Much has already been said about the recently reported SolarWinds compromise. In this post, we are not attempting to further investigate the attack, but rather, to provide a SecDevOps perspective on a few of the underlying software and development processes that are reported to have been involved in the initial compromise at SolarWinds. These processes are not unique to SolarWinds, and in fact, are often considered best practices in software development.
The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.
The Recon incident response team recently worked an intrusion case involving a Confluence web application server that was affected by CVE-2019-3396.
US-CERT posted a new Tactical Alert (TA18-106A) based on a combined intelligence effort between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). It provided an alert on network devices being exploited by Russian state-sponsored actors. Network device targets include but are not limited to government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. The TA outlines details on the tactics, techniques, and procedures (TTPs) used by Russian state actors. The purpose of the TA was to inform the public about the Russian government campaign.