New SUPERNOVA backdoor found in SolarWinds cyberattack analysis:
While analyzing artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor that is likely from a second threat actor.
Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and application monitoring platform that enables adversaries to run arbitrary code on machines running the trojanized version of the software.
The webshell is a trojanized variant of a legitimate .NET library (app_web_logoimagehandler.ashx.b6031896.dll) present in the Orion software from SolarWinds, modified in a way that allows it to evade automated defense mechanisms.
Orion software uses the DLL to expose an HTTP API, allowing the host to respond to other subsystems that query it for a specific GIF image.
[...] The malicious code contains only one method, DynamicRun, which compiles the request parameters on the fly into a .NET assembly in memory, thus leaving no artifacts on the disk of a compromised device.
This way, the attacker can send arbitrary code to the infected device and run it in the context of the user, who in most cases has high privileges and visibility on the network.
[...] The researcher adds that taking a valid .NET program as a parameter and in-memory code execution makes SUPERNOVA a rare encounter as it eliminates the need for additional network callbacks besides the initial C2 request.
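An added detection example, not code from the article or from any vendor's tooling: it scans constructed, simplified IIS-style access-log lines for requests to the Orion image handler whose query string looks like C# source, or is far larger than an image lookup needs. The handler path (logoimagehandler.ashx) is inferred from the DLL name quoted above, and the log format, the parameter name `src`, the source-code markers and the size threshold are assumptions made for this example; the real webshell's parameter names are not given on this page.

```python
import re
from urllib.parse import unquote_plus

# Handler name inferred from app_web_logoimagehandler.ashx.<hash>.dll, ASP.NET's
# naming scheme for compiled handlers. This is an assumption for the example.
HANDLER_NAME = "logoimagehandler.ashx"

# Fragments that look like C# source rather than an image lookup (assumed heuristics).
SOURCE_MARKERS = re.compile(
    r"using\s+System|namespace\s+\w+|class\s+\w+\s*\{|public\s+static|"
    r"System\.Reflection|Assembly\.Load|new\s+\w+\s*\(",
    re.IGNORECASE,
)
MAX_BENIGN_QUERY = 512  # assumed upper bound for a legitimate image-lookup query

# Constructed log lines (not real captures). Simplified field layout:
# date time c-ip method uri-stem uri-query status
LONG_QUERY = "id=15&blob=" + "41" * 800
SAMPLE_LOG = "\n".join([
    "2020-12-14 10:15:02 10.0.0.5 GET /Orion/LogoImageHandler.ashx id=15 200",
    "2020-12-14 10:15:09 10.0.0.5 GET /Orion/Login.aspx - 200",
    "2020-12-14 10:16:41 198.51.100.23 GET /Orion/LogoImageHandler.ashx "
    "src=using+System%3Bpublic+class+Run%7Bpublic+static+string+Go%28%29"
    "%7Breturn+System.Environment.UserName%3B%7D%7D 200",
    f"2020-12-14 10:17:03 198.51.100.23 GET /Orion/LogoImageHandler.ashx {LONG_QUERY} 200",
])


def parse_line(line):
    """Split one log line into a dict, or return None if it does not have 7 fields."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, client, method, stem, query, status = parts
    return {
        "ts": f"{date} {time}",
        "client": client,
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": status,
    }


def classify(stem, query):
    """Return a reason string if a request to the image handler looks like code delivery."""
    if HANDLER_NAME not in stem.lower():
        return None
    decoded = unquote_plus(query)  # the handler sees decoded parameters, so match on those
    if SOURCE_MARKERS.search(decoded):
        return "source-code-like query to image handler"
    if len(decoded) > MAX_BENIGN_QUERY:
        return f"oversized query ({len(decoded)} bytes) to image handler"
    return None


def scan(log_text):
    """Return (timestamp, client, reason) for every suspicious request in the log."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reason = classify(rec["stem"], rec["query"])
        if reason:
            hits.append((rec["ts"], rec["client"], reason))
    return hits


if __name__ == "__main__":
    for ts, client, reason in scan(SAMPLE_LOG):
        print(f"{ts} {client}: {reason}")
```

Because the request carries the whole program, the source text itself is in the query string and in the web-server log, which is the one place this in-memory technique does leave a trace; matching on the decoded query rather than the raw one defeats simple percent-encoding of the markers.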
(Score: 5, Insightful) by pvanhoof on Tuesday December 22 2020, @03:07PM (17 children)
One starts wondering how many thousands of organisations have planted their backdoors in SolarWinds' build infrastructure.
Maybe those actors should start using gitflow [nvie.com] and semver [semver.org] versioning techniques to ensure that their backdoor code remains API and ABI compatible with each other's hacks.
I mean. A lot of highly important organisations are reliant upon all those malwares functioning correctly such that the software doesn't become unstable. And since the release maintainers at SolarWinds are clearly a bunch of moronic fuckwits, the malware developers must take care of ensuring that their malware code doesn't conflict with the other malware developers' malwares.
But anyway. Thank you SolarWinds for such a cheap and easy opportunity for massive amounts of state actors' spying industries to make it so extremely cheap to steal almost each and every imaginable secret that the US defense industry used to have. This had some great economic benefits. Imagine the insane amount of physical spies the world would have to keep employed to achieve the same.
SolarWinds: you are the best. Thank you for your extreme incompetence.
(Score: 4, Interesting) by DannyB on Tuesday December 22 2020, @04:08PM (16 children)
It could be management induced fright into terrain.
Or the NSA pretending to be one of the moronic engineers 'naively' introducing vulnerabilities. Ooops. My booboo. It won't happen again -- my getting caught, that is. In this case, the rudeness / criminality is on other malware vendors piggybacking upon the NSA's (or management's) deliberate accidental introduction of vulnerabilities. How rude of them.
The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
(Score: 4, Insightful) by pvanhoof on Tuesday December 22 2020, @04:23PM (11 children)
I mentioned release maintainers when I said that SolarWinds' employees are moronic fuckwits.
I would think that a release maintainer, be it one that releases .NET assemblies or DLL files or shared object files or not, has multiple build machines. And that he builds using so called reproducible builds [reproducible-builds.org]. He will also sign the resulting packages (which is something SolarWinds apparently did) using a private key that is kept in a secure location (which is something SolarWinds apparently didn't).
When such a release maintainer uses a so called reproducible build, he or she (I need to satisfy the woke culture else they'll try to cancel me) can compare the resulting binaries against another build machine's binaries. If there is no match, the release maintainer starts an investigation. Because this either means that a programmer of SolarWinds's group of developers did something to the code that doesn't result in a reproducible compilation (which is ALWAYS unwanted in security software) or it means that there is malware installed onto one of the two build environments. Either case is something for the release maintainer to definitely deal with. In every imaginable case. Always. Without doubt. This is his (or her) job.
Failing to do this job is incompetence. The kind of incompetence that we should not celebrate but instead should at least fire people for. Immediately. As this should be written down as a minimal requirement in the employees' employment contract.
SolarWinds failed at every level of all of this. That makes it a management failure. This means SolarWinds' software should absolutely not be trusted to be used in industries like defense. But US defense is in fact still using it. That makes it a nationwide failure. This should mean several top people at the US defense should be sacked. Preferably immediately.
(Score: 2) by DannyB on Tuesday December 22 2020, @05:09PM (1 child)
Regardless (or is that "irregardless" on SN?) of whose incompetence it is; it remains that this incompetence could actually be deliberate vulnerability introduction into a product for ~~NSA~~ someone to use and exploit.
The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
(Score: 2) by pvanhoof on Tuesday December 22 2020, @05:18PM
Absolutely. And as I mentioned, those actors (because the NSA is clearly just one out of thousands) should utilize gitflow like they already do [wikileaks.org] and semver to ensure ABI stability between the different malwares being injected into SolarWinds's software.
(Score: 2) by RS3 on Tuesday December 22 2020, @07:17PM (1 child)
Thanks for your insight. I pretty much agree, but I don't fully understand.
If the malware is introduced in source through a newer code revision, the binaries obviously won't compare to older ones. So how can the release maintainer prevent the malware from being included in the shipping product?
(Score: 2) by pvanhoof on Tuesday December 22 2020, @07:36PM
AFAIK the malware was not introduced into the sources as a git commit, but rather added sideways during the build itself.
With a secondary build machine, the second build machine wouldn't have this flaw, resulting in two different binaries.
Had the malware been introduced into the sources as a git commit, then review should have caught it.
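An added illustration of the two-build-machine comparison pvanhoof describes here and in his earlier comment on reproducible builds (this is example code, not anything from the thread or from SolarWinds): artifact sets from two independent build machines are compared byte for byte and a release is only allowed when every artifact is present and identical on both sides. The artifact bytes, the `shared.dll` and `only_on_a.dll` names, and the "injected during the build on machine A" scenario are constructed for the example; only the handler DLL name comes from the article. A real pipeline would hash real build output, and .NET assemblies have to be compiled deterministically (the C# compiler's -deterministic option) before two machines can be expected to produce identical bytes at all.

```python
import hashlib

# Constructed artifacts (not real binaries): a fake PE header followed by filler.
CLEAN_HANDLER = b"MZ" + bytes(62) + b"legitimate image handler code"
# Sideways injection during the build on machine A: bytes spliced in at offset 40.
TAMPERED_HANDLER = CLEAN_HANDLER[:40] + b"DynamicRun" + CLEAN_HANDLER[40:]
SHARED = b"MZ" + bytes(62) + b"unrelated shared library"

BUILD_A = {  # output of build machine A (compromised in this scenario)
    "app_web_logoimagehandler.ashx.b6031896.dll": TAMPERED_HANDLER,
    "shared.dll": SHARED,
    "only_on_a.dll": b"MZ" + bytes(30),  # hypothetical extra artifact
}
BUILD_B = {  # output of an independent build machine B from the same commit
    "app_web_logoimagehandler.ashx.b6031896.dll": CLEAN_HANDLER,
    "shared.dll": SHARED,
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def first_difference(a, b):
    """Offset of the first differing byte, or None when a and b are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_builds(build_a, build_b):
    """Compare two {artifact name: bytes} sets; returns {artifact name: verdict}."""
    report = {}
    for name in sorted(set(build_a) | set(build_b)):
        if name not in build_a:
            report[name] = "missing on A"
            continue
        if name not in build_b:
            report[name] = "missing on B"
            continue
        a, b = build_a[name], build_b[name]
        if sha256(a) == sha256(b):
            report[name] = "match"
        else:
            off = first_difference(a, b)
            report[name] = f"MISMATCH at offset {off} (sizes {len(a)} vs {len(b)})"
    return report


def release_allowed(report):
    """Sign and ship only when every artifact matched on both build machines."""
    return all(verdict == "match" for verdict in report.values())


if __name__ == "__main__":
    report = compare_builds(BUILD_A, BUILD_B)
    for name, verdict in report.items():
        print(f"{name}: {verdict}")
    print("release allowed:", release_allowed(report))
```

Both benign nondeterminism (embedded timestamps, MVIDs) and injected code show up as a mismatch; the reported offset and size delta let the maintainer tell a few changed header bytes from spliced-in code before deciding whether the build is safe to sign.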
(Score: 2, Interesting) by throckmorten on Tuesday December 22 2020, @07:22PM (4 children)
How many companies use multiple build machines, and compare binaries that are produced?
I'd wager it's actually very few, so although it sounds perfectly reasonable it's something that (as far as I'm aware) no-one actually does.
(Score: 2) by pvanhoof on Tuesday December 22 2020, @07:41PM (2 children)
Many morons just means that there are many morons. It doesn't mean the individual ain't a moron because many others are also morons. No. It just means that there are many morons. And that the individual might be part of the larger group of morons.
It's basically morons all the way down.
But each and every individual is a complete utter moron nonetheless. Just many many many of them. Huge amounts of morons.
The one individual that must make security software for all those morons must not be a moron itself. Else you get what SolarWinds' software is.
(Score: 3, Insightful) by linuxrocks123 on Tuesday December 22 2020, @08:56PM (1 child)
Some people and organizations find build reproducibility a "nice-to-have" feature, but it is by no means a standard across the industry to have this as a goal and it is by no means necessary to have it as a goal in order to develop good software. You are demanding that an entire industry adopt an expensive reform of dubious utility and are calling everybody else a moron for not doing what you want. Other people are not the morons here.
Debian has a nice graph of which packages are reproducible on the most common architectures. It's over 50%, but nowhere near all, and there's a substantial fraction of packages that FTBFS. They release anyway and the world doesn't end.
https://wiki.debian.org/ReproducibleBuilds [debian.org]
SolarWinds is indeed composed of fuckwits. Their customers are the "enterprise software" idiots who parasitize the industry. More specifically, their customers are system administrators who can't script their way out of a paper bag but can manage to get large purchase orders approved for shitware like SolarWinds that partially masks their own incompetence. I have no doubt SolarWinds' coders are also bottom of the barrel shitheads just like their customers are. That said, your proposed silver bullet isn't a silver bullet and wouldn't have saved them. The idiots would just have gotten both build machines hacked in an identical way. There is no institutional process or safeguard that can fix sufficiently advanced stupidity.
(Score: 2) by pvanhoof on Tuesday December 22 2020, @09:04PM
Yes. I agree with (all of) that ...
(Score: 0) by Anonymous Coward on Wednesday December 23 2020, @12:10AM
We do. Helps catch Heisenbugs in the build process and allows for different tests to be run in parallel from controllable states. We are already investing a large amount of time into the build and tests so a simple exchange of artifacts and checking for errors is relatively cheap. It has already caught bugs in upstream projects as well. It also helps when dumps occur, upgrading infrastructure, auditing paperwork, scaling, and cross-compile situations.
(Score: 0) by Anonymous Coward on Wednesday December 23 2020, @06:01PM
To err is human. To screw up this badly takes a computer.
(Score: 0) by Anonymous Coward on Wednesday December 23 2020, @07:47PM
They outsourced it, bro.
Dude was a contractor. Maybe even an H1-B.
Employees, and continuity, are SO 20th century. Get with the times, bro! Join the 'gig' economy!
~childo
(Score: 2) by leon_the_cat on Tuesday December 22 2020, @09:08PM (3 children)
No organization is that stupid. This is OBVIOUSLY criminal from the inside.
(Score: 2) by TheReaperD on Tuesday December 22 2020, @09:55PM
The problem is, if he works for the NSA, as expected, he won't be labeled a criminal, but a patriot by the powers that be. The only thing they'd be upset about is that they got caught.
Ad eundum quo nemo ante iit
(Score: 2) by DannyB on Tuesday December 22 2020, @10:41PM (1 child)
Entire Organizations don't have to be stupid. Just managers do. It's their job description.
But then there is the other theory about NSA deliberately planting this incompetence for later use.
The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
(Score: 0) by Anonymous Coward on Wednesday December 23 2020, @08:12AM
It's not incompetence when you fulfill the job description.