Decompiling the SolarWinds Orion software with the embedded SUNBURST backdoor used to hack nearly the entire Gov, first thing I find: <enforceFIPSPolicy enabled="false"/>

So the US Government is running software with FIPS disabled? Isn't that a violation of a Number of Laws?
Note to self: Wide open web service running on port 17777 on localhost. @CodeMonkeyZ This could be a candidate for #DominionVotingSystems forensic audits.
Heh, nothing like the most secure election ever running servers with DB Admin permissions and execute permission on dynamic SQL. Yeah! And never mind DLL indexing on dbm_TimeSerieLegacyDDL. Misspelled table name, also called legacy. What could be wrong there?
Hey look. SolarWinds is security minded after all. They have a library to prevent Cross Site Scripting attacks. But oops. That's pretty ancient. The Web sure has changed a lot since 2012 (don't mind that modified date): https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjXovHzw8_tAhV6GFkFHQJpDO8QFjAAegQIARAC&url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D28589&usg=AOvVaw08DlTyPzYgXwAzdahP-mwm This library also has security issues.
Another ancient library: Antlr3. I wonder what they need this for? Hope it is for straight grammar parsing and not dynamic code generation. This version, going back to 2012, also has many well-known vulnerabilities. https://www.google.com/search?client=firefox-b-1-d&q=anltr3+cve

Source code: https://github.com/antlr/antlr3
And here is the APM (typically stands for App manager) admin Url: /Orion/APM/Admin.sitemap

Wonder if the legacy URL still works: /Orion/APM/Admin/Default.aspx

Should definitely test these on #DominionVotingSystems machines to make sure they aren't open.
Old EntityFramework.dll not updated in nearly 8 years. All kinds of nasties in this one to exploit.
Really? An ActiveX control to do a PING? No one should be running ActiveX controls in a web browser. Especially not US Government networks that are supposed to be highly secure.
Some more endpoints for Forensic Auditors to probe or be added to vulnerability scripts and penetration testing software for script kiddies to use (looking at you @metasploit and @kalilinux )
Really? Using CDO for sending email? How old is this library? This is just insane. This one also has vulnerabilities, as unmanaged code, including buffer overflows.
And more ancient DLLs notorious for vulnerabilities and accessing unsafe, unmanaged system code. I haven't seen this stuff in years:

- A COM+/DCOM wrapper.
- Old OLE library.
- Old Windows Firewall Manager wrapper.
- COM+ Automation "library" for OLD versions of Internet Explorer.
And here we are. The configuration to access the embedded SUNBURST backdoor found in (SolarWinds.Orion.Core.BusinessLayer.dll.config)

Settings of interest:
Security settings for the WCF services:

Note no credentials required for the update notification service:
WSHttpBinding_IMaintUpdateNotifySvc
More work on de-compiling the SolarWinds Orion software here, along with URLs to download the code and research into which versions have the exploit: https://twitter.com/KyleHanslovan/status/1338358831722749953
Another point of interest for Forensic Auditors: SNMPWalk.exe, set up to scan SNMP services running on port 161 by default.
51 ActiveX components in the SolarWinds Orion Suite:
In addition to the 51 ActiveX components there are 23 System Modules.

The SolarWinds Orion installer applies unknown binary patches to all those ActiveX components and these modules.

Who knows what is lurking in these patches or what the need for some of them ever are?
For grief's sake: SolarWinds Orion contains a binary patched "SQL Server Windows 95 Lite SCM" DLL.

Windows 95? On government servers? This whole library is starting to smell like an NSA rootkit. Is this software linked to the @Snowden leaks? Is it how the NSA owns everyone?
And yes, #DominionVotingSystems, which ran "our most secure election ever" per the DHS and CISA, who ironically were owned by the SolarWinds Orion hack, also runs SolarWinds. Funny thing: a backdoor wasn't even necessary. The software is insecure without one. https://twitter.com/mattpannett/status/1338639965908045824
From the embedded SolarWinds NetPerfMon website application (running .NET Web Forms), some functionality backdoor hackers have access to on the networks. Basically, "Keys to the kingdom. Access to everything."
EO.WebEngine.dll is a massive 62 MB, a clear sign of an embedded payload, and has the embedded ability to control it via a Remote Debugger. Another SolarWinds Orion backdoor here.
I extracted the 62 MB embedded payload in the EO.WebEngine.dll which has a Remote Debugger backdoor in it. The payload contains a series of DLLs in binary format, including an embedded D3D compiler which makes RPC calls. In all 78 DLLs and references found in the binary payload.
No software running on US government servers and #DominionVotingSystems is complete without a WebEngine with a remote debugging backdoor and a module function taking #CHINESE input as an argument!

This on top of the OTHER #SUNBURST backdoor in the #SolarWinds #Orion software!
An embedded web-based COM SQL engine in Interop.C1Query80.dll that uses the embedded Internet Explorer COM objects as a GUI.
Why the need for MSDATASRC, a VB6 ActiveX COM object for remote data sources?
This explains the SNMP scanner: a complete SNMP management suite embedded within SolarWinds Orion. Backdoor hackers must have had a field day with this.

Retrieving users' passwords is always a great security idea.
Some of the built-in SolarWinds Orion functionality accessible to the Backdoor hackers:

- Execute arbitrary HttpRequests
- Download arbitrary URLs to Disk
- Install NPM Packages
- Execute arbitrary VBScript
- Execute arbitrary Local and Remote Programs
- Add nodes to be managed
For anything hackers couldn't accomplish using SNMP, SolarWinds Orion also provides a complete WMI management suite: remote backdoors, arbitrary file downloads and executions, and complete SNMP/WMI management suites. A perfect trifecta.
Technical analysis: Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach - Ten different MITRE ATT&CK tactics, including Lateral Movement, Command and Control, and Data Exfiltration. https://twitter.com/PicusSecurity/status/1338866931567226880
Literally can't make this up: #Dominion CEO LIED under oath today, claiming they NEVER used SolarWinds. Except they recently HID the link, which is still in the source code alongside a custom SolarWinds HTML tag.

Site: https://dvsfileshare.dominionvoting.com/Web%20Client/Mobile/MLogin.htm
Archive: https://archive.is/MPVo8
The plot thickens. SolarWinds owned by a Clinton-tied billionaire who donated 100k in 2016. https://twitter.com/CarrollQuigley1/status/1338898072772947970?s=19
Password: "solarwinds123" 🤦‍♂️

Software with this level of access and this level of distribution coming with a default admin password! https://twitter.com/zackwhittaker/status/1338934516111564805?s=19
Company name followed by 123. This password definitely does not meet basic complexity requirements. No uppercase or special characters. And way too short. Yet it's embedded for a critical service account. Sorry, but a state actor like Russia was not required for this attack.
But the password didn't even need to be hacked. It was widely available on the internet. It was an open secret backdoor for the NSA for anyone running the software.
For all the trolls complaining the screenshot disabling FIPS shows the DB maintenance config:

13 applications explicitly disable the enableFIPSPolicy in their configuration file. This is also disabled by default for apps without this setting.
NPM Web Backup in the NetPerfMon sets the default Admin and Guest password to Blank in NetPerfMon_Initial_Configuration.NPMWebBackup
Look at what 4 states, among others, are using SolarWinds. https://twitter.com/JPMediaBoss/status/1338363313395122176?s=19
Default SQL Server Account Database Password:

User Id=SolarWinds
Password=thepassword
More vulnerabilities in Database upgrade module:

The application runs with "root" dbo permissions as evidenced by this hard coded connection string.

The module then runs arbitrary SQL scripts either from a directory, parsed from C# code, or read from a loaded assembly (DLL).
Given the hackers' access to download remote URLs and save them to disk, it would then be trivial to run any scripts against the database server using the upgrade module and then delete any logs of the event after.
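A config audit a defender can run against a .NET app.config/web.config to surface the two findings described above (an explicit enforceFIPSPolicy="false" and a connection string with an embedded plaintext password). This is an added example, not SolarWinds code; the sample config and the weak-password heuristic are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .config modelled on the settings the thread describes;
# it is not the real SolarWinds file.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
  <connectionStrings>
    <add name="NetPerfMon" connectionString="Data Source=localhost;Initial Catalog=NetPerfMon;User Id=SolarWinds;Password=thepassword"/>
    <add name="Reporting" connectionString="Data Source=localhost;Initial Catalog=Reports;Integrated Security=SSPI"/>
  </connectionStrings>
</configuration>
"""

def fips_state(root):
    """'explicitly-disabled', 'explicitly-enabled', or 'unset' (runtime default applies)."""
    node = root.find("./runtime/enforceFIPSPolicy")
    if node is None:
        return "unset"
    return "explicitly-enabled" if node.get("enabled", "").lower() == "true" else "explicitly-disabled"

def is_weak_password(pw):
    """Heuristic from the thread's complaints: too short, ends in '123', no uppercase, or purely alphanumeric."""
    return (len(pw) < 12 or pw.lower().endswith("123")
            or not any(c.isupper() for c in pw) or pw.isalnum())

def connection_string_findings(root):
    """One finding per connection string that embeds a plaintext SQL password."""
    findings = []
    for add in root.findall("./connectionStrings/add"):
        cs = add.get("connectionString", "")
        pw = re.search(r"(?:^|;)\s*password=([^;]*)", cs, re.I)
        if not pw:
            continue  # integrated auth or no password: nothing embedded to leak
        user = re.search(r"(?:^|;)\s*user id=([^;]*)", cs, re.I)
        finding = f"{add.get('name')}: plaintext password for user {user.group(1) if user else '?'}"
        if is_weak_password(pw.group(1)):
            finding += " (weak)"
        findings.append(finding)
    return findings

def audit(config_text):
    """Parse one .config file and return both checks as a dict."""
    root = ET.fromstring(config_text)
    return {"fips": fips_state(root), "connection_strings": connection_string_findings(root)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```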
Known products affected by the hack
Attack surface in settings.aspx allows the user to specify a URL or file which can then be loaded into memory or saved on the server as 'nologo.gif', with the ability to disable auditing.

This serves as a perfect place to hide a binary exploit payload.
The settings.aspx vulnerability couples with ImageUploadHandler.ashx, allowing downloads of any exploited data loaded into 'nologo.gif'.
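A detection check a responder could run over the stored logo file to confirm it really is an image rather than a disguised payload: it verifies the GIF signature and trailer and flags ASP.NET server-code markers. Added example, not from the thread or SolarWinds; both sample blobs are constructed.

```python
# Constructed samples: a minimal valid 1x1 GIF, and a blob that keeps the GIF magic
# bytes but carries ASP.NET page markup (the shape of a disguised web shell).
GOOD_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"          # header + logical screen descriptor
            b"\x00\x00\x00\xff\xff\xff"                    # 2-entry colour table
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"    # image descriptor
            b"\x02\x02\x44\x01\x00\x3b")                   # LZW data + trailer
FAKE_GIF = b'GIF89a<%@ Page Language="C#" %><script runat="server">/* ... */</script>'

# Markers that have no business inside an image file (ASP.NET directives / server code).
SUSPICIOUS_MARKERS = [b"<%@", b"<script runat=", b"System.CodeDom", b"Assembly.Load("]

def check_logo_blob(data):
    """Return a list of findings; an empty list means the blob looks like a plain GIF."""
    findings = []
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        findings.append("no GIF signature")
    if not data.endswith(b"\x3b"):
        findings.append("no GIF trailer byte (0x3B)")
    for marker in SUSPICIOUS_MARKERS:
        if marker in data:
            findings.append("contains " + marker.decode("ascii"))
    return findings

if __name__ == "__main__":
    for name, blob in (("good", GOOD_GIF), ("fake", FAKE_GIF)):
        print(name, check_logo_blob(blob) or "clean")
```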

"Browsers can figure it out if it's wrong, they have for years - PC"

Nope. You're just a dumb ass begging for data leaks or a backdoor webshell.
Here we are: FireEye confirms my analysis of the nologo.gif exploit in the SolarWinds Orion.

In fact, they report it was used as a .NET web shell back door known as #SuperNova.

How many #backdoors do we have now besides #SUNBURST?

https://twitter.com/kr3at/status/1339730351632097280
To counter propaganda that the #SolarWinds hack is so widespread because it is "difficult to detect", here's a link to my fork of FireEye's #Sunburst countermeasures with literally hundreds of detection rules for everything from Snort to ClamAV. https://github.com/alexhiggins732/sunburst_countermeasures
In this thread I outline DoD standards regarding software and explain why the SolarWinds Orion hack making it onto so many sensitive DoD networks stinks to high hell!

Where are our journalists? Why aren't they doing their job? https://twitter.com/kr3at/status/1339766512811388928?s=19
The SolarWinds Orion hack just went DOOMSDAY level. CISA's latest alert reveals the HARDWARE and FIRMWARE supply chain has been compromised.

That means going from re-imaging computers to needing to re-manufacture hardware and starting over from scratch. https://twitter.com/kr3at/status/1340423811032879105
The CISA update lists the Hardware and Firmware supply chain as attack vectors warning that backdoors can be embedded into the chips of various devices such as "services, workstations, network infrastructure or peripherals"

GitHub - Latest attack vectors: https://gist.github.com/alexhiggins732/4414236f49805223201ac5e600ed31a0
For the trolls arguing this does not impact chips:

"Hardware backdoor" - Hardware backdoors are backdoors in hardware, such as code inside hardware or firmware of computer chips.

https://en.wikipedia.org/wiki/Hardware_backdoor
You can follow @kr3at.