DHS and CISA claim this was the most secure election in history; it may be time to revamp that statement. Although they deny it, Dominion Voting Systems runs SolarWinds software, and DHS and CISA were themselves among the agencies compromised through the SolarWinds Orion backdoor. Did other actors use multiple back doors to access Dominion?
The Dominion CEO claimed under oath that they never used SolarWinds, yet a recently hidden link to SolarWinds remains in the page source, alongside a custom SolarWinds HTML tag.
Below is a technical analysis, drawing mainly on the Picus Labs write-up that detailed the Tactics, Techniques, and Procedures (TTPs) used in the SolarWinds breach. The attackers used more than 20 MITRE ATT&CK techniques.
Some of the built-in SolarWinds Orion functionality reachable by whoever controlled the backdoor:
– Execute arbitrary HTTP requests
– Download arbitrary URLs to disk
– Install NPM (Network Performance Monitor) packages
– Execute arbitrary VBScript
– Execute arbitrary local and remote programs
– Add nodes to be managed
Decompiling the SolarWinds Orion build with the embedded SUNBURST backdoor, the same build used against multiple US federal agencies, the first obvious thing is this runtime setting: <enforceFIPSPolicy enabled="false"/>
So the US Government is running software with FIPS enforcement switched off? Isn't that a violation of a number of laws? FIPS 140-2 validation is mandatory, under FISMA, for cryptography used by federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. It is worth being precise about what this switch does: in .NET, enforceFIPSPolicy controls whether the runtime honours the Windows "use FIPS compliant algorithms" policy for its managed cryptographic classes. With it set to false, the application can instantiate non-validated managed algorithm implementations without the runtime throwing, even on a host where that OS policy is enabled, so the host's FIPS policy is silently bypassed for this one application.
FIPS stands for Federal Information Processing Standard. FIPS 140-2, issued by the National Institute of Standards and Technology (NIST), is the US government standard against which cryptographic modules produced by private-sector vendors are validated. Validated modules go through an extensive development, testing and validation process to obtain a certificate from the Cryptographic Module Validation Program (CMVP), which NIST runs jointly with the Canadian Centre for Cyber Security; its successor, FIPS 140-3, has been the standard for new validations since 2019.
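To make the setting concrete, here is an added example (not SolarWinds code) that audits a .NET application config for the enforceFIPSPolicy switch, shows the weak setting beside the corrected one, and rewrites the config to enforce the policy. The sample config is constructed to reproduce the element quoted above; the appSettings entry in it is a hypothetical placeholder.

```python
"""Audit a .NET app config for the runtime FIPS-policy switch.

Added example; this is not SolarWinds code. The sample config below is
constructed to reproduce the <enforceFIPSPolicy enabled="false"/> element
quoted above; everything else in it is a hypothetical placeholder.
"""
from typing import List
import xml.etree.ElementTree as ET

# Constructed sample of the weak setting (mirrors the element quoted above).
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="ExampleSetting" value="placeholder"/>
  </appSettings>
  <runtime>
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
</configuration>
"""

# The corrected setting: let the CLR honour the Windows FIPS policy.
HARDENED_CONFIG = WEAK_CONFIG.replace('enabled="false"', 'enabled="true"')


def fips_policy_enforced(config_xml: str) -> bool:
    """Return True if the runtime will honour the OS FIPS policy for this app.

    .NET semantics of <runtime><enforceFIPSPolicy>:
      element absent  -> enforced (the default is true)
      enabled="true"  -> enforced
      enabled="false" -> not enforced: non-validated managed algorithm classes
                         can be used even when Windows FIPS policy is turned on
    """
    root = ET.fromstring(config_xml)
    elements = root.findall("./runtime/enforceFIPSPolicy")
    if not elements:
        return True
    # Be conservative: any element that turns enforcement off is a finding.
    return all(e.get("enabled", "true").strip().lower() == "true" for e in elements)


def audit(config_xml: str) -> List[str]:
    """Return human-readable findings (empty list when nothing is wrong)."""
    findings = []
    if not fips_policy_enforced(config_xml):
        findings.append(
            'runtime/enforceFIPSPolicy enabled="false": '
            "the CLR will not honour the Windows FIPS policy for this application"
        )
    return findings


def harden(config_xml: str) -> str:
    """Return the config with enforceFIPSPolicy forced to enabled="true"."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        runtime = ET.SubElement(root, "runtime")
    for e in runtime.findall("enforceFIPSPolicy"):
        runtime.remove(e)
    ET.SubElement(runtime, "enforceFIPSPolicy", enabled="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "no findings")
    print(harden(WEAK_CONFIG))
```

Run it against a real `*.dll.config` or `web.config` by reading the file into `audit()`; a missing element is reported as compliant because the .NET default is to enforce, so only an explicit `enabled="false"` is flagged. Note that flipping the switch to true does not by itself make an application FIPS-compliant: code that relies on non-validated managed algorithm classes will start throwing on FIPS-enabled hosts, which is precisely the failure the false setting hides.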
DHS says this was the most secure election ever. Of course, nothing says secure like a service account running with DB admin permissions plus execute permission on dynamic SQL: whoever controls the input to that dynamic SQL inherits the admin rights. Never mind the DLL indexing on dbm_TimeSerieLegacyDDL.
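The combination called out above, dynamic SQL executed under a highly privileged database account, is shown in this added example (not SolarWinds or Dominion code). It uses an in-memory SQLite database with constructed `nodes` and `credentials` tables; the table names, rows and attacker inputs are all hypothetical. SQLite has no logins, so the "DB admin" context is simulated by handing the dynamic statement to a batch executor that accepts stacked statements, which is what execute rights on dynamic SQL under a db_owner-level account amount to.

```python
"""Dynamic SQL built from input versus a parameterised query.

Added example; this is not SolarWinds or Dominion code. Tables, rows and the
attacker inputs below are constructed for illustration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE nodes (node_id INTEGER PRIMARY KEY, caption TEXT, ip TEXT);
        CREATE TABLE credentials (name TEXT, secret TEXT);
        INSERT INTO nodes VALUES (1, 'core-sw1', '10.0.0.1');
        INSERT INTO nodes VALUES (2, 'edge-fw1', '10.0.0.2');
        INSERT INTO credentials VALUES ('snmp-rw', 'constructed-community-string');
        """
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, caption: str) -> List[Tuple]:
    """Vulnerable: the statement text is assembled from the caller's input."""
    sql = "SELECT node_id, caption, ip FROM nodes WHERE caption = '" + caption + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, caption: str) -> List[Tuple]:
    """Hardened: the statement is fixed at write time; input is only ever data."""
    return conn.execute(
        "SELECT node_id, caption, ip FROM nodes WHERE caption = ?", (caption,)
    ).fetchall()


def run_dynamic_batch(conn: sqlite3.Connection, caption: str) -> None:
    """Worst case: dynamic SQL handed to a batch executor (think EXEC of a
    built string inside a stored procedure owned by a db_owner-level login).
    Stacked statements are accepted, so the input can carry DDL."""
    conn.executescript(
        "SELECT node_id FROM nodes WHERE caption = '" + caption + "';"
    )


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """True if a table with this name is still present."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# Constructed attacker inputs: the first reads a different table through the
# node lookup, the second destroys one, because the batch runs with the
# privileges of the executing account rather than of the caller.
UNION_PAYLOAD = "x' UNION SELECT 0, name, secret FROM credentials --"
DROP_PAYLOAD = "x'; DROP TABLE credentials; --"


if __name__ == "__main__":
    db = make_db()
    print("dynamic:       ", lookup_dynamic(db, UNION_PAYLOAD))
    print("parameterised: ", lookup_parameterised(db, UNION_PAYLOAD))
    run_dynamic_batch(db, DROP_PAYLOAD)
    print("credentials table still exists:", table_exists(db, "credentials"))
```

The parameterised lookup returns nothing for the crafted input because the whole string is compared as a caption value; the dynamic one returns the credentials row, and the batch variant drops the table outright. Note that `sqlite3.execute()` refuses stacked statements, which is why the destructive case needs `executescript()`; on SQL Server, `EXEC` of a built string has no such guard, so least privilege on the executing account is the only remaining control.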
The company, SolarWinds, uses the AntiXSS library to stop cross-site scripting, but this is a library from 2012 with plenty of known vulnerabilities:
Here they use the term APM (in Orion this is Application Performance Monitor, the product later renamed Server & Application Monitor). Admin URL: /Orion/APM/Admin.sitemap. An authorised white-hat test should check these admin endpoints on Dominion machines to be sure they aren't exposed.
In use is an old EntityFramework.dll, not updated in nearly 8 years, for which exploits are available:
Here we find an ActiveX control used to do a PING? ActiveX should not be running in a web browser at all, least of all on US government networks that are supposed to be highly secure:
The configuration used by the embedded SUNBURST backdoor, found in SolarWinds.Orion.Core.BusinessLayer.dll.config:
To confirm, Dominion does use SolarWinds:
The embedded SolarWinds NetPerfMon web application (ASP.NET Web Forms) exposes functionality that the backdoor's operators have access to on the network. Basically, "keys to the kingdom": access to everything:
EO.WebEngine.dll, which has a remote debugger backdoor in it. The payload contains a series of DLLs in binary form, including an embedded D3D compiler that makes RPC calls. (Remote Procedure Call, RPC, is a protocol that lets one program request a service from a program on another computer on the network without having to understand the network's details; a process on the remote system is invoked as if it were local.)
The WebEngine with its remote debugging backdoor, and a module function taking Chinese-language input as an argument:
More and more, this looks like a rootkit (NSA?), malicious software that is extremely difficult to spot and very hard to remove. One of the most dangerous pieces of malware with rootkit components was Stuxnet, which targeted Iranian nuclear facilities, is widely attributed to the USA and Israel, and which its creators then lost control of.
As a side note, SolarWinds is owned by the private-equity firm Thoma Bravo, co-founded by Puerto Rican billionaire Orlando Bravo, who contributed over $100k to Clinton in 2016.
The other owner of SolarWinds is Silver Lake Partners (SLP). SLP co-founder Glenn Hutchins is a former advisor to Bill Clinton and currently sits on the board of the Obama Foundation.