
SolarWinds: Supply Chain Attack

What’s Happened? 

A large and highly sophisticated supply chain attack, disclosed in the US in December 2020 and widely attributed to a nation-state adversary, used trojanized builds of the Orion IT management software from the US vendor SolarWinds to reach the US government, its agencies and a number of private companies. It has since become a global incident, as organisations around the world continue to analyse their exposure and the extent of any follow-on intrusion.

How did it Happen? 

This global intrusion campaign unfolded in the following stages: 

  • The attackers first compromised SolarWinds' own environment, specifically the build process that produces Orion releases, and inserted malicious code into a legitimate Orion library so that it was compiled and signed together with the genuine product. The Orion Platform is used by US federal agencies and many Fortune 500 companies to monitor the health of their IT networks. 
  • The trojanized component, named SUNBURST by FireEye, reached customers as a normal, digitally signed software update through SolarWinds' own update channel. It contains a backdoor that communicates with servers controlled by the attackers. 
  • After a customer installs the counterfeit update, the backdoor lies dormant for up to about two weeks, then resolves a Command and Control (C2) subdomain under avsvmcloud[.]com and disguises its traffic as legitimate Orion Improvement Program (OIP) telemetry. Up to roughly 18,000 customers downloaded the affected versions; the attackers then selected a far smaller set of high-value victims for hands-on follow-up. 
  • On selected victims the backdoor delivered TEARDROP, a memory-only dropper that loads a second-stage implant (a Cobalt Strike BEACON payload) used for interactive command execution. 
  • To keep their footprint low during lateral movement, the attackers temporarily replaced legitimate utilities with their own tools, following a delete-create-execute-delete-create pattern: remove the legitimate file, write the tool under the same name, run it, delete it, and restore the original. 
  • In victim networks where they had obtained administrative permissions, the attackers stole the AD FS token-signing certificate to forge trusted SAML tokens (the "Golden SAML" technique) and impersonate any of the organisation's existing users and accounts, and added their own credentials to existing Azure AD applications so they could make API calls with the permissions assigned to those applications. 
  • Hacked networks were seen communicating with avsvmcloud[.]com, a domain registered through GoDaddy and one of several domains the attackers had set up to control affected systems. 

Mitigation Strategy 

FireEye collaborated with GoDaddy and Microsoft to neutralise SUNBURST infections. Seizing the domain was part of a joint effort to stop networks that may have installed the compromised SolarWinds update from communicating with the attackers. 

Control of the domain was transferred to Microsoft and it was reconfigured to act as a "killswitch": SUNBURST checks the IP address returned when it resolves avsvmcloud[.]com, and if that address falls into certain ranges (private address space and a handful of public ranges, one of which Microsoft controls) the backdoor terminates itself and does not run again. The killswitch stops the SUNBURST beacon only; it does not remove the implant or any second-stage tools the attackers had already deployed, so affected organisations still had to investigate. 
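The killswitch logic described above, as an added illustration that is not SolarWinds, FireEye or Microsoft code. The private ranges and 20.140.0.0/15 were publicly reported as ranges that halt the backdoor; the exact table, the resolver answers and the documentation-space address used "before seizure" are assumptions made for this example, and no real DNS lookups are performed.

```python
import ipaddress

# Address ranges that, when returned for the C2 domain, make the backdoor
# stop.  The private ranges and 20.140.0.0/15 were publicly reported by
# FireEye; the list here is an assumption for this example, not the
# implant's complete table.
KILLSWITCH_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",        # RFC 1918: a lab, sandbox or internal sinkhole answer
    "172.16.0.0/12",
    "192.168.0.0/16",
    "224.0.0.0/3",       # multicast and reserved space
    "20.140.0.0/15",     # public range the seized domain was pointed into
)]

C2_DOMAIN = "avsvmcloud.com"   # string constant only; never resolved here


def is_killswitch_address(ip: str) -> bool:
    """True if a resolved address falls in a range that halts the backdoor."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KILLSWITCH_RANGES)


def implant_decision(resolved_ip: str) -> str:
    """What the backdoor does after resolving its C2 domain to resolved_ip."""
    return "terminate" if is_killswitch_address(resolved_ip) else "beacon"


# Constructed resolver tables standing in for real DNS answers so the
# example runs offline.  Before the seizure the attacker answered with an
# address outside the kill ranges (198.51.100.0/24 is documentation space,
# not a real C2); afterwards the domain resolved into 20.140.0.0/15.
RESOLVER_BEFORE_SEIZURE = {C2_DOMAIN: "198.51.100.23"}
RESOLVER_AFTER_SEIZURE = {C2_DOMAIN: "20.140.0.1"}


def simulate_checkin(resolver: dict) -> str:
    """Resolve the C2 domain against a resolver table and return the decision."""
    return implant_decision(resolver[C2_DOMAIN])


if __name__ == "__main__":
    print("before seizure:", simulate_checkin(RESOLVER_BEFORE_SEIZURE))  # beacon
    print("after seizure: ", simulate_checkin(RESOLVER_AFTER_SEIZURE))   # terminate
```

The same check explains why running SUNBURST in an isolated lab with an internal DNS server that answers from RFC 1918 space produces no beacon: the sample sees a kill range and exits, which is worth remembering when a detonation appears "clean".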

FireEye also noted that the attackers configured their C2 servers with hostnames matching those of the victim organisation, and those hostnames leak in the TLS certificates that RDP presents on the attacker servers. Searching internet-wide scan data for certificates that carry your own hostnames on address space you do not own can therefore uncover the malicious IP addresses masquerading as the organisation. 
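One way to run that hunt over scan output, as an added example that is not FireEye's or the page author's code. The scan records, the organisation's networks, domain suffix and hostname inventory are all constructed for the example and use documentation address ranges.

```python
import ipaddress

# Constructed sample of internet-wide scan output for port 3389 (not real
# scan data): one record per host, with the subject CN of the RDP TLS
# certificate it presented.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 3389, "cn": "srv-mon01.corp.example.com"},
    {"ip": "198.51.100.5", "port": 3389, "cn": "DC01.corp.example.com"},
    {"ip": "198.51.100.9", "port": 3389, "cn": "WIN-7K2QJ9A"},
    {"ip": "192.0.2.44",   "port": 3389, "cn": "srv-mon01"},
    {"ip": "192.0.2.45",   "port": 3389, "cn": "mail.othercorp.example"},
]

# What the organisation knows about itself (assumed for the example):
# its own address space, its AD domain suffix and host names from the CMDB.
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
OUR_DOMAIN_SUFFIX = ".corp.example.com"
OUR_HOSTNAMES = {"srv-mon01", "dc01", "fs02"}


def owned_address(ip: str) -> bool:
    """True if the address belongs to our own public or private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_NETWORKS)


def claims_our_identity(cn: str) -> bool:
    """Does this certificate name look like one of our machines?"""
    name = cn.lower()
    # Either a fully qualified name in our domain or a bare name we know.
    return name.endswith(OUR_DOMAIN_SUFFIX) or name in OUR_HOSTNAMES


def find_masquerading_hosts(records):
    """Return RDP hosts whose certificate carries one of our hostnames but
    which sit on address space we do not own: candidate attacker C2."""
    hits = []
    for rec in records:
        if rec["port"] != 3389:
            continue
        if claims_our_identity(rec["cn"]) and not owned_address(rec["ip"]):
            hits.append({"ip": rec["ip"], "cn": rec["cn"]})
    return hits


if __name__ == "__main__":
    for hit in find_masquerading_hosts(SCAN_RECORDS):
        print(f"{hit['ip']} presents RDP certificate for {hit['cn']}")
```

Match on your own specific names rather than on anything that looks Windows-like: generic CNs such as WIN-7K2QJ9A appear on countless unrelated hosts and would drown the result. The addresses returned are candidates to block at the egress and to search for in proxy, firewall and DNS logs.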

Examination of SMB logs reveals access to legitimate directories following a delete-create-execute-delete-create pattern within a short period of time, with file names that vary from one sequence to the next. 
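Detection logic for that pattern run over sample SMB activity, as an added example that is not from FireEye or the page author. The log line format, the hosts and the file names are constructed for the example; a real deployment would parse whatever the file server or EDR actually emits and tune the time window.

```python
import re
from datetime import datetime, timedelta

# Constructed SMB file-activity log (not real data).  The format is assumed
# for the example: ISO timestamp, source IP, target host, operation, path.
# 10.20.0.99 performs the delete-create-execute-delete-create sequence on two
# hosts with different file names; 10.20.0.12 performs the same operations
# but spread over hours, which is ordinary administration rather than
# temporary file replacement.
SMB_LOG = r"""
2020-12-15T09:58:10 src=10.20.0.7 dst=fs02 op=CREATE file=share\reports\q4.xlsx
2020-12-15T10:01:02 src=10.20.0.99 dst=srv-mon01 op=DELETE file=ADMIN$\Temp\inventory.exe
2020-12-15T10:01:05 src=10.20.0.99 dst=srv-mon01 op=CREATE file=ADMIN$\Temp\inventory.exe
2020-12-15T10:01:09 src=10.20.0.99 dst=srv-mon01 op=EXECUTE file=ADMIN$\Temp\inventory.exe
2020-12-15T10:01:40 src=10.20.0.99 dst=srv-mon01 op=DELETE file=ADMIN$\Temp\inventory.exe
2020-12-15T10:01:44 src=10.20.0.99 dst=srv-mon01 op=CREATE file=ADMIN$\Temp\inventory.exe
2020-12-15T10:12:30 src=10.20.0.99 dst=dc01 op=DELETE file=ADMIN$\Temp\netcheck.exe
2020-12-15T10:12:33 src=10.20.0.99 dst=dc01 op=CREATE file=ADMIN$\Temp\netcheck.exe
2020-12-15T10:12:36 src=10.20.0.99 dst=dc01 op=EXECUTE file=ADMIN$\Temp\netcheck.exe
2020-12-15T10:13:01 src=10.20.0.99 dst=dc01 op=DELETE file=ADMIN$\Temp\netcheck.exe
2020-12-15T10:13:04 src=10.20.0.99 dst=dc01 op=CREATE file=ADMIN$\Temp\netcheck.exe
2020-12-15T11:00:00 src=10.20.0.12 dst=fs02 op=DELETE file=share\tools\backup.exe
2020-12-15T11:05:00 src=10.20.0.12 dst=fs02 op=CREATE file=share\tools\backup.exe
2020-12-15T12:30:00 src=10.20.0.12 dst=fs02 op=EXECUTE file=share\tools\backup.exe
2020-12-15T16:00:00 src=10.20.0.12 dst=fs02 op=DELETE file=share\tools\backup.exe
2020-12-15T16:05:00 src=10.20.0.12 dst=fs02 op=CREATE file=share\tools\backup.exe
2020-12-15T14:30:00 src=10.20.0.7 dst=fs02 op=DELETE file=share\reports\q4.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) op=(?P<op>\S+) file=(?P<file>\S+)$"
)

# The operation sequence FireEye described for temporary file replacement.
PATTERN = ["DELETE", "CREATE", "EXECUTE", "DELETE", "CREATE"]


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["op"] = ev["op"].upper()
        events.append(ev)
    return events


def find_temp_replacement(events, window=timedelta(minutes=5)):
    """Return every delete-create-execute-delete-create run from one source
    to one host that completes within `window`, whatever file names it used."""
    by_pair = {}
    for ev in events:
        by_pair.setdefault((ev["src"], ev["dst"]), []).append(ev)

    hits = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        ops = [e["op"] for e in evs]
        for i in range(len(evs) - len(PATTERN) + 1):
            if ops[i:i + len(PATTERN)] != PATTERN:
                continue
            run = evs[i:i + len(PATTERN)]
            span = run[-1]["ts"] - run[0]["ts"]
            if span <= window:
                hits.append({
                    "src": src,
                    "dst": dst,
                    "start": run[0]["ts"],
                    "seconds": int(span.total_seconds()),
                    "files": sorted({e["file"] for e in run}),
                })
    return hits


if __name__ == "__main__":
    for hit in find_temp_replacement(parse_log(SMB_LOG)):
        print(f"{hit['src']} -> {hit['dst']} at {hit['start']}: "
              f"{hit['seconds']}s, files {hit['files']}")
```

Keying on the source and target pair rather than on the file name is deliberate: the page notes the attackers varied file names, so a rule that expects the same path throughout would miss variants. The window is the main tuning knob; the constructed data shows the same five operations spread over hours being ignored.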

SolarWinds issued a security advisory urging its customers to upgrade to Orion Platform version 2020.2.1 HF 1, and then released a second hotfix, 2020.2.1 HF 2, which replaces the compromised component and adds further security hardening. 

Recommendations 

  • Map your attack surface: organisations as large as Microsoft, Cisco and Intel are reported to have installed the trojanized update, so exposure through business partners should be assumed until checked. 
  • Limit what can leave the network edge, i.e. restrict DNS and proxy destinations, and move toward Zero Trust networking. 
  • Threat Intelligence team to conduct threat hunts across the whole corporate network and prioritise the unusual activities surfaced during volumetric analysis of events. 
  • Sensor Management team to create SIEM rules from the indicators and signatures published by FireEye, CISA and other public bodies, and alert on them, so that the attack surface is better managed. 
  • SOC to monitor for intrusions and log events continuously, with the Incident Response team investigating as required. 
  • Vulnerability Management team to keep an inventory of third-party and vendor software and patch it promptly, while recognising that a signed vendor update was itself the vector here: patching alone does not prevent a supply chain attack, so the behaviour of updated components on the network must be monitored as well. 
  • Security should be part of the vendor selection process, including how the vendor protects its own build and update pipeline. 
