keep this in mind....
This was likely a multi-year operation with the SolarWinds thing, and we're still not back to the patient-zero stage. The bad DLL was signed in March 2020. How long did it take them to get in position to be able to sign AND distribute it?
This is high-level (nation-state) capability / funding / resource stuff...
The level of effort to compromise an org, stay undetected long enough to add your own malware into legit products, and have them compile and deliver it is superior operational-level stuff.
I would not be surprised to find out that some IT services firm was hacked just so they could gain access to the SW network or some other sideways attack vector.
According to: https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/
18k customers actually downloaded the bad update. Managing this number of potential callbacks is also a heavy, manpower-intensive thing....
The 18k turns into a watering-hole sort of problem. Which targets are worthwhile now? Which targets should we infect with some sort of long-term malware and come back to later?
Again, this takes some high-level operational resources to deal with.
Imagine that somebody has to make a determination on 18k callbacks as to kiss / kill / marry them and whether or not any of them have any sort of future value once things get burned
Hypothetically, what if they broke down the endpoints into short / mid / long-term targets and gave each level different malware / C2 infrastructure?
Which infrastructure did FireEye just burn down?
They could have also sold off some access to other folks for cash and kept the good stuff for themselves...
Or given it to other operational groups with a different focus / TTPs.
This is some truly scary crap to have to deal with.
Something else which is somewhat absent from this discussion: of those 18k customers, how many different installations of SW are there? One per branch location? One per geographical region?