Categories
security

A preliminary look into who was hacked in the Sunburst attack

At Prevasio, we have started to narrow down those potentially affected by the SolarWinds hack, because Sunburst used a DGA (Domain Generation Algorithm) that gives us a glimpse into who may have been infected.

The list (with disclaimers) follows:

| Decoded Domain | Mapping (Could Be Inaccurate) |
|---|---|
| hgvc.com | Hilton Grand Vacations |
| Amerisaf | AMERISAFE, Inc. |
| kcpl.com | Kansas City Power and Light Company |
| SFBALLET | San Francisco Ballet |
| scif.com | State Compensation Insurance Fund |
| LOGOSTEC | Logostec Ventilação Industrial |
| ARYZTA.C | ARYZTA Food Solutions |
| bmrn.com | BioMarin Pharmaceutical Inc. |
| AHCCCS.S | Arizona Health Care Cost Containment System |
| nnge.org | Next Generation Global Education |
| cree.com | Cree, Inc (semiconductor products) |
| calsb.org | The State Bar of California |
| rbe.sk.ca | Regina Public Schools |
| cisco.com | Cisco Systems |
| pcsco.com | Professional Computer Systems |
| barrie.ca | City of Barrie |
| ripta.com | Rhode Island Public Transit Authority |
| uncity.dk | UN City (Building in Denmark) |
| bisco.int | Boambee Industrial Supplies (Bisco) |
| haifa.edu | University of Haifa |
| smsnet.pl | SMSNET, Poland |
| fcmat.org | Fiscal Crisis and Management Assistance Team |
| wiley.com | Wiley (publishing) |
| ciena.com | Ciena (networking systems) |
| belkin.com | Belkin |
| spsd.sk.ca | Saskatoon Public Schools |
| pqcorp.com | PQ Corporation |
| ftfcu.corp | First Tech Federal Credit Union |
| bop.com.pk | The Bank of Punjab |
| nvidia.com | NVidia |
| insead.org | INSEAD (non-profit, private university) |
| usd373.org | Newton Public Schools |
| agloan.ads | American AgCredit |
| pageaz.gov | City of Page |
| jarvis.lab | Erich Jarvis Lab |
| ch2news.tv | Channel 2 (Israeli TV channel) |
| bgeltd.com | Bradford / Hammacher Remote Support Software |
| dsh.ca.gov | California Department of State Hospitals |
| dotcomm.org | Douglas Omaha Technology Commission |
| sc.pima.gov | Arizona Superior Court in Pima County |
| itps.uk.net | Infection Prevention Society (IPS) |
| moncton.loc | City of Moncton |
| acmedctr.ad | Alameda Health System |
| csci-va.com | Computer Systems Center Incorporated |
| Redacted | (law firm – redacted) |
| keyano.local | Keyano College |
| uis.kent.edu | Kent State University |
| alm.brand.dk | Sydbank Group (Banking, Denmark) |
| ironform.com | Ironform (metal fabrication) |
| corp.ncr.com | NCR Corporation |
| ap.serco.com | Serco Asia Pacific |
| int.sap.corp | SAP |
| mmhs-fla.org | Cleveland Clinic Martin Health |
| nswhealth.net | NSW Health |
| mixonhill.com | Mixon Hill (intelligent transportation systems) |
| bcofsa.com.ar | Banco de Formosa |
| ci.dublin.ca. | Dublin, City in California |
| siskiyous.edu | College of the Siskiyous |
| weioffice.com | Walton Family Foundation |
| ecobank.group | Ecobank Group (Africa) |
| corp.sana.com | Sana Biotechnology |
| med.ds.osd.mi | US Gov Information System |
| wz.hasbro.com | Hasbro (Toy company) |
| its.iastate.ed | Iowa State University |
| amr.corp.intel | Intel |
| cds.capilanou. | Capilano University |
| e-idsolutions. | IDSolutions (video conferencing) |
| helixwater.org | Helix Water District |
| detmir-group.r | Detsky Mir (Russian children’s retailer) |
| int.lukoil-int | LUKOIL (Oil and gas company, Russia) |
| ad.azarthritis | Arizona Arthritis and Rheumatology Associates |
| net.vestfor.dk | Vestforbrænding |
| allegronet.co. | Allegronet (Cloud based services, Israel) |
| us.deloitte.co | Deloitte |
| central.pima.g | Pima County Government |
| city.kingston. | Kingston City, Australia |
| staff.technion | Technion – Israel Institute of Technology |
| airquality.org | Sacramento Metropolitan Air Quality Management District |
| phabahamas.org | Public Hospitals Authority, Caribbean |
| parametrix.com | Parametrix (Engineering) |
| ad.checkpoint. | Check Point |
| corp.riotinto. | Rio Tinto (Mining company, Australia) |
| intra.rakuten. | Rakuten |
| us.rwbaird.com | Robert W. Baird & Co. (Financial services) |
| ville.terrebonn | Ville de Terrebonne |
| woodruff-sawyer | Woodruff-Sawyer & Co., Inc. |
| fisherbartoninc | Fisher Barton Group |
| banccentral.com | BancCentral Financial Services Corp. |
| taylorfarms.com | Taylor Fresh Foods |
| neophotonics.co | NeoPhotonics (optoelectronic devices) |
| gloucesterva.ne | Gloucester County |
| magnoliaisd.loc | Magnolia Independent School District |
| zippertubing.co | Zippertubing (Manufacturing) |
| milledgeville.l | Milledgeville (City in Georgia) |
| digitalreachinc | Digital Reach, Inc. |
| deniz.denizbank | DenizBank |
| thoughtspot.int | ThoughtSpot (Business intelligence) |
| lufkintexas.net | Lufkin (City in Texas) |
| digitalsense.co | Digital Sense (Cloud Services) |
| wrbaustralia.ad | W. R. Berkley Insurance Australia |
| christieclinic. | Christie Clinic Telehealth |
| signaturebank.l | Signature Bank |
| dufferincounty. | Dufferin County |
| mountsinai.hosp | Mount Sinai Hospital |
| securview.local | Securview Victory (Video Interface technology) |
| weber-kunststof | Weber Kunststoftechniek |
| parentpay.local | ParentPay (Cashless Payments) |
| europapier.inte | Europapier International AG |
| molsoncoors.com | Molson Coors Beverage Company |
| fujitsugeneral. | Fujitsu General |
| cityofsacramento | City of Sacramento |
| ninewellshospita | Ninewells Hospital |
| fortsmithlibrary | Fort Smith Public Library |
| dokkenengineerin | Dokken Engineering |
| vantagedatacente | Vantage Data Centers |
| friendshipstateb | Friendship State Bank |
| clinicasierravis | Clinica Sierra Vista |
| ftsillapachecasi | Apache Casino Hotel |
| voceracommunicat | Vocera (clinical communications) |
| mutualofomahaban | Mutual of Omaha Bank |

† In this case, the company in question has reached out to me directly and asked that they not be listed. The company had performed a forensic review and believes they are not affected. In the interest of transparency, I can provide more details if contacted directly.


The Sh*tstorm of the SolarWinds hack

Pretty simple hack in concept: alleged Russian actors compromised an update package for SolarWinds Orion (sophisticated software used by enterprises and institutions to manage network resources).

This is an extremely crafty hack. The tampered Orion update package was uploaded onto SolarWinds’ own site, and it is even digitally signed.

According to FireEye’s excellent writeup:

The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.
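The DNS behaviour FireEye describes above (a beacon to a subdomain of avsvmcloud[.]com, then a CNAME answer that hands the implant off to a C2 domain) is what a defender can hunt for in resolver logs. The script below is an added example and not code from the original post or from FireEye; the log line format, hosts, IP addresses and the C2 placeholder name are all constructed.

```python
import re
from dataclasses import dataclass

# Zone named in the FireEye writeup; the leading label of each query is
# where the DGA-encoded victim identifier sits.
BEACON_ZONE = "avsvmcloud.com"

# Constructed log format: "<ts> <client> <qname> <qtype> <answer>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|CNAME)\s+(\S+)$")


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    qtype: str
    answer: str

    @property
    def stage(self) -> str:
        # A CNAME answer pointing outside the beacon zone is the C2 hand-off;
        # a plain address lookup is the initial beacon.
        if self.qtype == "CNAME" and not in_zone(self.answer):
            return "c2-handoff"
        return "beacon"


def in_zone(name: str) -> bool:
    # Match the zone and true subdomains only, not look-alikes
    # such as notavsvmcloud.com.
    return name == BEACON_ZONE or name.endswith("." + BEACON_ZONE)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype, answer = m.groups()
    return Hit(ts, client, qname.rstrip(".").lower(), qtype, answer.rstrip(".").lower())


def find_sunburst_beacons(log_lines):
    """Return every parsed record whose query name falls under the beacon zone."""
    return [r for r in (parse_line(l) for l in log_lines) if r and in_zone(r.qname)]


# Constructed sample log: one beacon, one C2 hand-off, one benign lookup, one look-alike.
SAMPLE_LOG = [
    "2020-12-14T03:12:07Z 10.0.5.21 encodedlabel.api.avsvmcloud.com A 192.0.2.10",
    "2020-12-14T03:12:08Z 10.0.5.21 encodedlabel.api.avsvmcloud.com CNAME cdn.c2-placeholder.test",
    "2020-12-14T03:13:00Z 10.0.5.22 updates.example.test A 198.51.100.7",
    "2020-12-14T03:13:05Z 10.0.5.23 www.notavsvmcloud.com A 203.0.113.9",
]
```

Clients that produce a "c2-handoff" record are the ones to isolate first; a "beacon" alone still indicates a trojanized Orion install that has left its dormant period.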

And now, it looks like the US Government may have been seriously compromised.

This is kind of a big deal…

Malwarebytes also has good coverage, as does Prevasio.


Is Docker secure? We executed all the containers in the Docker Hub to find out. What we found was troubling.


Docker – a way of building applications using containers (micro-apps that are used in Lego-block fashion to build larger programs) – is taking the enterprise world by storm. With customers that count among the top technology-forward companies in the world (Netflix, AT&T, PayPal, Snowflake, Verizon, Target, and many others), it’s become the new standard in deploying highly robust and distributed applications. At the core is Docker Hub, the main universe of Docker containers, with over 4 million container images*.

With so many enterprises and institutions running Docker, security is a concern, and security vendors such as StackRox, Aqua and Snyk have grown up to answer the call. I’m sure plenty of these vendors have analyzed containers, but in the end those analyses are only static: they do not account for everything that actually happens when a container is run.

So I’m happy that today Prevasio, a company I’m advising, has released the results of the first and only analysis of the entire Docker Hub. What Prevasio did is new and important: they went through the entire Docker Hub and actually ran each container to see what happens.

This is not a small task; the company spent tens of thousands of dollars in computing power on it. And the Prevasio Analyzer works differently from any other solution on the market: at its core is a sandbox that “detonates” (executes) a container to observe what actually occurs at runtime. This sandboxing gives a unique view into what happens when a container is executed. (This is the difference between behavioral analysis and static analysis: a static analysis uses signatures to judge maliciousness but can never tell what an application will actually do. For a real look, one needs to analyze behavior.)

Some of the results are troubling:

  • 51 percent of all containers had “critical” vulnerabilities, while 13 percent were classified as “high” and four percent as “moderate”.
  • Six thousand containers were riddled with cryptominers, hacking tools/pen testing frameworks, and backdoor trojans. While many cryptominers and hacking tools may not be malicious per se, they present a potentially unwanted issue to an enterprise.
  • Over 400 examples (with over 500,000 pulls) of weaponized Windows malware crossing over into the world of Linux. This crossover is directly due to the proliferation of cross-platform code (e.g. GoLang, .NET Core and PowerShell Core).

The full whitepaper is here, and Prevasio’s blog post is here.

But if you want to have some fun, Prevasio has all the data publicly available live on their site, at malware.prevasio.com. Feel free to look at the results for yourself.

*A container image is the template that creates the actual Docker containers.