Where "the old ways" bite us again




It's Wednesday, December 16th. As of this writing, FireEye has not explained how they caught the attackers, and SolarWinds has not released any information about how they were compromised. The discussion on Twitter among infosec professionals ranges from various hand-wavy threat intelligence topics concerning APT groups to policy-level band-aids that describe enshrining new rules and policies.

At the end of the week, though, I imagine the popular sound bites from these discussions will survive the melee of the public Twitter forum, and the folks who still have energy to debate on the internet will continue to do so.

Problem is, though, none of that "actually helps". It makes people feel smarter for a little while, sure, but it doesn't address the root of the problem - there is a layer of people present in most businesses, and in our government, who intentionally misdirect efforts of a computer security nature towards compliance and policy "solutions", which oftentimes are little more than "some corporate policy phrases in a wiki" and an extra wheelbarrow of money to insurance carriers.

These efforts literally do not solve anything. They protect "the money" in the event that a business or a leg of the government gets sued - but they do literally nothing to prevent "another instance of an attacker breaking into systems and detonating ransomware or stealing data, or eavesdropping for months".

Phobos Group was founded on the principle that compliance and security are not the same. One cannot be substituted for the other. In fact, by our measure, the strongest possible position to be in is to first have a strong security apparatus, and then examine that existing apparatus through a compliance lens if need be.

The core reason for the issues we continue to experience is that many businesses elect to do "only what the compliance auditors are going to look for, and literally nothing else" - and this gets directly into the meat: the security evaluations of vendors fall into this category. If businesses are electing to evaluate vendors based on the results of "sending that vendor an Excel spreadsheet and hoping the vendor does not simply fill it with lies and send it back", it's pretty obvious what's happening.

HackingTeam was compromised by Phineas Fisher - and since he never said HOW he did it, only that it was "through compromising an appliance on their WAN" - the only two I found at the time were their firewall and a Barracuda anti-spam appliance. Several years ago at 44con, a German security researcher discovered that by sending a 7zip file to a FireEye PX device, he could overwrite the parser for certain types of files because of how 7zip files were extracted (absolute paths were honoured, and uncompressing as root would overwrite system files if you could snipe the path), and that by sending another email to then cause the overwritten parser to fire, he could (and did, on stage) get a root shell on the appliance by sending two emails.
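The FireEye PX bug above is an instance of a general archive-extraction flaw: member names are copied out of the archive verbatim, so an absolute path or a `..` component lands the file wherever the attacker chose, with the extractor's privileges. The check an extractor should run before touching disk is shown below as an added example (not code from this post, from FireEye, or from the 44con talk). It uses Python's `zipfile` as a stand-in for the 7zip extractor, since the flaw is about member names rather than the compression format, and `DEST` is an assumed extraction root; the sample archive is constructed in the block itself.

```python
import io
import posixpath
import re
import zipfile
from typing import Dict, Optional

# Hypothetical extraction root; every member must resolve to a path beneath it.
DEST = "/srv/extract"

# Windows drive-letter prefix ("C:..."); posixpath.isabs() does not recognise it.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_entry(name: str, dest: str = DEST) -> Optional[str]:
    """Return why extracting `name` under `dest` would be unsafe, or None if it stays inside.

    Archive formats carry member names verbatim; an extractor that joins them onto
    its destination without checking lets '/etc/...' or '../..' land outside dest.
    """
    n = name.replace("\\", "/")  # judge Windows-style separators the same way
    if posixpath.isabs(n) or _DRIVE_RE.match(n):
        return "absolute path"
    normalized = posixpath.normpath(n)  # collapses 'a/../../x' to '../x'
    if normalized == ".." or normalized.startswith("../"):
        return "parent directory traversal"
    # Belt and braces: resolve against dest and require containment.
    target = posixpath.normpath(posixpath.join(dest, normalized))
    if target != dest and not target.startswith(dest.rstrip("/") + "/"):
        return "escapes destination"
    return None


def audit_zip(data: bytes, dest: str = DEST) -> Dict[str, Optional[str]]:
    """Map every member name in a ZIP (given as bytes) to its verdict from classify_entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info.filename, dest) for info in zf.infolist()}


def safe_to_extract(data: bytes, dest: str = DEST) -> bool:
    """Reject the whole archive if any member would land outside dest."""
    return all(verdict is None for verdict in audit_zip(data, dest).values())


def build_sample_zip() -> bytes:
    """Constructed sample: one benign member and three that a naive extractor would misplace."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign\n")
        zf.writestr("/etc/motd", "absolute path member\n")
        zf.writestr("../../escape.txt", "traversal member\n")
        zf.writestr("C:/Windows/Temp/drive.txt", "drive-letter member\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, verdict in audit_zip(sample).items():
        print(f"{member!r}: {verdict or 'ok'}")
    print("archive safe:", safe_to_extract(sample))
```

The design point is that the decision is made on the normalised name before any I/O, and that one bad member rejects the whole archive rather than silently skipping it; an appliance that extracts mail attachments as root has no safe partial mode. Symlink members (a link pointing outside `dest`, then a later member written through it) are a separate hazard this name check does not cover.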

For years, security professionals have warned about the potential for security tools and automation software to be used against their owners because "people treat them like they're a VCR". It's critical to understand that these appliances are "just computers that you don't have access to, which in some cases you've put on your LAN - in a very sensitive place". In many cases they're ancient Linux kernels running on ancient hardware. It's incredibly rare for us, as a vendor ourselves, to meet a colleague or customer who has done a security evaluation against a vendor who sells an appliance.

In the case of SolarWinds, the entry point wasn't an appliance - it was a software package that gets installed onto a Windows system - and in an overwhelming majority of cases, onto a domain-joined computer. This puts the software in an incredibly useful position for any would-be attackers who could 'ride it into the network'.


For years, I've been speaking at conferences and pointing out the things that some businesses seem entirely comfortable putting on the internet. From those efforts, we have derived various patterns of behavior, and those patterns give us insight into the behavior of a given company. For example, in this screenshot we can see that SolarWinds has IIS 8.5 servers in production. That version of IIS was released in 2013. The mere fact that this host is present and "in production" should tell you something about SolarWinds.

Orbital was originally built so that the Phobos Group red team could use it on engagements to cut down the lengthy recon stages of a given engagement - the side effect turned out to be our ability to discover patterns of behavior and map "things we found on their perimeter" to "things we found inside the LAN or datacenter networks".

Simply put: the chances are high that the same people who set up the perimeter and external assets are the same people who set up the internal network and assets.

A company's perimeter will give you insight into what's happening behind the scenes - and this is more valuable intel about a company than whatever they put into a spreadsheet questionnaire.

And yes, the next question is "can we use Orbital to scan our vendors to assess how risky they are" - we're working on what the pricing model of that will be, but in the meantime, a cheat code for that is "if the vendor you wish to assess has sold you hardware, and that hardware is on your network, it's in scope already".