
PRODAFT Accessed Servers of a SolarWinds Hacker


A Swiss cybersecurity firm says it has accessed servers used by a hacking group linked to the SolarWinds breach, uncovering details about whom the attackers targeted and how they ran their operation. The firm, PRODAFT, also said the hackers have continued their campaign through the month.
PRODAFT (Proactive Defense Against Future Threats) is a cybersecurity and cyber intelligence company that provides services to business clients and government institutions.

PRODAFT researchers said they were able to break into the hackers' infrastructure and audit evidence of an enormous campaign, running from August to March, that targeted thousands of organizations and government bodies across Europe and the U.S. The aim of the group, which the researchers named SilverFish, was to spy on victims and steal data, according to PRODAFT's report. SilverFish carried out an "extremely sophisticated" cyberattack on at least 4,720 targets, including government organizations, global IT providers, many banks in the U.S. and EU, major auditing firms, one of the world's leading Covid-19 test kit makers, and aviation and defense companies, the report says.

SilverFish focuses on network reconnaissance and data exfiltration and uses a variety of software and scripts for both initial access and post-exploitation. These include readily available tools such as Empire, Cobalt Strike and Mimikatz, as well as custom rootkits and PowerShell, BAT and HTA files. PRODAFT says SilverFish operators tend to follow a fixed pattern when enumerating a domain: running commands to list domain controllers and trusted domains, then displaying stored credentials and admin user accounts.

Scripts are then launched for post-exploitation reconnaissance and data theft. Compromised legitimate domains are sometimes used to redirect traffic to the C2. "The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says.

"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."
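The enumeration sequence PRODAFT describes (list domain controllers, list trusted domains, dump stored credentials, list admin accounts) is also the thing a defender can hunt for. The script below is an added example, not PRODAFT's code or anything from the report: it runs a small sliding-window rule over constructed process-creation events in the shape of Sysmon Event ID 1 / Windows 4688 records. The mapping of each step to a specific Windows command (nltest, cmdkey, vaultcmd, net group) is this example's assumption; the report does not name the commands. The design point is that any one of these commands is routine for an administrator, so the rule only fires when one user on one host covers several categories within a few minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 shape).
# Sample data for this example only; not SilverFish telemetry.
SAMPLE_EVENTS = [
    {"ts": "2021-03-10T09:00:00", "host": "ws01", "user": r"corp\jdoe",
     "cmd": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n'},
    {"ts": "2021-03-10T09:02:10", "host": "ws01", "user": r"corp\jdoe", "cmd": "nltest /dclist:corp"},
    {"ts": "2021-03-10T09:02:15", "host": "ws01", "user": r"corp\jdoe", "cmd": "nltest /domain_trusts /all_trusts"},
    {"ts": "2021-03-10T09:03:02", "host": "ws01", "user": r"corp\jdoe", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2021-03-10T09:04:40", "host": "ws01", "user": r"corp\jdoe", "cmd": "cmdkey /list"},
    {"ts": "2021-03-10T09:05:00", "host": "ws03", "user": r"corp\admin1", "cmd": "ipconfig /all"},
    # An admin on srv02 runs two of the same commands hours apart: the window keeps this quiet.
    {"ts": "2021-03-10T08:15:00", "host": "srv02", "user": r"corp\admin1", "cmd": "nltest /dclist:corp"},
    {"ts": "2021-03-10T16:40:00", "host": "srv02", "user": r"corp\admin1", "cmd": "cmdkey /list"},
]

# Each rule maps one reconnaissance step from the report to a Windows command that
# performs it. The commands themselves are an assumption made for this example.
RULES = [
    ("domain_controllers", re.compile(r"\bnltest(\.exe)?\b.*?/dclist", re.I)),
    ("trusted_domains",    re.compile(r"\bnltest(\.exe)?\b.*?/domain_trusts", re.I)),
    ("stored_credentials", re.compile(r"\b(cmdkey(\.exe)?\b.*?/list|vaultcmd(\.exe)?\b.*?/listcreds)", re.I)),
    ("admin_accounts",     re.compile(r'\bnet1?(\.exe)?\s+(group\s+"?domain admins"?|localgroup\s+administrators)', re.I)),
]


def classify(cmd: str):
    """Return the reconnaissance category a command line belongs to, or None."""
    for name, pattern in RULES:
        if pattern.search(cmd):
            return name
    return None


def detect(events, window_minutes: int = 10, min_categories: int = 3):
    """Alert when one user on one host covers at least min_categories distinct
    reconnaissance categories inside a sliding time window."""
    hits = defaultdict(list)
    for ev in events:
        cat = classify(ev["cmd"])
        if cat:
            hits[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), cat, ev["cmd"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort(key=lambda h: h[0])
        # Try every hit as a window start; stop at the first window that qualifies.
        for start, _, _ in seq:
            in_window = [h for h in seq if start <= h[0] <= start + window]
            cats = sorted({h[1] for h in in_window})
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host, "user": user,
                    "start": start.isoformat(),
                    "categories": cats,
                    "commands": [h[2] for h in in_window],
                })
                break  # one alert per host/user pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']} {a['user']} from {a['start']}: {', '.join(a['categories'])}")
        for c in a["commands"]:
            print("   ", c)
```

Run as written, only the ws01 session fires. Widen the window to a day and lower the threshold to two categories and the srv02 admin fires too, which is the trade-off to tune against your own baseline of administrative activity.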

Sunshuttle, the Latest Strain Allegedly Linked to SolarWinds Hackers


FireEye researchers have discovered a new strain of backdoor malware on the servers of an organization compromised by the SolarWinds hackers. The new strain, named 'Sunshuttle', was uploaded to a public malware repository by a U.S.-based entity in August 2020.

FireEye researchers Lindsay Smith, Jonathan Leathery and Ben Read believe this new strain is connected to the hackers behind the SolarWinds supply-chain attack. Sunshuttle is a second-stage backdoor written in Go that uses HTTP to communicate with its command-and-control server, both to exfiltrate data and to retrieve new code.

Hacking of cybercrime forums ‘Mazafaka and Exploit’

Unknown threat actors are targeting the popular Russian-language cybercrime forums Mazafaka and Exploit and are leaking the stolen data on the dark web. On Tuesday, the actors dumped thousands of usernames, email addresses and passwords apparently stolen from Mazafaka. They also leaked a 35-page PDF containing what is allegedly a private encryption key used by Maza administrators.

According to cyber intelligence firm Intel 471, "the file comprised more than 3,000 rows, containing the username, partially obfuscated password hashes, email addresses, and other contact details. Initial analysis of the leaked data pointed to its probable authenticity, as at least a portion of the leaked user records correlated with our own data holdings."

Antivirus Creator John McAfee charged with $13M cryptocurrency fraud 

John McAfee has been charged with securities fraud over a 'pump-and-dump' cryptocurrency scheme. Federal prosecutors unsealed a case against McAfee and his executive advisor and bodyguard Jimmy Gale Watson Jr., claiming the pair raked in more than $13 million from investors victimized by their fraudulent schemes.

In late 2017 and early 2018, McAfee urged his hundreds of thousands of Twitter followers to invest in a number of obscure cryptocurrencies. Prosecutors say he failed to disclose his own financial stake in those tokens and in some cases outright lied about it. 

“The defendants allegedly used McAfee’s Twitter account to publish messages to his hundreds of thousands of Twitter followers touting various cryptocurrencies through false and misleading statements to conceal their true, self-interested motives,” Manhattan US Attorney Audrey Strauss stated.

US Senate's Select Committee Raises Serious Concerns Regarding SolarWinds Attack


The US Senate's Select Committee on Intelligence has blamed Russia for the massive intelligence operation that infiltrated SolarWinds, a Texas-based software company, to steal data from several government agencies and nearly 100 companies. The threat actors exploited weaknesses in SolarWinds and Microsoft products to penetrate those companies and agencies.

Some key issues were raised during the committee's hearing:

• The threat actors' "dry run" before the real operation;
• The true motive behind the attack;
• The threat actors' use of Amazon Web Services infrastructure;
• Improving cyberthreat and intelligence information sharing.

Kevin Mandia, CEO of FireEye, described how the threat actors conducted a "dry run" in October 2019. He testified that "they put an innocuous build in to make sure that it made it to the [production] environment". He added that his company's engineers have spent more than 10,000 hours analyzing the source of the breach and tracing how the attackers reached the SolarWinds build server.
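The dry run Mandia describes succeeded because nobody was comparing what the build server emitted against anything independent. The check a practitioner would want is an artifact-level diff between the vendor build and a rebuild of the same tagged source: a planted change shows up as a hash mismatch whether or not it does anything harmful, so this catches the innocuous test build as well as the later weaponized one. The script below is an added example and not FireEye's or SolarWinds' code; it assumes the build is reproducible (byte-identical output from the same source), which many pipelines do not yet achieve, and it uses constructed file contents rather than real binaries.

```python
import hashlib
from typing import Dict

# Constructed contents standing in for artifacts from two builds of the same tag:
# one from the vendor's build server, one rebuilt independently from source.
# The bytes are invented for this example and are not real binaries.
OFFICIAL_BUILD: Dict[str, bytes] = {
    "bin/core.dll":   b"MZ\x90\x00core-v1.2.3" + b"\x00" * 16 + b"EXTRA-STUB",  # planted change
    "bin/plugin.dll": b"MZ\x90\x00plugin-v1.2.3",
    "bin/setup.exe":  b"MZ\x90\x00setup-v1.2.3",
}
REBUILT: Dict[str, bytes] = {
    "bin/core.dll":    b"MZ\x90\x00core-v1.2.3" + b"\x00" * 16,
    "bin/plugin.dll":  b"MZ\x90\x00plugin-v1.2.3",
    "bin/setup.exe":   b"MZ\x90\x00setup-v1.2.3",
    "bin/symbols.pdb": b"pdb-data",  # produced by the rebuild but never shipped
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact path to the SHA-256 of its contents."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def compare_manifests(official: Dict[str, str], rebuilt: Dict[str, str]) -> dict:
    """Diff two manifests. A shipped file whose hash differs from the rebuild, or a
    shipped file the rebuild never produced, means the release cannot be trusted.
    Files only present in the rebuild (symbols, intermediates) are reported but
    do not fail the check."""
    tampered = sorted(p for p in official if p in rebuilt and official[p] != rebuilt[p])
    only_official = sorted(p for p in official if p not in rebuilt)
    only_rebuilt = sorted(p for p in rebuilt if p not in official)
    return {
        "tampered": tampered,
        "only_official": only_official,
        "only_rebuilt": only_rebuilt,
        "clean": not tampered and not only_official,
    }


if __name__ == "__main__":
    result = compare_manifests(build_manifest(OFFICIAL_BUILD), build_manifest(REBUILT))
    status = "CLEAN" if result["clean"] else "MISMATCH"
    print(f"release check: {status}")
    for key in ("tampered", "only_official", "only_rebuilt"):
        for path in result[key]:
            print(f"  {key}: {path}")
```

In practice the rebuild runs on infrastructure the vendor's build server cannot reach, and the official manifest is the one published with the signed release, so an attacker who owns the build host cannot also adjust the reference.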

Several witnesses blamed a Russia-based hacking group for the breach. Microsoft President Brad Smith testified: "We've seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else."

Senator Marco Rubio, the vice chairman of the intelligence committee, said there is no conclusive evidence that the attack was more than a cyberespionage campaign, and that drawing broader conclusions at this point is not justified. "While I share the concern that an operation of this scale with a disruptive intent could have caused mass chaos, those are not the facts that are in front of us. Everything we have seen thus far indicates this was an intelligence operation – a rather successful one – that was ultimately disrupted."

Senators criticized Amazon Web Services for declining to testify, given that the company's infrastructure was used in the attack. Sen. Rubio stated: "We had extended an invitation to Amazon to participate. The operation we'll be discussing today uses their infrastructure, [and], at least in part, required it to be successful. Apparently, they were too busy to discuss that here with us today, and I hope they'll reconsider that in future."

Sen. Richard Burr said Amazon Web Services hosted most of the secondary command-and-control nodes used in the SolarWinds attack, which raises questions about how much Amazon and its executives have disclosed about what they know.

During the hearing, witnesses agreed with many of the committee members that cyberthreat and intelligence information sharing needs strengthening. Kevin Mandia, CEO of FireEye, said the 2015 Cybersecurity Information Sharing Act should be updated to make intelligence easier to share, to protect organizations that disclose breaches, and to speed up the gathering of initial intelligence. Anne Neuberger, Deputy National Security Adviser, said earlier this month that nine federal agencies and 100 private organizations were compromised as part of the attack.