Search This Blog

Showing posts with label SolarWinds Hack. Show all posts

Poisoned Installers Found in SolarWinds Hackers Toolkit

 

The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current session of attacks linked to the APT29/Nobelium threat actor contains a custom downloader that is part of a "poisoned update installer" for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne. 

Juan Andrés Guerrero-Saade, SentinelOne's principal threat researcher, detailed the latest discovery in a blog post that extends on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated. 

According to Guerrero-Saade, the most recent iteration of malware related to Nobelium uses a convoluted multi-stage infection chain with five to six layers. This involves the usage of NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless' downloaders. 

The Cobalt Strike Beacon payload, according to Guerrero-Saade's analysis of the campaign, serves as an "early scout" that allows for the targeted dissemination of unique payloads directly into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.” 

Furthermore, he added, because they don't have visibility into its distribution channels, they won't call it a supply chain attack. The poisoned installer might be supplied to victims who rely on this regional solution directly. Alternatively, the attackers may have found a way to disseminate their malicious ‘update' by abusing an internal resource. 

Background 

A Russia-linked threat group was suspected of being behind the SolarWinds hack seen initiating a new campaign. The attacks involved a genuine bulk mailing service and impersonation of a government entity, and they targeted the United States and other countries.

Microsoft tracked the threat actor as Nobelium, and incident response firm Volexity, which discovered some similarities to APT29, a prominent cyberspy outfit previously linked to Russia, evaluated the recent assault. 

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.

JetBrains – A possible Doorway to Massive Hacking Plot?

 

JetBrains a software company based in the Czech Republic could possibly be used as a doorway by Russian hackers to secure access to United States private sector systems and federal government systems. American intelligence agencies and private Cybersecurity researchers are investigating the position of a software company that could possibly be used as a pathway by Russian hackers to inject malware that would glide to several technology firms.

JetBrains a software company established in Prague, Czech Republic has more than 1,200 employees and the company’s products are widely used across the globe by more than 300,000 companies and 9,000,000 developers which include 79 Fortune Global 100 companies and 95 Fortune 100 companiesJetBrains is widely recognized as a leading instrument for developing software.

Numerous leading companies like Citibank, Google, Netflix, HP, Twitter, Volkswagen, Expedia, NASA, Valve, Ubisoft, VMware, The New York Times, and Hewlett-Packard are among its consumers and it also has a major say in developing the software for Siemens – a leading supplier of technology in a sensitive framework such as nuclear and power plants.

Maxim Shafirov, the company’s chief executive officer stated in a post that “we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation, if such an investigation is undertaken, the authorities can count on our full cooperation”.

SolarWinds, the company stationed in Austin, Texas is one of the primary consumers of JetBrains. TeamCity software is a product of JetBrains, it is a continuous integration and deployment system used for unit testing and code quality analysis. The software was utilized as a weapon by the threat actors to gain access to the SolarWinds TeamCity server by manipulating high severity vulnerabilities. However, JetBrains’ CEO denied all the allegations regarding the involvement of the company in the SolarWinds hack.

Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets

 

Cybersecurity and Infrastructure Security Agency (CISA) informed that perpetrators of SolarWinds attack obtained confidential information via common hacker techniques like password guessing, password spraying, and illicitly acquired administrative credentials attainable via external remote access services.

The hackers manipulated the IT management company SolarWinds update to secure unauthorized entrance to government systems. The perpetrators inserted malware into an update the company shared with thousands of its clients which then initiated a command and directed the channel to an external server. Microsoft stated that the hacker’s primary aim was to secure entrance to cloud hosted infrastructure, which at many instances was possessed by the company’s Azure and Microsoft 365 environments. 

The threat actors behind the SolarWinds hack gained access by password guessing [T1101.001], password spraying [T1101.003] and were not consistently counting on the trojanized Orion app as its primary access vector.

CISA has urged the United States government agencies to upgrade the SolarWinds Orion platform to the latest version 2020.2.1HF2 and the agencies that are not willing to upgrade the SolarWinds Orion platform should take their Orion systems offline. The attackers modified several Orion app versions to attach malware and used a malware strain called Sunburst (or Solorigate) to corrupt the Orion app updates, versions 2019.4 via 2020.1 which were released between March 2020 and June 2020.

“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section), specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with the adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified” the agency stated.

The SolarWinds hack was first discovered by the US Cybersecurity company FireEye on December 8th when the cybersecurity firm released a blog revealing an attack on its systems and the attack have impacted the highest authorities of United States which includes the Department of Homeland Security, Department of Commerce, US Treasury and parts of the Pentagon. The hackers were believed to be from Russia, based on several pieces of evidence, however, Russia constantly denies the allegations.