Breaking Badness

155. Sunburst Your Bubble

Coming up this week on Breaking Badness: Keep It on the .dll, Better Regulate Than Never, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

Keep It on the .dll

  • We’re talking about new details of the boldest supply-chain attack to date – the SolarWinds investigation
  • SolarWinds is a massive IT software company with a bunch of network, systems, and infrastructure solutions
    • In this particular case we’re talking about their Orion platform, which does network and resource monitoring as well as some virtualization and other functions
  • Getting into the meat of the story, Mandiant released a statement saying they had been breached, but couldn’t yet prove how the intruders got in
    • We think Mandiant did the right thing in ringing the alarm bell to let the industry and their customers know something was in progress
    • If you wait – and sometimes companies have waited months or even years – you’re sending the message that you don’t care what these attackers may be doing in other networks, perhaps as a follow-on effect of Mandiant being hacked
    • Mandiant got what information was at hand, organized it, and then rang the bell so other organizations could adjust their posture and check their own backyard
  • When SolarWinds was looped into the story by Mandiant, one of their initial tasks was to collect data and logs to reveal potential hacker activity, but logs they needed didn’t exist because they didn’t track everything, which could be due to a resourcing or fundamentals issue
    • It can also be a product of a few other processes, such as wide sweeping acquisitions without proper resourcing to integration, among other things
    • A lot of organizations have this issue and we’re not going to claim we’re completely immune from it either, but we think it’s important to make the effort to identify your unknowns and work through them progressively, especially if you’re in a position like SolarWinds – a possible (and eventual) vector for massive malware to incredibly important institutions
  • A big element of this story is that we now know a former SolarWinds employee raised the concern of the vulnerability in 2017, but the claim appears to be more general than the specific Orion vulnerability and more in the way of “SolarWinds lax security makes a breach inevitable.”
    • You’ll hear this in just about every organization under the sun – often it’s true, because breaches are all but inevitable for most companies
    • SolarWinds could have done a lot of things better – should have done a lot of things better, given its client list – but we need to be careful about preaching from our unhackable ivory towers. The important aspect here is to learn and adapt as we move forward
  • There was one element to this story that investigators consider the linchpin, which is what was found on the virtual machine (VM)
    • The VM was essentially an artifact of the application build process that failed at the time, and it contained a particular malicious file that backdoored Orion once compiled into the code
    • It gave them a possible starting date of the wider compromise and the mechanisms by which the bad actors worked. Reverse-engineering it shed a whole lot more light on the investigation
    • We wouldn’t say that investigators would have nothing without it, but it sure as heck provided a big piece of the puzzle
  • The most shocking revelation was that someone from the FBI mentioned they pointed out the rogue traffic to SolarWinds 6 months before anyone else and it was brushed off as no big deal
    • Six months before the whole situation blew up, the Department of Justice (DOJ) detected suspicious network activity and traced it back to a SolarWinds Orion server they had been trialing
    • DOJ contacted SolarWinds, who shrugged and responded with “we can’t find a vulnerability.” It looks like the matter was dropped without a resolution, and then the DOJ purchased Orion without that resolution
      • There are probably some implementation goals involved here – someone’s KPIs would have been affected by not launching software in a certain time period, or something, and the Orion trial was probably easier to just push into production
  • The word that sticks out most when discussing the cybercriminals behind this hack is “patient”
    • Our old friend Lao Tzu illustrated the value of patience in a very, very relevant way to us in cybersecurity: he conceived of searching for something in muddy water
    • Action for action’s sake is the wrong move there, it just kicks up more sediment and makes things harder
    • The right action is to be patient and let the mud settle so that the water is clear
    • That’s a heck of an analogy as far as information attacks go: sometimes the chaos can work with you, but in more sensitive scenarios patience is your ally, letting the mud settle before you pivot internally
    • Patience is a scary weapon
  • Additional Resources:
    • Unraveling Network Infrastructure Linked to the SolarWinds Hack
    • Change in Perspective on the Utility of SUNBURST-Related Network Indicators

Better Regulate Than Never

  • First, a disclaimer. These show notes were composed by ChatGPT (just kidding, of course!)
  • Politicians and companies alike agree that AI should be regulated, but does that mean lax rules are forthcoming?
    • We’re in an environment of overall friendliness to large corporations—traditionally in the US, with Democrats in control of the White House and the Senate, we’d expect to see more regulation than when Republicans are – but over the last few years it’s been evident that DC doesn’t have much of an appetite for regulation of the largest industries and enterprises
    • What’s more, we also are a country that collectively does not support a very large social safety net
    • What does that have to do with the current concerns about AI? Some of the more dire forecasts suggest that there are going to be big hits on jobs for certain categories of workers
    • We also aren’t doing a great job overall with public education—which has huge implications not only in preparing students for earning a healthy living, but more immediately, for preparing public educational institutions to deal with how large language models (LLMs) and related technologies are going to impact instruction
  • The challenges of jurisdiction regarding copyright and AI are really thorny
    • Malicious online activity can be perpetrated by an actor in Iran, using hosting in the Netherlands, targeting American victims
    • What is the jurisdiction of standing? Works created by AI might not be quite as geographically distributed as that example, but yes, we can see that copyright as well as other implications of this technology may be tricky to adjudicate
  • There is a forthcoming AI Act from the EU
    • It is a relatively broad regulation (proposed) that is trying to set up a legal framework for the development, deployment, and use of AI systems in the EU
    • It’s aiming for transparency and responsible development and use of these technologies, and it lays out the categories of systems that it aims to regulate—such as transportation systems (think self-driving cars), biometrics, education, employment, marketing, law enforcement, social scoring (now there’s a dystopian concept) and others
    • It also looks to classify AI systems (and the contexts in which they operate) in terms of risk—higher risk vs lower risk areas
    • It also proposes compliance frameworks for the safe production and integration of these systems, and accountability and monitoring of the entities bringing AI into our lives
    • It also establishes a European Artificial Intelligence Board, which will be responsible for overseeing the implementation and enforcement of the regulation across the EU
  • So this was just a hearing, but where do we go from here?
    • This was just an opening act—maybe even more a prelude than Act I
    • LLMs are not themselves the AI that’s going to become self-aware and kill us
      • But on the other hand, AI already is killing us (see: autonomous car crashes, Clearview AI misidentifying people with law enforcement, which in and of itself has led more to false arrests than to deaths, but consider what it’s like to be a Black person in the US criminal justice system, and it’s not too much of a stretch to see that leading to fatalities sooner or later)
      • So this is where the EU approach makes a lot of sense, looking at various categories of AI and where they are applied

This Week’s Hoodie/Goodie Scale

Keep It on the .dll

[Ian]: 8.9/10 Hoodies
[Tim]: 9.8/10 Hoodies

Better Regulate Than Never

[Ian]: 9.0/10 Hoodies
[Tim]: 9.953333/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!