Hello, welcome to the Monday, December 14th, 2020 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, I actually already had this podcast recorded and sort of ready to go when we had some late breaking news related to the Fire Eye incident

of last week. Turns out that this particular incident was actually part of a larger problem.

Turns out that the root of the compromise of Fire Eye was actually a compromise of Solar Winds.

Solar Winds is a company that makes monitoring software and management software for networks

and their Orion product apparently was compromised and used to infect selected customers with backdoors.

This compromise happened between March and July and looks like not all customers of Solar

Wind are affected, but instead only specific customers were supplied with tailored back doors.

The basic backdoor was used here was of course good old Cobalt strike, but some of the details

like for example the exact DLL being injected,

changed from customer to customer.

And right now it's not clear how many customers are affected.

But it looks like the targets are either government networks

or networks of related, again, suppliers,

like for example, Fire Eye. Now, this is still very much

a developing story and I put up a quick diary with what we essentially know at this point.

There will be very likely a special webcast on Monday evening, Eastern time,

likely around 5.30 p.m. Eastern, but that's still being exactly worked out.

So watch our website, watch our Twitter feeds for any updates.

Now sticking with Fire Eye here for another story, one of the issues with Fire Eye's release

regarding the breach last week was that they didn't really specify how they exactly got

compromised. I guess now we know a little bit more

...