Supply chain attack

I was thinking about the supply chain attack video Tom made while reading this article this morning.

I have the write-ups posted here: Solarwinds Orion Supply Chain Attack

Great workup @LTS_Tom. My email has been blowing up from SW for the past day or so about this. They say RMM is not affected, but only time will tell. As an MSP with a specialization in Cyber Sec, I am paying close attention, as this was a sophisticated attack indeed. A couple of things that jump out at me off the bat:

  1. It lays dormant for 2 weeks before it takes action.

  2. The sophistication in which it takes place; sigs, HTTP traffic (header trickery)

  3. When it started (March)

  4. SAML Via Cloud (Whoa buddy – Yeah, we've all been saying for years “The cloud is just someone else’s computer.” I hope people are listening now?!)

In any case, without sounding like a crazy cyber sec guy, I will wager a guess here:

RMM and other such services on the SW platform may already be had; we won’t know for some time yet.

Going off of my Point #1, this is without a doubt state-sponsored. My spidey senses, based solely on how long it hangs out (2 weeks) till it kicks off and the level of sophistication to spread, remind me of a similar “Virus” that we all suffered around the world at around the same point in time, ahem “Covid” Ahem “March 2020”. My complete and utterly baseless guess would be it was sponsored by China.

A cyber-attack that damages an organization by targeting less-secure elements in the supply chain is known as a supply chain attack.

I work for a municipally owned electric and water utility, so I’ve been involved in a few conference calls this week on both the government and utility side. Even though we don’t use Solarwinds for anything, I do want to learn from this. Multiple people from various agencies are calling this the worst attack they’ve ever seen, and on an electric utility industry security “emergency” call today, there was indication there may have been more vectors besides Solarwinds, but no details at the moment…

Yes, this was part of the CISA announcement from Dec 17, 2020:

"CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise."
