
Newly Discovered 'Tomiris’ Backdoor Linked to SolarWinds Attack Malware


Kaspersky security researchers have unearthed a new backdoor likely designed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack. 

The new malware, dubbed Tomiris, was first identified in June 2021 from samples dating back to February, a month before the “sophisticated second stage backdoor” Sunshuttle was spotted by FireEye and linked to Nobelium. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual. 

"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects,” Kaspersky researchers stated. 

Moscow-headquartered firm Kaspersky identified Tomiris while examining a series of DNS hijacking attacks mounted against multiple government organizations in a CIS member state between December 2020 and January 2021, which allowed the threat actors to redirect traffic from government mail servers to devices under their control.

Victims were redirected to spoofed webmail login pages that harvested their email credentials and, in some cases, tricked them into installing a supposed software update that instead downloaded the Tomiris backdoor.

“During these times, the authoritative DNS servers for the above zones were switched to attacker-controlled resolvers. Most of these hijackings were relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We don’t know how the threat author was able to achieve this, but we assume that he somehow obtained credentials from the Registrar’s control panel used by the victims,” researchers added. 
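The hijack described above worked by swapping a zone's authoritative nameservers for attacker-controlled ones for a short period. A defender who keeps an allowlist of expected nameservers and periodically snapshots each zone's NS records can catch exactly that. The following is an added example (not code from Kaspersky's report); the zone names, nameserver names and snapshot timestamps are constructed, and a real monitor would populate the snapshots by querying the parent zone's NS records rather than from an inline list.

```python
"""
Offline check for authoritative-nameserver (NS) delegation changes.

Added example, not code from the original report. Zone names, nameserver
names and timestamps are constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed allowlist: the delegation each zone is supposed to have.
EXPECTED_NS = {
    "mail.example-gov.test": {"ns1.example-gov.test", "ns2.example-gov.test"},
    "portal.example-gov.test": {"ns1.example-gov.test", "ns2.example-gov.test"},
}

# Constructed NS snapshots: (timestamp, zone, nameservers observed at that time).
SNAPSHOTS = [
    ("2020-12-10T00:00Z", "mail.example-gov.test", {"ns1.example-gov.test", "ns2.example-gov.test"}),
    ("2020-12-11T00:00Z", "mail.example-gov.test", {"ns1.example-gov.test", "ns2.example-gov.test"}),
    ("2020-12-12T00:00Z", "mail.example-gov.test", {"ns.rogue-resolver.test"}),
    ("2020-12-13T00:00Z", "mail.example-gov.test", {"ns1.example-gov.test", "ns2.example-gov.test"}),
    ("2020-12-10T00:00Z", "portal.example-gov.test", {"ns1.example-gov.test", "ns2.example-gov.test"}),
]


@dataclass(frozen=True)
class Alert:
    zone: str
    timestamp: str
    unexpected: tuple  # nameservers seen that are not on the allowlist
    missing: tuple     # allowlisted nameservers that disappeared


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.lower().rstrip(".")


def check_delegation(expected, snapshots):
    """Return one Alert per snapshot whose NS set deviates from the allowlist."""
    alerts = []
    for ts, zone, observed in snapshots:
        zone = _normalize(zone)
        allowed = {_normalize(n) for n in expected.get(zone, set())}
        seen = {_normalize(n) for n in observed}
        unexpected = seen - allowed
        missing = allowed - seen
        if unexpected or missing:
            alerts.append(Alert(zone, ts, tuple(sorted(unexpected)), tuple(sorted(missing))))
    return alerts


def hijack_windows(expected, snapshots):
    """Group deviating snapshots into (first_ts, last_ts) intervals per zone.

    Brief hijacks, like the ones the report describes, show up as short
    windows bracketed by snapshots where the delegation looked normal.
    """
    bad = {(a.zone, a.timestamp) for a in check_delegation(expected, snapshots)}
    by_zone = {}
    for ts, zone, _ in snapshots:
        by_zone.setdefault(_normalize(zone), []).append(ts)

    windows = {}
    for zone, stamps in by_zone.items():
        stamps.sort()  # ISO-8601 strings sort chronologically
        current = None
        for ts in stamps:
            if (zone, ts) in bad:
                current = (current[0], ts) if current else (ts, ts)
            elif current:
                windows.setdefault(zone, []).append(current)
                current = None
        if current:
            windows.setdefault(zone, []).append(current)
    return windows


if __name__ == "__main__":
    for alert in check_delegation(EXPECTED_NS, SNAPSHOTS):
        print(f"{alert.timestamp} {alert.zone}: unexpected={alert.unexpected} missing={alert.missing}")
    print(hijack_windows(EXPECTED_NS, SNAPSHOTS))
```

Snapshot frequency bounds what this can see: a hijack shorter than the polling interval falls between two clean snapshots, so the interval should be set with the "relatively brief" hijacks the report mentions in mind.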

Multiple similarities between Tomiris and Sunshuttle malware 

Researchers discovered multiple similarities between the Sunshuttle and Tomiris backdoors: both are written in Go, both persist through scheduled tasks, both use the same encoding scheme for C2 communications, and both use automated sleep delays to reduce network noise. On the same network as Tomiris they also spotted the Kazuar backdoor, a .NET-based backdoor linked to the Turla group that shares multiple features with the Sunburst malware used in the SolarWinds attack.

In March 2021, Microsoft and FireEye described Sunshuttle as Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the compromised device and to exfiltrate files from the system to the server.

Even so, researchers have not established a conclusive link between the new backdoor and the Russia-backed Nobelium state hackers, given the possibility of a false-flag operation designed to mislead researchers.

The revelation comes days after Microsoft released the details of a passive and highly targeted implant dubbed ‘FoggyWeb’ that was employed by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (ADFS) servers.

Autodesk Disclosed it was Targeted in SolarWinds Hack


Autodesk has disclosed that it was also targeted by the Russian state hackers behind the large-scale SolarWinds Orion supply-chain assault, nearly nine months after finding that one of its servers had been compromised with Sunburst malware. 

Autodesk is an American multinational software corporation that makes software products and services for the architecture, engineering, construction, manufacturing, media, education, and entertainment industries.

In a recent 10-Q SEC filing, Autodesk stated, "We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents." 

"While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations." 

While the company went on to say that there was no further damage to its systems, the disclosure of the breach in its most recent quarterly results serves as a reminder of how widespread the SolarWinds supply chain breach was.

An Autodesk spokesperson told BleepingComputer that the attackers did not deploy any malware beyond the Sunburst backdoor, likely because Autodesk was not selected for second-stage exploitation or because the threat actors did not act quickly enough before they were detected.

The spokesperson stated, "Autodesk identified a compromised SolarWinds server on December 13. Soon after, the server was isolated, logs were collected for forensic analysis, and the software patch was applied. Autodesk’s Security team has concluded their investigation and observed no malicious activity beyond the initial software installation." 

One of 18,000 tech firms targeted in a large-scale cyber attack

SolarWinds' infrastructure was breached in a supply-chain attack conducted by the hacking division of Russia's Foreign Intelligence Service (also tracked as APT29, The Dukes, or Cozy Bear).

After obtaining access to the company's internal systems, the attackers trojanized the Orion Software Platform source code and the builds issued between March 2020 and June 2020. These malicious builds were then used to deploy the Sunburst backdoor to around 18,000 customers, although the threat actors only selected a small number of them for second-stage exploitation.

Before the attack was revealed, SolarWinds stated that it had 300,000 customers globally, including over 425 US Fortune 500 firms and all top 10 US telecom corporations.

A long list of government agencies was also among the company's clients (the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States). 

The US Department of Justice was the most recent US federal agency to reveal that 27 US Attorneys' offices were compromised during last year's SolarWinds hacking spree.

Autodesk was not the only large corporation hit in the SolarWinds breach: Cisco, VMware, Intel, and Nvidia disclosed similar compromises in December.

Poisoned Installers Found in SolarWinds Hackers Toolkit


The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current wave of attacks linked to the APT29/Nobelium threat actor includes a custom downloader delivered as part of a "poisoned update installer" for electronic keys used by the Ukrainian government, according to a recent report from anti-malware firm SentinelOne.

Juan Andrés Guerrero-Saade, SentinelOne's principal threat researcher, detailed the latest discovery in a blog post that extends on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated. 

According to Guerrero-Saade, the most recent iteration of Nobelium-linked malware uses a convoluted multi-stage infection chain with five to six layers. This includes NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smart key used in government operations, which relies on 'stageless' DLL downloaders.

According to Guerrero-Saade's analysis of the campaign, the Cobalt Strike Beacon payload serves as an "early scout" that allows the targeted delivery of bespoke payloads directly into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.”

He added that, because SentinelOne lacks visibility into the installer's distribution channels, it will not call this a supply chain attack. The poisoned installer might be supplied directly to victims who rely on this regional solution; alternatively, the attackers may have found a way to disseminate their malicious 'update' by abusing an internal resource.

Background 

The Russia-linked threat group suspected of being behind the SolarWinds hack was seen initiating a new campaign. The attacks abused a legitimate bulk mailing service and impersonated a government entity, and they targeted the United States and other countries.

Microsoft tracks the threat actor as Nobelium, and incident response firm Volexity, which analyzed the recent attacks, noted similarities to APT29, a prominent cyber-espionage group previously linked to Russia.

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.

JetBrains – A possible Doorway to Massive Hacking Plot?


JetBrains, a software company based in the Czech Republic, could possibly have been used as a doorway by Russian hackers to gain access to US private-sector and federal government systems. American intelligence agencies and private cybersecurity researchers are investigating whether the company's software could have served as a pathway to inject malware that would then spread to several technology firms.

JetBrains, established in Prague, Czech Republic, has more than 1,200 employees, and its products are used across the globe by more than 300,000 companies and 9,000,000 developers, including 79 Fortune Global 100 companies and 95 Fortune 100 companies. JetBrains is widely recognized as a leading maker of software development tools.

Numerous leading companies such as Citibank, Google, Netflix, HP, Twitter, Volkswagen, Expedia, NASA, Valve, Ubisoft, VMware, The New York Times, and Hewlett-Packard are among its customers, and its tools are also used in developing software for Siemens, a leading supplier of technology for sensitive infrastructure such as nuclear and power plants.

Maxim Shafirov, the company’s chief executive officer, stated in a post: “We have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation. If such an investigation is undertaken, the authorities can count on our full cooperation.”

SolarWinds, headquartered in Austin, Texas, is one of JetBrains' primary customers. TeamCity, a JetBrains product, is a continuous integration and deployment system used for unit testing and code quality analysis. The threat actors are believed to have used the software as a weapon to gain access to the SolarWinds TeamCity server by exploiting high-severity vulnerabilities. However, JetBrains’ CEO denied all allegations of the company's involvement in the SolarWinds hack.

Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets


The Cybersecurity and Infrastructure Security Agency (CISA) reported that the perpetrators of the SolarWinds attack gained access to targets via common techniques such as password guessing, password spraying, and illicitly acquired administrative credentials obtained through external remote access services.

The hackers tampered with an update from the IT management company SolarWinds to gain unauthorized access to government systems. The perpetrators inserted malware into an update the company shipped to thousands of its clients, which then established a command-and-control channel to an external server. Microsoft stated that the hackers’ primary aim was to gain access to cloud-hosted infrastructure, which in many cases was hosted in the company’s Azure and Microsoft 365 environments.

The threat actors behind the SolarWinds hack gained access through password guessing [T1101.001] and password spraying [T1101.003], and did not rely consistently on the trojanized Orion application as their primary initial access vector.
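Password guessing and password spraying leave distinct shapes in authentication logs: guessing is many failures against one account from one source, spraying is a few failures each against many accounts from one source, so that no single account trips a lockout threshold. The detector below, an added example and not CISA's or SolarWinds' code, separates the two patterns from ordinary typos. The log format and every line in SAMPLE_LOG are constructed for the demonstration; the thresholds are assumptions a defender would tune to their own environment.

```python
"""
Detect password-spraying and password-guessing patterns in authentication logs.

Added example (not code from CISA or SolarWinds). The log line format, the
SAMPLE_LOG contents and the thresholds are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <success|failure> user=<name> src=<ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

SAMPLE_LOG = """\
2020-12-14T02:10:05Z auth failure user=alice src=203.0.113.7 method=vpn
2020-12-14T02:11:12Z auth failure user=bob src=203.0.113.7 method=vpn
2020-12-14T02:12:20Z auth failure user=carol src=203.0.113.7 method=vpn
2020-12-14T02:13:31Z auth failure user=dave src=203.0.113.7 method=vpn
2020-12-14T02:14:44Z auth failure user=erin src=203.0.113.7 method=vpn
2020-12-14T02:15:50Z auth failure user=frank src=203.0.113.7 method=vpn
2020-12-14T02:20:01Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:21:02Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:22:03Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:23:04Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:24:05Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:25:06Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:26:07Z auth failure user=admin src=198.51.100.9 method=owa
2020-12-14T02:30:10Z auth failure user=grace src=192.0.2.5 method=vpn
2020-12-14T02:30:40Z auth failure user=grace src=192.0.2.5 method=vpn
2020-12-14T02:31:05Z auth success user=grace src=192.0.2.5 method=vpn
"""

# Assumed thresholds; tune to the environment's baseline.
SPRAY_MIN_USERS = 5      # distinct accounts failed from one source in the window
SPRAY_MAX_PER_USER = 2   # a spray tries only a password or two per account
GUESS_MIN_FAILURES = 6   # many failures against a single account
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn log text into (timestamp, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"].lower(), m["src"]))
    return events


def detect(events):
    """Return (kind, src, accounts) findings, at most one per source address."""
    findings = []
    failures = sorted(e for e in events if e[1] == "failure")
    by_src = defaultdict(list)
    for ts, _, user, src in failures:
        by_src[src].append((ts, user))

    for src, attempts in by_src.items():
        # Slide a WINDOW-long window over this source's failures, oldest first.
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for t, u in attempts[i:]:
                if t - start <= WINDOW:
                    per_user[u] += 1
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                findings.append(("password_spray", src, sorted(per_user)))
                break
            if max(per_user.values()) >= GUESS_MIN_FAILURES:
                target = max(per_user, key=per_user.get)
                findings.append(("password_guessing", src, [target]))
                break
    return findings


if __name__ == "__main__":
    for kind, src, accounts in detect(parse(SAMPLE_LOG)):
        print(f"{kind}: src={src} accounts={accounts}")
```

The per-account lockout counters most identity systems already keep never fire on the spray in the sample, because each account fails only once; the signal only appears when failures are grouped by source rather than by account, which is the point of the detector.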

CISA has urged US government agencies to upgrade the SolarWinds Orion platform to the latest version, 2020.2.1HF2; agencies that cannot upgrade should take their Orion systems offline. The attackers modified several Orion versions to insert malware, using a strain called Sunburst (or Solorigate) to corrupt the Orion updates for versions 2019.4 through 2020.1, which were released between March 2020 and June 2020.

“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section), specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with the adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified” the agency stated.

The SolarWinds hack was first discovered by the US cybersecurity company FireEye, which on December 8th published a blog post revealing an attack on its own systems. The attack has impacted the highest authorities of the United States, including the Department of Homeland Security, the Department of Commerce, the US Treasury, and parts of the Pentagon. Based on several pieces of evidence, the hackers are believed to be from Russia, although Russia has consistently denied the allegations.