
Security Bits — 3 Jan 2021

Feedback & Followups

Steve asked a question for Bart in our Slack podfeet.com/slack:

In your discussion of the SolarWinds attack in the latest Security Bits, you mentioned the attack only affected Windows domain networks, albeit that probably impacts a high percentage of businesses out there. I infer this means that the few organizations that are not using a Windows domain network are definitely not impacted by this attack, correct?

Bart answered:

Not quite; remember, SolarWinds Orion is just one vector being used by this specific Advanced Persistent Threat (Fancy Bear), albeit the most prominent one. If you’re a valuable enough target to this APT, you can’t assume all is grand just because you don’t run Orion/Windows. CISA would have told you what to look for in the Indicators of Compromise. Secondly, while SolarWinds can be tightly integrated into Windows, it doesn’t only manage Windows.

Bruce Wilson also answered in our Slack:

SolarWinds Orion often has high-level credentials, including Windows domain credentials, as well as ssh keys to log into privileged accounts on both Linux and network hardware. Orion runs on Windows but is used to monitor and manage servers (Windows and Linux), applications, and network gear. A lot depends on what accounts are given to Orion and what privileges are given to those accounts. Tailoring that access to give those accounts what’s needed and no more can be time-consuming. I’ve definitely seen people decide to just give the Orion accounts unrestricted sudo, rather than sort out exactly what commands it does need to run. And it matters a lot if someone is using Orion to just monitor or if they (were) using it to monitor and manage. So, the point here is that multiple adversaries compromised Orion and got the ability to run code as the Orion process, and (thereby) to use any credential to which Orion had access.
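
As an added illustration of Bruce’s point about the Orion accounts (example configuration written for these notes, not from the page, from Bruce, or from SolarWinds; the file path and the command list are assumptions), here is the unrestricted-sudo shortcut beside a least-privilege allowlist for a Linux host that Orion monitors:

```sudoers
# Illustrative /etc/sudoers.d/orion fragment (assumed path and command
# list; install with "visudo -f /etc/sudoers.d/orion" so syntax is checked).

# WEAK: the "just give it sudo" shortcut. Any code running as the Orion
# process on this host is now full root, and the auth log records only
# that sudo was used, not a bounded set of commands.
#
#   orion ALL=(ALL) NOPASSWD: ALL

# RESTRICTED: an explicit allowlist of the exact commands, with exact
# arguments, that the monitoring role actually runs. The commands below
# are placeholders; build the real list from what the account has been
# observed to execute, then drop anything that is management rather
# than monitoring.
Cmnd_Alias ORION_MONITOR = /usr/bin/systemctl status sshd, \
                           /usr/bin/systemctl status nginx, \
                           /usr/sbin/dmidecode -t system, \
                           /usr/bin/journalctl -p err --since -1h

# Keep arguments literal. A wildcard such as "/usr/bin/systemctl status *"
# matches any trailing arguments, so the grant is far wider than it reads.
orion ALL=(root) NOPASSWD: ORION_MONITOR

# Record the I/O of every sudo session for this account so that, after an
# incident, what was done with the credential can be reconstructed.
Defaults:orion log_input, log_output
```

After installing the fragment, visudo -c -f /etc/sudoers.d/orion validates the syntax and sudo -l -U orion shows the exact grant the account ended up with.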

  • Discussion of Kernel Extensions (KEXTs)
    • Audio Capture Engine (ACE) from Rogue Amoeba is being treated like a KEXT (even though it is not a KEXT), so on macOS Big Sur we have to do the extreme dance where you boot into Recovery and reduce your security level to where you would have been in Catalina. But Paul Kafasis says you can put it back up after the installation.
      • Is this true for other extensions?
      • Can you delete KEXTs? Give Steve’s example: needing a driver for the DJI Phantom.
      • Look at www.maketecheasier.com/…, but those instructions predate the new Big Sur security levels.
      • Kernel extensions live in /System/Library/Extensions; look for .kext bundles.
      • You might need to boot into Recovery and use the Terminal command kextunload [full path to the kext].

Worthy Warnings

Notable News

Top Tips

Palate Cleansers

  • The physics of cameras and lenses like you’ve never seen it before — it’s a long read, but the article is peppered with interactive ‘diagrams’ that really help you see what’s going on — ciechanow.ski/…

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
