:

Not saying you are wrong.

 

But I think I read somewhere that the FireEye tools that were stolen were a 
collection of malware already in the wild that they used for testing of client 
networks.  So it was stuff already available, just neatly packaged.

 

The guys who really f’d up were the “Equation Group” (cough, cough, NSA) who 
lost novel and very powerful hacking tools like EternalBlue to the Shadow 
Brokers group.

 

From: AF <af-boun...@af.afmug.com> On Behalf Of Steve Jones
Sent: Sunday, December 13, 2020 8:45 PM
To: AnimalFarm Microwave Users Group <af@af.afmug.com>
Subject: [AFMUG] Fireye

 

These guys F'd up beyond belief.

 

Inept as Jaime would say

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-13 Thread Steve Jones
Nope, per FireEye, the toolset had to be released because of it being
stolen, was not "in the wild".

Going to get really interesting to see what comes of this, two federal
agencies just happen to get hit shortly after. You can do plenty when you
know how you would have otherwise been caught.

And that's all FireEye admits to having been breached. I'm gonna go ahead
and not take their word on it definitively having been Russia either.
Convenient timing after Iran specifically has stated they're going to
retaliate for the dead scientist. China will probably confirm this shortly.

Pretty sure this is far from over and pretty sure this company is just the
first to go public.

I know I'm next, they're coming after my google home mini and my netflix
account.

On Sun, Dec 13, 2020, 9:10 PM Ken Hohhof  wrote:

> Not saying you are wrong.
>
>
>
> But I think I read somewhere that the FireEye tools that were stolen were a
> collection of malware already in the wild that they used for testing of
> client networks.  So it was stuff already available, just neatly packaged.
>
> The guys who really f’d up were the “Equation Group” (cough, cough, NSA)
> who lost novel and very powerful hacking tools like EternalBlue to the
> Shadow Brokers group.
>
>
>
> *From:* AF  *On Behalf Of *Steve Jones
> *Sent:* Sunday, December 13, 2020 8:45 PM
> *To:* AnimalFarm Microwave Users Group 
> *Subject:* [AFMUG] Fireye
>
>
>
> These guys F'd up beyond belief.
>
>
>
> Inept as Jaime would say
>
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-13 Thread Ken Hohhof
In separate but related news, NTIA got hacked, along with Treasury Dept.  And 
article mentions SolarWinds.

https://www.reuters.com/article/us-usa-cyber-treasury-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG

 

 

From: AF  On Behalf Of Steve Jones
Sent: Sunday, December 13, 2020 8:45 PM
To: AnimalFarm Microwave Users Group 
Subject: [AFMUG] Fireye

 

These guys F'd up beyond belief.

 

Inept as jaime would say

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


Re: [AFMUG] Fireye

2020-12-13 Thread Ken Hohhof
Not saying you are wrong.

 

But I think I read somewhere that the FireEye tools that were stolen were a 
collection of malware already in the wild that they used for testing of client 
networks.  So it was stuff already available, just neatly packaged.

 

The guys who really f’d up were the “Equation Group” (cough, cough, NSA) who 
lost novel and very powerful hacking tools like EternalBlue to the Shadow 
Brokers group.

 

From: AF  On Behalf Of Steve Jones
Sent: Sunday, December 13, 2020 8:45 PM
To: AnimalFarm Microwave Users Group 
Subject: [AFMUG] Fireye

 

These guys F'd up beyond belief.

 

Inept as Jaime would say

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com


[AFMUG] Fireye

2020-12-13 Thread Steve Jones
These guys F'd up beyond belief.

Inept as Jaime would say
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com