CAPE CHARLES MIRROR

Reflections on Cape Charles and the Eastern Shore

Solarwinds Orion Hack: How compromised are Dominion Voting Systems?

December 20, 2020 by Wayne Creed 4 Comments

While DHS and CISA claim this was the most secure election in history, it may be time to revamp that statement. While they deny it, Dominion Voting Systems runs SolarWinds software. DHS and CISA were hacked using the SolarWinds Orion hack. Did other actors use multiple back doors to access Dominion?

The Dominion CEO lied under oath, claiming they never used SolarWinds. Except they recently hid the link, which is still in the source code alongside a custom SolarWinds HTML tag.

Below is a technical analysis, mainly by Picus Labs, which revealed the Tactics, Techniques, and Procedures (TTPs) used in the SolarWinds breach. Attackers used 20+ MITRE ATT&CK techniques.

Some of the built-in SolarWinds Orion functionality accessible to the backdoor hackers:

  • Execute arbitrary HttpRequests
  • Download arbitrary URLs to disk
  • Install NPM packages
  • Execute arbitrary VBScript
  • Execute arbitrary local and remote programs
  • Add nodes to be managed

Decompiling the SolarWinds Orion software with the embedded SUNBURST backdoor used to hack nearly the entire Gov, the first obvious thing: <enforceFIPSPolicy enabled="false"/>

So the US Government is running software with FIPS disabled? Isn't that a violation of a number of laws? FIPS 140-2 validation is mandatory for use in federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information.

FIPS stands for the Federal Information Processing Standard. FIPS 140-2, issued by the National Institute of Standards and Technology (NIST), is a U.S. government computer security standards program used to accredit cryptographic modules produced by private sector vendors. Validated modules go through an extensive development, testing and validation process to gain the validation certificate from NIST.
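As an added illustration, not part of the original article and not SolarWinds code, the following Python script scans .NET application config files for the `<enforceFIPSPolicy enabled="false"/>` opt-out quoted above and strips it so the application falls back to the operating system's FIPS policy. In .NET the element lives under `<runtime>` and, when set to `false`, stops the runtime from rejecting non-validated algorithm classes even on a machine whose OS FIPS policy is turned on; its absence is the default and means the OS policy is honored. The config text and file name below are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a .NET application config file (not SolarWinds' real file).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
    <gcServer enabled="true"/>
  </runtime>
</configuration>
"""


def fips_policy_status(config_xml: str) -> str:
    """Report how a .NET config treats the OS FIPS policy.

    'disabled'           : <runtime><enforceFIPSPolicy enabled="false"/> is present,
                           so non-validated algorithm classes are not blocked even
                           when the OS policy is on.
    'explicit'           : the element is present with any other value (e.g. "true").
    'inherits-os-policy' : the element is absent, which is the runtime default.
    """
    root = ET.fromstring(config_xml)
    elem = root.find("runtime/enforceFIPSPolicy")
    if elem is None:
        return "inherits-os-policy"
    if (elem.get("enabled") or "").strip().lower() == "false":
        return "disabled"
    return "explicit"


def remove_fips_opt_out(config_xml: str) -> str:
    """Return the config with every enforceFIPSPolicy opt-out removed,
    so the application inherits the OS FIPS policy again."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is not None:
        for elem in runtime.findall("enforceFIPSPolicy"):
            runtime.remove(elem)
    return ET.tostring(root, encoding="unicode")


def audit_configs(configs: dict) -> list:
    """Return one finding line per config that disables the FIPS check.

    `configs` maps a file name to its XML text; in real use the caller would
    read every *.config under the application directory."""
    findings = []
    for name, xml_text in configs.items():
        if fips_policy_status(xml_text) == "disabled":
            findings.append(f"{name}: enforceFIPSPolicy is disabled")
    return findings


if __name__ == "__main__":
    for line in audit_configs({"Example.dll.config": SAMPLE_CONFIG}):
        print(line)
    print(remove_fips_opt_out(SAMPLE_CONFIG))
```

Note that this element only governs the runtime's check that the algorithm classes an application instantiates are FIPS-validated; finding it in a shipped config says the check is off, not which algorithms the code actually uses.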

Crazy: Wide open web service running on port 17777 on localhost.

DHS says this was the most secure election ever. Of course, nothing says secure like running servers with DB admin permissions and execute permission on dynamic SQL. Never mind the DLL indexing on dbm_TimeSerieLegacyDDL.
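As an added illustration, not part of the article and not SolarWinds code, the following Python snippet shows why dynamic SQL run under a high-privilege database account is the combination to worry about: whatever text reaches the statement runs with that account's rights. It uses a constructed in-memory SQLite table whose name and columns are invented for the example, and contrasts a statement assembled from caller input with a parameterized one.

```python
import sqlite3

# Constructed stand-in for a monitoring product's node table (invented schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Nodes (NodeID INTEGER PRIMARY KEY, Caption TEXT, IP TEXT)")
    conn.executemany("INSERT INTO Nodes (Caption, IP) VALUES (?, ?)",
                     [("core-sw1", "10.0.0.1"), ("dc01", "10.0.0.5")])
    return conn


def find_nodes_dynamic(conn: sqlite3.Connection, caption: str) -> list:
    """Dynamic SQL: the caller's text is spliced into the statement, so the
    input decides what the statement means and the connecting account's
    privileges become the blast radius."""
    sql = f"SELECT Caption, IP FROM Nodes WHERE Caption = '{caption}'"
    return conn.execute(sql).fetchall()


def find_nodes_parameterized(conn: sqlite3.Connection, caption: str) -> list:
    """Parameterized query: the input is bound as a value and can only ever be
    compared against the column, never interpreted as SQL."""
    return conn.execute(
        "SELECT Caption, IP FROM Nodes WHERE Caption = ?", (caption,)
    ).fetchall()


def compare(caption: str) -> tuple:
    """Run both forms against the same input and return (dynamic_rows, param_rows)."""
    conn = make_db()
    try:
        return len(find_nodes_dynamic(conn, caption)), len(find_nodes_parameterized(conn, caption))
    finally:
        conn.close()


if __name__ == "__main__":
    print("honest lookup:", compare("dc01"))             # one row either way
    print("crafted input:", compare("x' OR '1'='1"))    # dynamic form returns every row
```

The second hardening the paragraph implies is separate from the query style: the account the application connects with should hold only the rights the application needs, so that even a successful injection cannot act as the database administrator.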

Oh, and a misspelled table name, also called legacy. What could be wrong there?

The company, SolarWinds, is using AntiXSS to stop cross-site scripting, but this is software from 2012, with plenty of vulnerabilities:

Here they use the term APM (typically stands for App Manager) admin URL: /Orion/APM/Admin.sitemap. A white hat should definitely test these on Dominion machines to be sure they aren't open.

In use is an old EntityFramework.dll not updated in nearly 8 years. All kinds of exploits available here:

Here we find an ActiveX control to do a PING? ActiveX should not be running in a web browser. Especially not US Government networks that are supposed to be highly secure:

The configuration to access the embedded SUNBURST backdoor found in (SolarWinds.Orion.Core.BusinessLayer.dll.config):

To confirm, Dominion does use SolarWinds:

https://dvsfileshare.dominionvoting.com/Web%20Client/Mobile/MLogin.htm

In the embedded SolarWinds NetPerfMon website application (running .NET Web Forms), some functionality backdoor hackers have access to on the networks. Basically, "Keys to the kingdom. Access to everything":

EO.WebEngine.dll, which has a Remote Debugger backdoor in it. The payload contains a series of DLLs in binary format, including an embedded D3D compiler which makes RPC calls (Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located on another computer on a network without having to understand the network's details. RPC is used to call processes on remote systems as if they were on the local system).

The WebEngine with a remote debugging backdoor and a module function taking Chinese input as an argument:

More and more, this looks like a (NSA?) rootkit, malicious software that is extremely difficult to spot and very hard to remove. One of the most dangerous rootkits was Stuxnet. It targeted Iranian nuclear facilities and was created by the USA and Israel, who then lost control of it.

As a side note, SolarWinds was founded by Puerto Rican billionaire Orlando Bravo, who contributed over $100k to Clinton in 2016.

The other owner of SolarWinds is Silver Lake Partners (SLP). SLP co-founder Glenn Hutchins is a former advisor to Bill Clinton and is currently on the board of the Obama Foundation.

Filed Under: Bottom, News

Comments

  1. T Hall says

    December 20, 2020 at 4:39 pm

    I have done quite a bit of coding in my life and reading this “article” made me chuckle. It is clearly written to get you “deep state” peoples panties in a wad.

    Where do I begin?

    1. More than likely this application has over a million lines of code and here we are supposed to cry foul on a couple of lines.

    2. The article doesn’t tell you whether the code is in use. Sure, it’s in the file but does it get executed? A program or utility that was written but not used.

    3. In the first example of the code in the article we see lines 1 to 6 then 59 – 63. Notice the + next to the 6 and the – next to the 59 – these are 2 different loops. The FIPS policy might be turned off based on valid specific conditions (like only on a test server).

    4. The localhost issue? We are told what that service does. We aren't told what restrictions there are for port 17777 on the firewall; port 17777 could be open to only a specific IP address.

    5. The issue with the DDL. Well, that code only runs if the product version is 11, but we don't know what this program is used for, or if the product version is now higher than 11, in which case it won't run.

    6. "A misspelled table name" LOL, I love this one. Who is to say that the table isn't spelled that way? Without proof that the table is spelled differently than this call, it means nothing.

    7. Vulnerabilities – there are bulletins released all the time. Who's to say they didn't apply the patch? Internet Explorer has a copyright of 2019 but was patched as recently as a few months ago.

    8. EntityFramework.dll – that means it's on the system and it was last executed on Dec 15th. Would have been nice to know or be told when it was executed prior to that.

    9. ActiveX. These are activated through a web browser, mainly IE. We are told where, in what folder, these items are. Just because it's there doesn't mean it can run. For all we know this is in the Trash folder.

    10. Try using the wayback machine to get a picture of the page with the solarwinds graphic – it’s not there. (let me guess – it’s because of some worldwide conspiracy)

    Hate to say it (actually, I don’t) this is all BS. Instead of wasting your energy following another bogus claim why don’t you sit back and enjoy a beer

    Note: Sorry, but this is all just the tip of the iceberg (I would recommend reading the actual report; I agree, this article just touched on a few points). Also, how the heck did SolarWinds, which is used so extensively, get hacked so easily??? Not a bogus claim, is it? You're not even a little curious about that? Sad. If you don't think this stuff is fun, I can't help you…I love it! And I don't drink beer, only martinis. And you should work on your writing skills and grammar…hope your spaghetti code is cleaner, but I doubt it.

    • David L Terrie says

      January 13, 2021 at 3:15 am

      To bring up the page with the SolarWinds graphic on web.archive.org, just use your phone. I just did and it’s there, just as posted in this article.

  2. Paul Plante says

    December 20, 2020 at 10:08 pm

    You just gave us a very impressive list of “how abouts,” T Hall, but “how abouts,” while perhaps making one consider them, as I did yours, but your “how abouts” are conclusive of absolutely nothing, which means it was you who failed to convince the jury, and T Hall, the fact is that the hack really did occur.

    Are you saying that is false?

  3. Reymundo says

    December 23, 2020 at 10:41 pm

    The commenters below took the long route to say SW is in the system and it can be utilized.

