***THREAD***

I’ve been on the phone with colleagues about the hack all morning. None of us can figure out why #CISA chose this particular response to the breach. Couple of things struck us as curious.

The agencies targeted are not responding how you might expect... https://twitter.com/cisagov/status/1338348931571445762
First, you would expect this sort of directive to be internally facing. While there are very obvious and standard mitigation steps, you do not want to telegraph mitigation steps, especially when your attack vectors are DLL files.
File(s) could have existed for months and sent information and updates back to infected nodes, effectively modifying the machine state and images. The directive states agencies should, “Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.”
That’s great, and normally it would be prudent to start from a fresh image that is not affected by the errant DLL file. In some cases, there are agencies without a master or backup of the original.

Why is this a problem?

Two reasons:

1. Noncompliance
2. Vulnerabilities

But what is more likely to happen in cases such as this? Agencies rely on tools like SolarWinds to monitor networks.

Answer: they restore from a previous version. These versions (or a point in time) can contain unknown/manipulated registry files that can infect nodes.
Since twatter broke up the most important part of my thread... https://twitter.com/midnightride21/status/1338483945529348103
I’m not the only one saying the CISA directive is odd. It should have been released internally.

@CodeMonkeyZ is spot on as always. https://twitter.com/codemonkeyz/status/1338433326558769152
You can follow @midnightride21.