Live Updates: SolarWinds / Solorigate (SUNBURST) Supply-Chain Attack


A hacking group believed to be backed by Russia is reported to have targeted and breached the U.S. Departments of Treasury and Commerce. According to Reuters, the breach originated from a supply chain attack that leveraged Orion, the widely used network monitoring tool from SolarWinds, an IT company that supports several federal agencies and the U.S. military. Last week, cybersecurity company FireEye reported a similar attack carried out via the SolarWinds platform that led to the theft of its "red teaming" tools. A large number of organizations that use this software might be at risk. The actor behind the campaign is tracked by FireEye as UNC2452; the backdoor it planted in Orion is tracked under several names, including Solorigate (Microsoft) and SUNBURST (FireEye).

Cyware has created this resource to collect and share live alerts on this campaign, impacted organizations as reported in the media, indicators of compromise (IOCs), and other relevant threat intelligence. We are actively working to keep this page updated and accurate in order to ensure that it is timely and relevant to as many people as possible.

Solutions and Countermeasures


Advisories

Indicators of Compromise (IOCs)

Threat Response Workflow

Killswitch 

Network Auditing Tool

_______________________________________________________________________________________

(January 20, 2021)


Old-guard, ‘Cowboy IT’ caused the SolarWinds supply chain compromise

According to James Stanger, chief technology evangelist at CompTIA, most organizations continue to rely on traditional measures built around a firewall-first, signature-based, trusted-partner mindset. That mindset produces toxic IT environments in which IT and cybersecurity workers continually clean up after bad code, hastily implemented platforms, and poor business procedures.

Ref - SC Media

_______________________________________________________________________________________

(January 20, 2021)


Microsoft shares details on how hackers evaded detection in SolarWinds attack

Microsoft has shared details on how the SolarWinds hackers were able to remain undetected by hiding their malicious activity inside the networks of breached companies. The report shares new details regarding the Solorigate second-stage activation, including the steps and tools used to deploy custom Cobalt Strike loaders (Teardrop, Raindrop, and others) after dropping the Solorigate (Sunburst) DLL backdoor.


_______________________________________________________________________________________

(January 20, 2021)


More details regarding Solorigate second-stage activation revealed

Microsoft detailed the hands-on-keyboard techniques that attackers employed on compromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the loader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.

Ref - Microsoft

_______________________________________________________________________________________

(January 20, 2021)


Malwarebytes was targeted via Microsoft 365 API Calls

To reach Malwarebytes, the attackers did not go through the SolarWinds Orion network-management system; instead they abused applications that held privileged access to Microsoft Office 365 and Azure environments. On Dec. 15, the Microsoft Security Response Center flagged suspicious activity from a third-party email-security application used with Malwarebytes' Microsoft Office 365 hosted service.

Ref - Threatpost 

_______________________________________________________________________________________
 
(January 19, 2021)


SolarWinds attack has shown four separate paths to breach Microsoft 365 cloud

The perpetrators behind the SolarWinds supply-chain attack were observed using four separate techniques to bypass identity and access management protections: the Golden SAML attack, in which a stolen AD FS token-signing certificate is used to forge SAML tokens; adding a new attacker-controlled federated identity provider (IdP) that the tenant then trusts to issue tokens; compromising the credentials of highly privileged on-premises accounts that are synced to Microsoft 365; and adding rogue credentials to existing applications or service principals and exploiting the permissions legitimately assigned to them.

Ref - SC Media 
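The first two of these paths, tokens forged with a stolen AD FS signing key and a rogue federation trust, share a property a defender can test for: the cloud side records a federated sign-in that the legitimate AD FS farm never issued, or one that names an issuer the tenant should not trust. The Python below is an added example (not code from SC Media, FireEye or Microsoft) of that correlation. The record layouts, issuer URLs, the five-minute window and the sample events are constructed assumptions, not a real Azure AD sign-in or AD FS Security-log export format; the one fact relied on is that AD FS logs a successful token issuance as Security Event ID 1200 when auditing is enabled.

```python
"""Flag federated cloud sign-ins that the on-prem AD FS farm never issued (Golden SAML / rogue IdP).

Added example. Record layouts, issuer URLs and timestamps are constructed assumptions,
not a real Azure AD sign-in or AD FS Security-log export format.
"""
from datetime import datetime, timedelta

# Federation issuers the tenant is expected to trust (assumption for the example).
KNOWN_ISSUERS = {"http://sts.corp.example/adfs/services/trust"}

# Constructed AD FS Security-log events. Event ID 1200 = "The Federation Service issued a valid token"
# (only logged when AD FS auditing is enabled). 1202 = credential validated, no token issued.
ADFS_EVENTS = [
    {"event_id": 1200, "time": "2020-12-14T09:00:05Z", "upn": "alice@corp.example"},
    {"event_id": 1200, "time": "2020-12-14T09:30:10Z", "upn": "bob@corp.example"},
    {"event_id": 1202, "time": "2020-12-14T11:44:00Z", "upn": "bob@corp.example"},
]

# Constructed cloud-side sign-in records.
CLOUD_SIGNINS = [
    {"id": "s1", "time": "2020-12-14T09:00:07Z", "upn": "alice@corp.example",
     "issuer": "http://sts.corp.example/adfs/services/trust", "auth": "federated"},
    {"id": "s2", "time": "2020-12-14T11:45:00Z", "upn": "bob@corp.example",
     "issuer": "http://sts.corp.example/adfs/services/trust", "auth": "federated"},   # no 1200 behind it
    {"id": "s3", "time": "2020-12-14T12:00:00Z", "upn": "carol@corp.example",
     "issuer": "http://sts.intruder.example/adfs/services/trust", "auth": "federated"},  # issuer never onboarded
    {"id": "s4", "time": "2020-12-14T09:30:12Z", "upn": "bob@corp.example",
     "issuer": "http://sts.corp.example/adfs/services/trust", "auth": "federated"},
    {"id": "s5", "time": "2020-12-14T13:00:00Z", "upn": "dave@corp.example",
     "issuer": "https://login.microsoftonline.com", "auth": "cloud"},  # managed account, not federated
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_signins(signins, adfs_events, known_issuers=KNOWN_ISSUERS,
                            window=timedelta(minutes=5)):
    """Return [(signin_id, reasons)] for federated sign-ins that are not backed by an AD FS
    token issuance (Event 1200) for the same UPN within `window` before the sign-in, or whose
    issuer is not in `known_issuers` (a freshly added, attacker-controlled federation trust)."""
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["upn"].lower(), []).append(_parse(ev["time"]))

    findings = []
    for s in signins:
        if s.get("auth") != "federated":
            continue  # tokens minted by the cloud IdP itself are out of scope here
        reasons = []
        if s["issuer"] not in known_issuers:
            reasons.append("unknown-issuer")
        t = _parse(s["time"])
        backed = any(timedelta(0) <= t - it <= window
                     for it in issued.get(s["upn"].lower(), []))
        if not backed:
            reasons.append("no-adfs-issuance")
        if reasons:
            findings.append((s["id"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for signin_id, reasons in find_suspicious_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print(signin_id, ", ".join(reasons))
```

Two caveats a practitioner will hit immediately: AD FS auditing has to be switched on for Event ID 1200 to exist at all, and the correlation only works for as long as both logs are retained, which for many organizations is shorter than this campaign's dwell time. A gap is a lead, not proof of a forged token; clock skew and farm nodes whose logs were not collected produce the same gap.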

_______________________________________________________________________________________

(January 19, 2021)


SolarWinds hackers accessed internal emails of Malwarebytes 

Cybersecurity firm Malwarebytes confirmed that the threat actor behind the SolarWinds supply-chain attack was able to gain access to some company emails. The company did not find evidence of a compromise or unauthorized access to internal production or on-premises environments. The attackers exploited an Azure Active Directory weakness that allowed access to a limited subset of internal company emails.


_______________________________________________________________________________________

(January 19, 2021)


SolarWinds hackers used 7-Zip code to hide ‘Raindrop’

The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool, which researchers call Raindrop and which was used to spread across computers on the victim network. To hide its malicious functionality, the attackers compiled Raindrop as a DLL from a modified copy of the 7-Zip source code.


_______________________________________________________________________________________

(January 19, 2021)


SolarWinds attack showed a new dimension in cyber-espionage tactics

The SolarWinds attack signals a new normal for cyber espionage. The campaign illustrates how nation-state attackers go after real-time information and how hard it is for targeted organizations to detect them. With so much of the target environment now living in Office 365 and Azure AD, it adds a cloud dimension to nation-state hacking.


_______________________________________________________________________________________

(January 19, 2021)


Remediation and hardening strategies to defend against UNC2452

Recent research has disclosed the methodologies used by UNC2452 and other threat actors to move laterally from on-premises networks to the Microsoft 365 cloud. It also provides details about how organizations can proactively harden their environments and remediate environments where similar techniques have been observed.

Ref - FireEye

_______________________________________________________________________________________

(January 19, 2021)


Symantec researchers discover fourth malware strain used in SolarWinds attack

Researchers from cyber-security firm Symantec have identified another malware strain, dubbed Raindrop, that was used during the SolarWinds supply chain attack. The three previously identified tools are Sunspot, Sunburst (Solorigate), and Teardrop. Raindrop was used as a loader for the Cobalt Strike Beacon, which the intruders then used to escalate and broaden their access inside a compromised network.

Ref - ZDNet
 
_______________________________________________________________________________________

(January 19, 2021)


Tactics used by the SolarWinds hackers may be copied by other groups as well

After the SolarWinds attack, researchers are bracing for supply chain attacks to become more popular with other attackers, who will adapt these techniques because they go after what works. SAML token manipulation is a risk for virtually all cloud users, not just those on Azure, as was the case in the SolarWinds attack.

Ref - Wired 

_______________________________________________________________________________________

(January 18, 2021)


Planned supply chain attacks may have devastating effects

Well planned supply chain attacks can have a devastating real-world impact on a large number of organizations within the blast radius of the original compromise, like the case of the recent SolarWinds attacks. Detecting the SUNBURST backdoor implanted in SolarWinds Orion is difficult to accomplish with existing automated capabilities because the backdoor was delivered through a legitimate software update to a known monitoring and management tool. Many organizations do not keep access logs long enough to determine whether or not a successful compromise occurred.

Ref - Zscaler 

_______________________________________________________________________________________

(January 18, 2021)


Google Cloud: We do use some SolarWinds, but we weren't affected by mega hack

Google Cloud's first chief information security officer (CISO), Phil Venables, has said that Google's cloud business does use software from SolarWinds, but in a limited and contained manner. Besides security layers such as Titan chips in Google host machines and Shielded Virtual Machines, Google also verifies that software is built and signed in an approved, isolated build environment from properly checked-in code that has been reviewed and tested.

Ref - ZDNet 

_______________________________________________________________________________________

(January 18, 2021)


SolarWinds hack is quickly reshaping Congress’s cybersecurity agenda

In the wake of the discovery of the SolarWinds breach, the incoming Biden administration committed to making cybersecurity a top priority. The Biden team has announced a Rescue Plan that calls for around $10 billion in cybersecurity spending, including $690 million for CISA to improve security monitoring and incident response at the agency.

Ref - CSO Online 

_______________________________________________________________________________________

(January 18, 2021)


New updates in Infinity SOC can pinpoint the presence of Sunburst infection

Check Point has updated its Infinity SOC offering so that it can pinpoint Sunburst indicators of compromise across a client's network. According to Check Point, administrators can use the cloud-based platform to search for Sunburst indicators within network, cloud, and endpoint environments. The solution also provides event investigation tools to drill down into findings, validate them, and plan remediation steps.

Ref - Check Point

_______________________________________________________________________________________

(January 18, 2021)


Monetary Authority of Singapore (MAS) announces new rules for the financial sector after SolarWinds breach

All financial services and e-payment firms in Singapore must, from Jan 18, follow a new set of rules from the central bank intended to better mitigate technology risks, issued in the wake of a cyberattack that affected organizations around the world. MAS now requires financial institutions to assess the suppliers of their own technology vendors.


_______________________________________________________________________________________

(January 17, 2021)

Cyber threat intel analysis of SolarWinds' identified indicators of compromise

Owing to the scale of the SolarWinds breach, several cybersecurity organizations, principally FireEye, along with companies such as Open Source Context, released lists of indicators of compromise (IoCs). A majority of the domains among those IoCs, 14 out of 18, were first registered more than five years ago.

Ref - CircleID

_______________________________________________________________________________________

(January 15, 2021)


Some UW campuses could have been exploited in Solarwinds breach

The national cyberattack that targeted the SolarWinds network monitoring software could have affected some University of Wisconsin (UW) System campuses that use it. UW System officials won't say which campuses use SolarWinds or whether they were affected by the suspected Russian hack.

Ref - WPR

_______________________________________________________________________________________

(January 15, 2021)


Understanding third-party attacks after SolarWinds breach

The SolarWinds hack is just one example of a third-party, supply chain compromise. While the scale of the SolarWinds hack is certainly novel, third-party compromises are not. In addition, third-party compromises are just one of six common root causes of breaches; the others are phishing, malware, unencrypted data, software vulnerabilities, and inadvertent employee mistakes.


_______________________________________________________________________________________

(January 15, 2021)


SolarWinds Orion vulnerability - SonicWall product notification

SonicWall Capture Labs threat researchers have investigated the SolarWinds Orion vulnerability. They published four signatures that identify malicious activity against affected SolarWinds Orion versions, and two additional application notifications that detect if an organization has SolarWinds Orion deployed within its network. These signatures are applied automatically to SonicWall firewalls with active security subscriptions.

Ref - SonicWall 

_______________________________________________________________________________________

(January 15, 2021)


SolarWinds fallout making secure communications the first line of defense

After the SolarWinds breach, operational security measures for sensitive communications have become an imperative first line of defense. They help enterprises and government agencies defend themselves against further compromise and establish strong, resilient crisis response plans to prevent and mitigate future intrusions.

Ref - FCW

_______________________________________________________________________________________

(January 15, 2021)

SolarWinds close to figuring out how cyberattack occurred

Austin-based SolarWinds, the software company at the center of what is considered one of the most sophisticated cyberattacks in U.S. history, said it believes it is closer to understanding how the attack was carried out. The company has reverse-engineered the code used in the attack to better understand how it was deployed.

Ref - GT

_______________________________________________________________________________________

(January 15, 2021)


SUNBURST - No one saw it coming

The attack on SolarWinds, dubbed Sunburst, planted a Trojan in the SolarWinds Orion Platform, thereby compromising the networks of SolarWinds' customers. US-based organizations were the targets of nearly 80% of the attacks, though organizations in other countries, including Belgium, Canada, Israel, Mexico, Spain, and the UAE, were also affected. Organizations must now assume that more threat actors will try to replicate the success of the Sunburst attack.

Ref - NTT 

_______________________________________________________________________________________

(January 15, 2021)


SolarWinds attack - What has been done right and what has gone wrong

The one "good" thing about SUNBURST is that it is written in .NET, which makes it relatively easy to decompile and see exactly what the attacker programmed. Some responses have worked, such as Microsoft taking control of the domain on which the whole attack depends (avsvmcloud.com).


_______________________________________________________________________________________

(January 14, 2021)


Dell product response to SolarWinds

Dell has disclosed that the SolarWinds attack does not impact its products. In wake of the recent SolarWinds attacks, Dell has revealed that it does not embed or deliver the SolarWinds Orion software within any of its Dell or Dell EMC products.

Ref - Dell 

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds SUNSPOT malware - Threat advisory

The developers of SUNSPOT were careful to ensure that the code was inserted correctly and remained undetected. Once running on the build system, SUNSPOT spawns a thread that monitors running processes to determine whether the Orion software is being built and, if so, hijacks the build to inject SUNBURST.

Ref - Cyber Florida  

_______________________________________________________________________________________

(January 14, 2021)


The SolarWinds attack poses a challenge for contractors

The SolarWinds incident could just as easily have occurred with a construction management company or general contractor using the construction industry’s various project management software programs. Such digital attacks can intercept sensitive information, divert funds, and hold hostage a company’s computer systems.


_______________________________________________________________________________________

(January 14, 2021)


Key lessons from SolarWinds attacks

The most important learning from the SolarWinds attack is that all computer systems are vulnerable to hacking. The second important learning is that security is not just about technology, but also about governance, policies, processes, and people. Thirdly, security should be baked into the software development life cycle and not be bolted on after the fact.

Ref - Forbes

_______________________________________________________________________________________

(January 14, 2021)


Analyzing SolarWinds exposure with Cisco Endpoint Security Analytics

While digging out of the SolarWinds mess, Cisco researchers were able to connect local Windows processes to domains reported in the IOC lists. Cisco Endpoint Security Analytics (CESA) lets users associate which endpoint accessed which domain, and which software processes and protocols were used.

Ref - Cisco

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds hack forces reckoning with supply-chain security

After working in recent weeks to assess their exposure to the attack on the software provider, businesses have turned to probing their other vendors’ security, re-evaluating vetting processes for partners, and even pausing updates to applications. The fallout from the SolarWinds hack is pressuring firms to more aggressively review their technology.

Ref - WSJ

_______________________________________________________________________________________

(January 14, 2021)


SolarWinds breach could cost cyber insurance firms around $90 million

Cyber insurance vendors are expected to spend $90 million on incident response and forensic services for clients who were compromised by the SolarWinds hackers. Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses.

Ref - CRN

_______________________________________________________________________________________

(January 14, 2021)


How to avoid SolarWinds type attacks

The Linux Foundation has provided some suggestions on how to avoid SolarWinds type attacks. It includes hardening software build environments, moving towards verified reproducible builds, changing tools & interfaces so unintentional vulnerabilities are less likely, educating developers, using vulnerability detection tools when developing software, improving widely-used OSS, implementing OpenChain, and others.

Ref - ZDNet
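Why the Linux Foundation leads with build hardening and reproducible builds follows from how SUNSPOT worked (see the January 14 SUNSPOT advisory above): it swapped a source file only for the duration of the compile, so hashing the checked-out tree before and after the build shows nothing. What does show it is a second, independent build of the same commit, whose output should be byte-identical. The Python below is an added example (not Linux Foundation or SolarWinds code) of that comparison; the "compiler" is a stand-in that concatenates source files deterministically, and the file names and payloads are constructed for the example.

```python
"""Reproducible-build comparison as a control against build-time source hijacking (SUNSPOT-style).

Added example. `build` is a stand-in compiler (it concatenates *.cs files deterministically);
file names and contents are constructed for the example.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root; sorted so the map itself is deterministic."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_builds(out_a: Path, out_b: Path) -> Dict[str, tuple]:
    """Artifacts whose digests differ between two builders, or that exist on only one side."""
    da, db = tree_digest(out_a), tree_digest(out_b)
    return {p: (da.get(p), db.get(p)) for p in sorted(set(da) | set(db)) if da.get(p) != db.get(p)}


def build(src: Path, out: Path, hijack: Optional[Dict[str, bytes]] = None) -> Path:
    """Stand-in compiler. `hijack` mimics SUNSPOT: the named source files are replaced for the
    duration of the compile and restored afterwards, so the tree on disk looks untouched later."""
    originals = {}
    try:
        for name, backdoored in (hijack or {}).items():
            originals[name] = (src / name).read_bytes()
            (src / name).write_bytes(backdoored)
        artifact = b"".join(p.read_bytes() for p in sorted(src.glob("*.cs")))
        out.mkdir(parents=True, exist_ok=True)
        (out / "app.bin").write_bytes(artifact)
    finally:
        for name, data in originals.items():
            (src / name).write_bytes(data)
    return out / "app.bin"


def demo() -> Dict[str, bool]:
    """Two clean builders agree; a builder whose compile was hijacked does not, even though the
    source tree hashes identically before and after that build."""
    work = Path(tempfile.mkdtemp(prefix="repro-"))
    src = work / "src"
    src.mkdir()
    (src / "Program.cs").write_text("class Program { static void Main() { Poller.Run(); } }\n")
    (src / "Poller.cs").write_text("class Poller { public static void Run() { } }\n")

    before = tree_digest(src)
    build(src, work / "builder_a")
    build(src, work / "builder_b")
    build(src, work / "builder_c",
          hijack={"Poller.cs": b"class Poller { public static void Run() { Backdoor.Beacon(); } }\n"})
    after = tree_digest(src)

    return {
        "independent_rebuild_matches": compare_builds(work / "builder_a", work / "builder_b") == {},
        "hijacked_build_detected": "app.bin" in compare_builds(work / "builder_a", work / "builder_c"),
        "source_tree_looks_unchanged": before == after,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The comparison only has teeth if the second builder is genuinely independent: a different machine, no shared build agents or caches, ideally a different person's credentials. A rebuild on the compromised build server simply reproduces the tampered output. Diffing a real compiler's output also requires the toolchain itself to be reproducible (fixed timestamps, paths and ordering), which is the work the Linux Foundation's list is pointing at.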

_______________________________________________________________________________________

(January 14, 2021)


Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

According to Microsoft, Microsoft 365 Defender and Azure Defender deliver unified, intelligent, automated security across domains, giving end-to-end visibility into SolarWinds-style attacks. With that comprehensive visibility and rich investigation tools, the products can also help organizations continuously improve their security posture.

Ref - Microsoft

_______________________________________________________________________________________

(January 14, 2021)


FireEye not ready to ascribe SolarWinds hack to Russia

Cybersecurity firm FireEye said Tuesday that it has not seen enough evidence to attribute the ongoing SolarWinds Orion hack to Russian entities. FireEye is credited as the first to detect the intrusion in SolarWinds Orion, an IT management product, but it is not yet attributing the attack to Russia.

Ref - FCW

_______________________________________________________________________________________

(January 13, 2021)


SolarLeaks website offering files allegedly obtained from SolarWinds breach 

Someone has set up a website named SolarLeaks where they are offering to sell gigabytes of files allegedly obtained as a result of the recently disclosed SolarWinds breach. The SolarLeaks website offers source code allegedly obtained from Microsoft, Cisco, SolarWinds, and FireEye.


_______________________________________________________________________________________

(January 13, 2021)

More SolarWinds victims are expected

The number of federal agencies hit by the SolarWinds Orion breach will likely surpass the White House’s tally of 10, according to the director of the National Counterintelligence and Security Center. The number of organizations affected by the SolarWinds hack will likely rise as investigators continue to manage the fallout.

Ref - GCN

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds attackers could have targeted Mimecast pursuing multiple paths

The discovery of a data breach at email service provider Mimecast could indicate attackers behind the massive SolarWinds incident may have pursued multiple paths to infiltrate target organizations. However, Mimecast no longer uses the SolarWinds Orion network management software.


_______________________________________________________________________________________

(January 13, 2021)

Microsoft President: SolarWinds attack violated ‘norms and rules’ of government activities

In a pre-recorded keynote address during the digital CES 2021 conference, Microsoft President Brad Smith called on the world's governments to hold themselves to a higher standard in order to prevent supply chain attacks like the one on SolarWinds Orion. He added that the tech industry will need to work with both government and non-governmental agencies to address such critical cybersecurity issues.

Ref - CRN

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds hack followed years of warnings of weak cybersecurity

The Cyberspace Solarium Commission, which was created to develop strategies to thwart sizable cyber-attacks, had presented a set of recommendations to Congress in March that included additional safeguards to ensure more trusted supply chains. More than 75 of the highest priority recommendations were not fully addressed by the agencies.

Ref - Bloomberg

_______________________________________________________________________________________

(January 13, 2021)


SolarWinds risk assessment resources for Microsoft 365 and Azure

Several government and private organizations, including Microsoft, have released a wealth of information and tools for assessing the risk from SolarWinds-like attacks. These resources can help organizations prepare to respond appropriately to SolarWinds-related attacks.

Ref - CSO Online 

_______________________________________________________________________________________

(January 12, 2021)


SolarWinds claimed to have found the source of a massive cyberattack

Security software provider SolarWinds revealed that it has found the source of a highly sophisticated malicious code injection that it believes was used by the perpetrators of the recent cyberattack on the company and its clients, including federal government agencies. It was able to reverse engineer the code, allowing it to learn more about the tool that was developed and deployed into its build environment.


_______________________________________________________________________________________

(January 12, 2021)


SolarWinds attack - Involvement of Mimecast customers further escalate the risks

The Mimecast hackers used tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp. This new revelation by Mimecast potentially adds thousands of victims to the years-long intelligence operation, which was likely aimed at gaining access to email systems.


_______________________________________________________________________________________

(January 12, 2021)


New findings in SolarWinds attack fills out the timeline of Russia-linked campaign

Based on a continuing investigation, SolarWinds Corp. has said that the Russia-linked hackers who accessed U.S. government systems and corporate networks via the SolarWinds Orion supply chain attack had been accessing its systems since early September 2019. A month later, the attackers pushed a version of the company's Orion Platform software that appears to have contained modifications designed to test their ability to insert malicious code into the product.


_______________________________________________________________________________________

(January 12, 2021)


Cisco’s response towards the SolarWinds Orion platform attack

Cisco has provided updates on its investigation, answers to common questions, available Indicators of Compromise (IOCs), and recommendations for its customers around the recent SolarWinds attacks. Cisco said it had identified Orion installations on a small number of Cisco assets.

Ref - Cisco 

_______________________________________________________________________________________

(January 12, 2021)


SUNSPOT and new malware family associations

In its recent update, Rapid7 talks about two recent developments regarding the SolarWinds attacks. First is about CrowdStrike’s technical analysis of the "SUNSPOT" malware that was used to insert the SUNBURST backdoor into SolarWinds Orion software builds. Another is the technical analysis from researchers at Kaspersky about their discovery of feature overlap between the SUNBURST malware code and the Kazuar backdoor.

Ref - Rapid7

_______________________________________________________________________________________

(January 12, 2021)


The perpetrators spent months inside SolarWinds’ software

New research into the SolarWinds attack shows the perpetrators spent months inside the company’s software development labs, honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. And such insidious methods could be repurposed against many other major software providers as well.


_______________________________________________________________________________________

(January 12, 2021)


'SolarLeaks' website claims to sell data stolen in SolarWinds attacks

A website named 'SolarLeaks' is selling data they claim was stolen from companies confirmed to have been breached in the SolarWinds attack. The website hosted on the domain solarleaks[.]net claims to be selling the stolen data from Microsoft, Cisco, FireEye, and SolarWinds.


_______________________________________________________________________________________

(January 12, 2021)


Mimecast certificate was compromised by hackers for Microsoft authentication

Mimecast has disclosed that a sophisticated threat actor had compromised a Mimecast certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services.

Ref - CRN 

_______________________________________________________________________________________

(January 12, 2021)


New SolarWinds CEO sets out a recovery path to pull through the major attack

According to Sudhakar Ramakrishna, the new CEO of SolarWinds, the most crucial of the next steps will involve securing SolarWinds’ internal environment through deploying additional, robust threat protection and threat hunting software on its network, particularly across developer environments.

Ref - ARNnet 

_______________________________________________________________________________________

(January 12, 2021)


Kaspersky Lab reveals evidence on SolarWinds breach

Kaspersky Lab has said that the SolarWinds hackers may be connected to the Turla group, which is linked to Russia's FSB security service. Analyzing the backdoor secretly implanted in SolarWinds' Orion product, its researchers found several features that overlap with a previously identified Turla backdoor known as Kazuar.


_______________________________________________________________________________________

(January 12, 2021)


Third malware strain identified in SolarWinds breach

Cyber-security firm CrowdStrike said that it has identified a third malware strain directly involved in the recent SolarWinds hack. Named Sunspot, it adds to the previously discovered SUNBURST (Solorigate) and Teardrop malware strains. CrowdStrike believes SUNSPOT was the first tool deployed, since it was used to implant SUNBURST into the Orion build.

Ref - ZDNet

_______________________________________________________________________________________

(January 12, 2021)


FBI investigating Russian-linked postcard sent to FireEye CEO after uncovering SolarWinds incident

The FBI is investigating a mysterious postcard sent to the home of cybersecurity firm FireEye's chief executive. The postcard was sent just a few days after the company had found initial evidence of a suspected Russian hacking operation against dozens of U.S. government agencies and private American companies. U.S. officials familiar with the postcard are investigating whether it was sent by people associated with a Russian intelligence service, given its timing and content, possibly in an attempt to "troll" the company or push it off the trail by intimidating a senior executive.

Ref - Reuters

_______________________________________________________________________________________

(January 11, 2021)


More details revealed about the SUNBURST attack

SolarWinds says it has found a highly sophisticated and novel malicious code injection source that the perpetrators used to insert the SUNBURST malicious code into builds of its Orion Platform software. By routing the intrusion through multiple servers based in the US and mimicking legitimate network traffic, the attackers were able to circumvent the threat detection techniques employed by SolarWinds, other private companies, and the federal government.


_______________________________________________________________________________________

(January 11, 2021)


Indicators of Compromise for SUNBURST malware

Most of the SolarWinds-related IOCs published so far only indicate that a backdoored SolarWinds Orion update has been installed; they cannot show whether the backdoor was actually used by the attackers. The network-based events described by Netresec indicate that a client has been actively targeted and that the SUNBURST backdoor has progressed beyond its initial mode of operation. According to this research, Palo Alto Networks was also a targeted victim of the SUNBURST attack.

Ref - Netresec
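The distinction Netresec draws, installed versus actively worked, is visible in DNS alone: every backdoored Orion host resolves a generated subdomain of avsvmcloud.com, but only hosts the operators chose to pursue receive a CNAME answer steering them to second-stage infrastructure. Below is an added Python example (not Netresec's code) that triages resolver-log or passive-DNS records on that basis. The record tuple layout, host names, query labels and answer addresses are constructed for the example; only the apex domain and its appsync-api.<region> subdomain pattern come from public reporting on SUNBURST.

```python
"""Triage SUNBURST DNS beacons: which hosts merely carry the backdoor, and which were selected for stage 2.

Added example. Record layout and sample data are constructed; the apex domain avsvmcloud.com and
its appsync-api.<region> subdomain pattern are from public reporting on this campaign.
"""
from collections import OrderedDict

C2_APEX = "avsvmcloud.com"

# Constructed resolver-log records: (timestamp, source host, query name, answer type, answer data).
# The leftmost labels are placeholders for the backdoor's generated subdomains.
DNS_RECORDS = [
    ("2020-06-02T03:10:00Z", "orion-poller-01",
     "xconstructedlabel01.appsync-api.eu-west-1.avsvmcloud.com", "A", "10.0.0.1"),
    ("2020-06-02T04:10:00Z", "orion-poller-01",
     "xconstructedlabel02.appsync-api.eu-west-1.avsvmcloud.com", "A", "10.0.0.1"),
    ("2020-06-03T03:10:00Z", "orion-poller-02",
     "xconstructedlabel03.appsync-api.us-west-2.avsvmcloud.com", "A", "10.0.0.1"),
    ("2020-06-03T15:10:00Z", "orion-poller-02",
     "xconstructedlabel04.appsync-api.us-west-2.avsvmcloud.com", "CNAME", "stage2.constructed-c2.example"),
    ("2020-06-03T15:12:00Z", "orion-poller-02",
     "stage2.constructed-c2.example", "A", "203.0.113.7"),
    ("2020-06-03T16:00:00Z", "workstation-17", "www.example.com", "A", "93.184.216.34"),
]


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def is_beacon(qname: str) -> bool:
    """True for the apex C2 domain or any subdomain of it."""
    q = _norm(qname)
    return q == C2_APEX or q.endswith("." + C2_APEX)


def triage(records):
    """Return an ordered {host: summary} for every host that queried the SUNBURST C2 domain.

    stage "installed": beacons seen, all answers were plain A records (backdoored update present)
    stage "selected":  at least one CNAME answer, i.e. the operators pointed this host at stage-2 C2
    stage2_followup:   later lookups of the CNAME target, showing the host acted on the answer
    """
    hosts = OrderedDict()
    stage2_names = set()
    for ts, host, qname, rtype, rdata in records:
        if not is_beacon(qname):
            continue
        h = hosts.setdefault(host, {"first_seen": ts, "last_seen": ts, "beacons": 0,
                                    "stage": "installed", "stage2_hosts": set(),
                                    "stage2_followup": 0})
        h["beacons"] += 1
        h["first_seen"] = min(h["first_seen"], ts)   # ISO-8601 UTC strings sort chronologically
        h["last_seen"] = max(h["last_seen"], ts)
        if rtype.upper() == "CNAME":
            h["stage"] = "selected"
            h["stage2_hosts"].add(_norm(rdata))
            stage2_names.add(_norm(rdata))

    # Second pass: a host resolving the CNAME target afterwards confirms it moved to stage 2.
    for ts, host, qname, rtype, rdata in records:
        if _norm(qname) in stage2_names and host in hosts:
            hosts[host]["stage2_followup"] += 1
    return hosts


if __name__ == "__main__":
    for host, summary in triage(DNS_RECORDS).items():
        print(host, summary["stage"], summary["beacons"], sorted(summary["stage2_hosts"]))
```

Once the domain was taken over and turned into a killswitch in December 2020, queries land on the sinkhole rather than the operators, so the CNAME test only holds for historical resolver data. That is exactly why log retention decides whether an organization can answer the "were we selected" question at all.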

_______________________________________________________________________________________

(January 11, 2021)


SolarWinds attack one of the most sophisticated and complex attack in history

The new CEO of SolarWinds has described the recent attacks on SolarWinds as one of the most complex and sophisticated cyberattacks in history. SolarWinds, KPMG, and CrowdStrike were able to locate the malicious code injection source, and reverse-engineer it to learn more about the tool that was developed and deployed into SolarWinds’ build environment.

Ref - CRN 

_______________________________________________________________________________________

(January 11, 2021)


SolarWinds attack may cost as much as $100 billion

According to recent research, American businesses and government agencies may need to spend more than $100 billion over many months to contain and fix the damage from the Russian hack against the SolarWinds software used by so many Fortune 500 companies and U.S. government departments.

Ref - Rollcall 

_______________________________________________________________________________________

(January 11, 2021)


Stealthy code was used to launch the SolarWinds hacking attack

SolarWinds says that it has identified the malicious code that attackers used to manipulate its software and remain undetected for months. The code was designed to inject another piece of custom malicious software into Orion without arousing the suspicion of SolarWinds' software development and build teams.


_______________________________________________________________________________________

(January 11, 2021)


SolarWinds breach could be linked to Turla APT

New details disclosed about the Sunburst backdoor, which was used in the sprawling SolarWinds supply-chain attack, potentially link it to previously known activity by the Turla APT group. Researchers at Kaspersky have uncovered several code similarities between Sunburst and the Kazuar backdoor.


_______________________________________________________________________________________

(January 11, 2021)


SolarWinds supply chain attack is a lesson to learn

After all the recent discoveries made about the SolarWinds hack, it is already clear that the scope is extensive, and the full impact will likely prove to be devastating. Organizations should attempt to create a "cyber kill chain" for supply chain compromises, in order to prevent, disrupt, or at least quickly detect such incidents before weaponized software has the opportunity to cause damage.


_______________________________________________________________________________________

(January 11, 2021)


There could be more undisclosed federal victims of SolarWinds breach: CISA

Brandon Wales, CISA’s acting director, has said that the number of federal agencies breached in a suspected Russian espionage campaign will likely increase as the investigation continues. The number will nonetheless remain extremely small because of the highly targeted nature of this campaign, and that is expected to hold for both the government and private-sector entities compromised.


_______________________________________________________________________________________

(January 11, 2021)


New details emerged from an investigation of SUNBURST

Security experts are providing an update on the investigation thus far and an important development that could bring investigators closer to understanding how this serious attack was carried out. The experts believe that they have found a highly sophisticated and novel malicious code injection source the perpetrators used to insert the SUNBURST malicious code into builds of the Orion Platform software.


_______________________________________________________________________________________

(January 11, 2021)


The attacker behind the SolarWinds breach also targeted O365 accounts

The threat actors behind the SolarWinds attack appear to have also compromised Microsoft 365 and Azure Applications accounts. Once the threat actor has impersonated a privileged Azure AD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).

Ref - Duo

_______________________________________________________________________________________

(January 11, 2021)


SUNBURST backdoor shares features with Russian APT malware

Kaspersky researchers have found that the Sunburst backdoor shows some feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group. The group is the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.


_______________________________________________________________________________________

(January 11, 2021)


The SolarWinds hack is different from previous breaches

What sets the SolarWinds attack apart from previous incidents is its sheer scale. The company has over 300,000 customers worldwide, according to filings made to the U.S. Securities and Exchange Commission. Throughout 2020, SolarWinds sent out software updates to roughly 18,000 of them.


_______________________________________________________________________________________

(January 11, 2021)


Technical analysis of SUNSPOT malware

CrowdStrike is providing a technical analysis of a malicious tool (SUNSPOT) that was deployed into the build environment to inject this backdoor into the SolarWinds Orion platform without arousing the suspicion of the development team charged with delivering the product. SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.


_______________________________________________________________________________________

(January 8, 2021)


Chris Krebs and Alex Stamos team up against SolarWinds attacks

SolarWinds, which has been embroiled in a recent, wide-scale hack, has called in two security powerhouses for help: Former director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs, and former Facebook security executive Alex Stamos.

Ref - Threatpost

_______________________________________________________________________________________

(January 8, 2021)


Spotting post-compromise threat activity in Microsoft Cloud Environments

CISA released an alert, stating that it has observed an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations.

Ref - US-CERT

_______________________________________________________________________________________

(January 8, 2021)


The SolarWinds attacker used password guessing and password spraying attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has stated that the threat actor behind the SolarWinds hack also used password guessing and password spraying attacks to breach targets as part of its recent hacking campaign and didn't always rely on the trojanized updates as its initial access vector.

Ref - ZDNet

_______________________________________________________________________________________

(January 7, 2021)

US Judiciary adding safeguards and security procedures after SolarWinds hack

The Administrative Office of the U.S. Courts is investigating a potential compromise of the federal courts' case management and electronic case files system. The US Judiciary is also working on immediately adding extra safeguards and security procedures to protect the highly sensitive court documents (HSDs) filed with the courts, by having security audits related to vulnerabilities, and defining new rules for storing confidential documents.


_______________________________________________________________________________________

(January 7, 2021)


A 'Severity-Zero alert' led to the discovery of SolarWinds breach

FireEye's CEO shared some insight on the cyberattack on the security firm that was the first clue to a massive and wide-ranging attack campaign. He described how his company first recognized the serious attack it had suffered: a newly registered phone on a FireEye user account was the first indication of malicious activity.


_______________________________________________________________________________________

(January 7, 2021)


Sealed U.S. court records compromised in SolarWinds breach

Backdoored products by network software firm SolarWinds may have jeopardized the privacy of countless sealed court documents on file with the U.S. federal court system. An apparent compromise of the confidentiality of the Case Management/Electronic Case Files system, due to some discovered vulnerabilities, is currently under investigation.


_______________________________________________________________________________________

(January 6, 2021)


SolarWinds hackers had access to Microsoft O365 email server

The US Department of Justice confirmed that the Russian state-sponsored hackers behind the SolarWinds supply chain attack targeted its IT systems, and potentially accessed the O365 mailboxes of some of the users. The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.

Ref - ZDNet

_______________________________________________________________________________________

(January 5, 2020)


Concerns over Microsoft’s source code exposure in the SolarWinds attack

Microsoft revealed that its investigation of the SolarWinds breach had found no evidence of unauthorized access to its production services or customer data, but that effort did uncover another attack attempt. The tech giant has an “inner source approach” that makes source code viewable within Microsoft. Even so, such an attempt raises some important questions about the types of risks that Microsoft might still be facing as a result of this exposure.


_______________________________________________________________________________________

(January 5, 2020)


The U.S. now formally blames Russia for SolarWinds breach

Four US cyber-security agencies, including the FBI, CISA, ODNI, and the NSA, have released a joint statement today formally accusing the Russian government of orchestrating the SolarWinds supply chain attack. US officials said that an Advanced Persistent Threat (APT) actor, likely Russian in origin, was responsible for the SolarWinds hack.

Ref - ZDNet

_______________________________________________________________________________________

(January 5, 2021)


Critical infrastructure could join the list of potential targets 

Researchers have started to piece together a picture of the SolarWinds intrusion using the information found in the networks of U.S. agencies and companies. But there’s another potential group of victims who haven’t yet disclosed any attacks, in part because they may not yet know. That is America’s critical infrastructure, which includes everything from bridges and airports to the electrical grid and hydroelectric dams.

Ref - Bloomberg

_______________________________________________________________________________________

(January 5, 2021)


SolarWinds breach raises concerns over Windows updates

Recently, Microsoft announced that its Windows source code had been viewed by the SolarWinds attackers, raising concerns among Microsoft customers. The SolarWinds attack has raised serious questions about how safe companies (and government agencies) are when OS or software updates roll out.


_______________________________________________________________________________________

(January 4, 2021)


SolarWinds facing a class-action lawsuit for alleged securities violations

The first class-action lawsuit brought against SolarWinds following its breach accuses the company of making materially false and misleading statements about its security posture throughout 2020. The suit alleges that SolarWinds, its outgoing CEO, and its CFO made false and/or misleading statements in regulatory filings with the U.S. Securities and Exchange Commission in February, May, August, and November of 2020.

Ref - CRN

_______________________________________________________________________________________

(January 4, 2021)


SolarWinds confirms malware targeted crocked Orion product

The extent and impact of the SolarWinds hack have become even more apparent and terrifying over the holiday break. SolarWinds identified the malware that exploited the flaws introduced to Orion products. The SUPERNOVA malware was separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.


_______________________________________________________________________________________

(January 4, 2021)


SolarWinds hack - Microsoft’s software blueprints acquired but not altered

The latest results of an ongoing investigation by Microsoft revealed that the sophisticated attackers behind the SolarWinds cyber-espionage operation were able to use compromised accounts to access the blueprints of Microsoft’s software. Attackers were able to acquire the blueprints, but they could not alter them, Microsoft said.


_______________________________________________________________________________________

(January 4, 2021)


The SolarWinds attack could be worse than expected

The SolarWinds attack may prove to be even more damaging to U.S. national security and business prosperity. The latest reports reveal that Russians may even have accessed the crown jewels of Microsoft's software stack: Windows and Office. Though there were no explosions and no deaths, this incident was like the Pearl Harbor of American IT.

Ref - ZDNet

_______________________________________________________________________________________

(January 4, 2021)


SolarWinds hack - A global attack

Recent evidence suggests that a number of cyber-defense missteps may have helped the attackers in their efforts. Early warning sensors placed by Cyber Command and the National Security Agency (NSA) evidently failed, and the attackers were using US-based servers to prevent getting caught.

Ref - TechRadar 

_______________________________________________________________________________________

(January 4, 2021)


UNC2452 hacker continues to tickle security researchers

The attack methods used by the SolarWinds attackers suggest their deep knowledge and understanding of the entire SDLC of SolarWinds. It is possible that the attackers were monitoring the version control server to prepare any necessary changes based on legitimate updates. Or, possibly, they had compromised the build process itself (e.g. a build script) and, during the build, substituted the legitimate SolarWinds.Orion.Core.BusinessLayer.dll with the malicious version.

Ref - Medium

_______________________________________________________________________________________

(January 4, 2021)


How SolarWinds hackers used Supernova malware to target Orion products

The SolarWinds hackers had trojanised versions 2019.4 HF 5 through 2020.2.1 of the SolarWinds Orion platform, which were released between March and June 2020. These trojanised software updates were downloaded by as many as 18,000 private and public organizations. Hackers exploited the Sunburst backdoor and also used Supernova malware to target their victims.

Ref - TEISS 

_______________________________________________________________________________________

(January 4, 2021)


The massive Russian hack was waged inside the U.S.

Russian hackers staged their attacks from servers inside the U.S., sometimes using computers in the same town or city as the victims, according to cybersecurity company FireEye. The attack, attributed to Russia, began with the targeting of the software of IT contractor SolarWinds.

Ref - Axios

_______________________________________________________________________________________

(January 3, 2021)


SUPERNOVA forensic details by using Code Property Graph

The fallout of the SolarWinds compromise has resulted in the identification of several new malware families, each with different characteristics and behaviors. Recently, security experts described how a weaponized DLL was patched into the SolarWinds Software Development Life Cycle (SDLC) post infiltration. Further, the anti-evasion techniques employed by the APT actor behind this attack were also revealed.


_______________________________________________________________________________________

(January 3, 2021)


SolarWinds was warned in 2017 about the risk of 'catastrophic' breach

A cybersecurity adviser says he had warned SolarWinds of a potential 'catastrophic' hacking attack if the company didn't amp up internal security measures three years before Russians compromised their software. The firm's moving of some operations to Eastern Europe may have exposed it to the massive Russian hack.

Ref - Dailymail

_______________________________________________________________________________________

(January 2, 2021)


The growing danger of Russia-based hack attacks

It now appears that the SolarWinds breach is far broader than first believed. Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks. And all the “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed.


_______________________________________________________________________________________

(December 31, 2020)


Microsoft’s source code was accessed by SolarWinds hackers 

The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access. However, being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.

Ref - Reuters

_______________________________________________________________________________________

(December 31, 2020)


The SolarWinds attack is a wake-up call for the U.S.

The recent major SolarWinds hack compromised the Department of Homeland Security, the State Department, the US Treasury, and also impacted several IT giants including Microsoft, Cisco, VMware, FireEye, and many more. The huge investment made by the U.S. in technology, which is a key strength of the US economy, is also making it vulnerable to such attacks.

Ref - Forbes

_______________________________________________________________________________________

(December 30, 2020)


All U.S. federal agencies ordered to update the SolarWinds Orion platform

The CISA has ordered all US federal agencies to update the SolarWinds Orion platform to the latest version by the end of business hours on December 31, 2020. CISA's Supplemental Guidance to Emergency Directive 21-01 demands this from all agencies using Orion versions unaffected in the SolarWinds supply chain attack.


_______________________________________________________________________________________

(December 30, 2020)


The cyberattack on SolarWinds may have started earlier than current estimates

The vice-chairman of the Senate Intelligence Committee claims that the cyberattacks on U.S. government agencies reported in December may have begun earlier than previously believed. According to him, the initial burrowing may have started earlier, however, there is no evidence suggesting that classified government secrets were compromised.

Ref - The Hill

_______________________________________________________________________________________

(December 30, 2020)


It is too early to make attribution for SolarWinds attack

The recent expansive intrusion of the SolarWinds campaign affected over half a dozen U.S. government agencies. Several individuals and agencies, including members of the U.S. Congress, have publicly accused Russia. However, the lack of public evidence gives rise to claims that other actors, perhaps even other countries, may be responsible, a claim made by President Donald Trump as well.


_______________________________________________________________________________________

(December 30, 2020)


NSA validates the bug-free version of SolarWinds Orion Platform - CISA issues emergency directive

After the release of the latest version of SolarWinds Orion Platform version 2020.2.1HF2, the National Security Agency (NSA) has examined this latest version and verified that it eliminates the previously identified malicious code. CISA issued an emergency directive to help organizations mitigate the SolarWinds Orion code compromise.

Ref - DHS

_______________________________________________________________________________________

(December 29, 2020)


SolarWinds hackers were looking for victims' cloud data

According to Microsoft, the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks. After the initial widespread foothold, the attackers could pick and choose the specific organizations they want to continue operating within.


_______________________________________________________________________________________

(December 29, 2020)


Qualys researchers analyze over 7.54 million vulnerable instances related to FireEye Red Team tools

An analysis of the 7.54 million vulnerable instances indicated that about 99.84% (roughly 7.53 million) are from only eight vulnerabilities in Microsoft’s software. For all these eight vulnerabilities, including CVE-2020-1472 and CVE-2020-0688, Microsoft patches have been available for a while.

Ref - Qualys 

_______________________________________________________________________________________

(December 29, 2020)


UAE-based entities targeted in the SolarWinds breach

The National Cybersecurity Council has reported that UAE-based entities were targeted in the SolarWinds cyber-attack and that steps were taken to secure constituencies. In addition, the government body is also taking all precautions and procedures necessary to safeguard the UAE's digital infrastructure, stop cyber-attacks, and ensure quick recovery from such incidents.


_______________________________________________________________________________________

(December 29, 2020)


NETRESEC updates its tool to identify security products installed on Trojanized SolarWinds Orion deployments

NETRESEC’s free tool SunburstDomainDecoder (v1.7) can be used to identify the endpoint protection applications that are installed on trojanized SolarWinds Orion deployments. The security application info is extracted from DNS queries for "avsvmcloud[.]com" subdomains, a domain used by SUNBURST as a beacon and C2 channel.

Ref - Netresec 
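The detection idea behind this entry, as an added example written for this page and not Netresec's SunburstDomainDecoder: scan resolver logs for the avsvmcloud[.]com beacon domain named above and report which internal clients queried it, and how many distinct subdomain labels each one used. The log format, client addresses and subdomain labels are constructed for the example; the suffix matching on label boundaries is what keeps look-alike names such as notavsvmcloud.com from triggering.

```python
"""
Added example (defender-side, not Netresec's SunburstDomainDecoder): scan
DNS query logs for the SUNBURST beacon/C2 domain avsvmcloud[.]com and
report which internal clients looked it up. The log format, client
addresses and subdomain labels below are constructed for this example.
"""
import re
from collections import defaultdict

# Beacon domain from the page (written defanged there as avsvmcloud[.]com).
SUNBURST_DOMAIN = "avsvmcloud.com"

# Constructed sample lines in an assumed "key=value" resolver log format.
SAMPLE_DNS_LOG = """\
2020-12-14T03:12:01Z client=10.1.4.22 query=www.example.com type=A
2020-12-14T03:12:09Z client=10.1.4.22 query=constructedlabel01.api.region-a.avsvmcloud.com type=A
2020-12-14T03:15:44Z client=10.1.7.9 query=updates.example.org type=A
2020-12-14T03:16:02Z client=10.1.4.22 query=constructedlabel02.api.region-b.avsvmcloud.com type=A
2020-12-14T03:20:30Z client=10.1.9.3 query=notavsvmcloud.com type=A
2020-12-14T03:21:10Z client=10.1.9.3 query=AVSVMCLOUD.COM. type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so suffix matching is reliable."""
    return qname.rstrip(".").lower()


def is_sunburst_beacon(qname: str, domain: str = SUNBURST_DOMAIN) -> bool:
    """True only for the domain itself or a proper subdomain of it.

    A plain substring test would also flag look-alikes such as
    'notavsvmcloud.com', so match on label boundaries instead.
    """
    q = normalize_qname(qname)
    return q == domain or q.endswith("." + domain)


def find_beaconing_clients(log_text: str, domain: str = SUNBURST_DOMAIN) -> dict:
    """Map each client that queried the beacon domain to its distinct query names.

    Distinct labels matter: the page notes that SUNBURST encodes victim
    information in the subdomain, so several different labels from one
    client is the pattern an analyst wants surfaced.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        qname = normalize_qname(m.group("qname"))
        if not is_sunburst_beacon(qname, domain):
            continue
        client = m.group("client")
        if qname not in hits[client]:
            hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_beaconing_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} beacon query name(s)")
        for n in names:
            print(f"    {n}")
```

Run against a real export, the same function takes the resolver's own line format once LINE_RE is adjusted; the point is the boundary-aware suffix match and the per-client grouping, not the sample lines.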

_______________________________________________________________________________________

(December 28, 2020)


Microsoft shares information for partners on using Microsoft 365 Defender to protect against Solorigate

Microsoft has published a comprehensive guide to provide information to customers and partners about securing their environment and answering their questions related to the recent SolarWinds attacks. It also provides additional links and information for Microsoft partners.


_______________________________________________________________________________________

(December 28, 2020)


More supply chain attacks like SolarWinds expected in 2021

SolarWinds, Vietnam Government Certification Authority, Able Desktop, GoldenSpy and Wizvera VeraPort are some of the prominent supply chain attacks the world has observed in recent times. Now, almost all security researchers agree that more such supply-chain attacks will happen, especially attacks on the software development lifecycle, and that security teams need to sharpen their strategies.


_______________________________________________________________________________________

(December 28, 2020)


CISA's PowerShell-based tool Sparrow can detect malicious activities related to SolarWinds attack

SolarWinds threat actors were found actively using stolen credentials and access tokens to target Azure customers. CISA's Cloud Forensics team has prepared a malicious activity detection tool dubbed Sparrow, which can check for compromised Azure accounts. This tool can check the unified Azure/M365 audit log for known IoCs, provide a list of Azure AD domains, and also check for Azure service principals and their Microsoft Graph API permissions to discover potential malicious activity. 


_______________________________________________________________________________________

(December 28, 2020)


A different threat actor may have used Supernova malware, exploiting a new zero-day vulnerability

It has been discovered that the Supernova malware is designed to exploit a previously unknown vulnerability, tracked as CVE-2020-10148, which can allow a remote attacker to execute API commands. This zero-day flaw may have been used by a second (unrelated to the previous) threat actor to target the SolarWinds Orion platform.

Ref - SecurityWeek 

_______________________________________________________________________________________

(December 28, 2020)


Using ShiftLeft’s Code Property Graph to explore SolarWinds Sunburst backdoor

By reversing the binaries for Sunburst malware, several rough edges were discovered in the SolarWinds espionage operation. It has been revealed that the attacker employed FNV-1a (Fowler Noll Vo) + XOR class of hash algorithms to obfuscate all of the hardcoded literals in the codebase. A navigation workflow of the Sunburst malware has also been disclosed.
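The hashing scheme this entry describes, as an added example written for this page (not ShiftLeft's code and not the malware's): standard FNV-1a 64-bit over the literal's bytes, XORed with a fixed key, is what replaces each hardcoded string, and an analyst recovers the plaintext by hashing a wordlist of candidate strings and looking up the values pulled from the binary. XOR_KEY, the wordlist and the "hashes found in the sample" are constructed placeholders; the page does not give the real constant.

```python
"""
Added example (not ShiftLeft's code and not the malware's): the FNV-1a + XOR
hashing scheme the page says was used to obfuscate hardcoded string literals,
plus the dictionary-lookup approach an analyst uses to map a hash found in
the binary back to a plaintext candidate. XOR_KEY is a constructed
placeholder; the page does not give the real constant.
"""
from typing import Dict, Iterable, Optional

FNV64_OFFSET = 0xCBF29CE484222325   # standard FNV-1a 64-bit offset basis
FNV64_PRIME = 0x100000001B3         # standard FNV-1a 64-bit prime
MASK64 = (1 << 64) - 1
XOR_KEY = 0x0123456789ABCDEF        # constructed placeholder, not the real key


def fnv1a_64(data: bytes) -> int:
    """Plain FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def obfuscated_hash(literal: str, key: int = XOR_KEY) -> int:
    """The value a binary would carry in place of the plaintext literal."""
    return fnv1a_64(literal.encode("utf-8")) ^ key


def build_lookup(candidates: Iterable[str], key: int = XOR_KEY) -> Dict[int, str]:
    """Precompute hash -> plaintext for a wordlist worth checking.

    Because the hash changes with every spelling, each candidate is added in
    its original, lower-case and upper-case forms; any further normalisation
    the sample applies before hashing would have to be mirrored here too.
    """
    table: Dict[int, str] = {}
    for c in candidates:
        for variant in {c, c.lower(), c.upper()}:
            table[obfuscated_hash(variant, key)] = variant
    return table


def resolve_hashes(hashes: Iterable[int], lookup: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash pulled from a sample to a plaintext, or None if unknown."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed wordlist and constructed "hashes seen in the sample".
    wordlist = ["example-av-service", "Example-EDR-Agent", "example-scanner"]
    lookup = build_lookup(wordlist)
    seen = [obfuscated_hash("EXAMPLE-EDR-AGENT"), obfuscated_hash("example-scanner"), 0xDEADBEEF]
    for h, plain in resolve_hashes(seen, lookup).items():
        print(f"0x{h:016x} -> {plain if plain else '<unknown>'}")
```

The lookup only ever recovers strings that are already in the wordlist, which is why published analyses of this kind pair the hash routine with a curated list of the process and service names the sample is suspected of checking for.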


_______________________________________________________________________________________

(December 28, 2020)


NGSAST policy for Sunburst backdoor detection

A code repository has been put up on GitHub, which provides information about the building blocks of the NGSAST policy for Sunburst backdoor detection. These code snippets, published by ShiftLeft, can be used to detect Sunburst backdoor patterns.

Ref - GitHub

_______________________________________________________________________________________

(December 28, 2020)


Microsoft shares information on using Microsoft 365 Defender to protect against Solorigate

Microsoft has published a comprehensive guide for security operations and incident response teams. This guide provides details about using Microsoft 365 Defender to identify, investigate, and respond to the recent Solorigate attack targeting the SolarWinds Orion platform.

Ref - Microsoft 

_______________________________________________________________________________________

(December 26, 2020)


SolarWinds releases updated advisory for new SUPERNOVA malware

SolarWinds has released an updated advisory for the additional SuperNova malware discovered to have been distributed through the company's network management platform.


_______________________________________________________________________________________

(December 26, 2020)


SolarWinds breach highlights several corporate governance gaps

The SolarWinds breach poses several urgent cybersecurity challenges for CIOs and boards. It highlights that boards’ ability to monitor cyber risks is hampered by a lack of director expertise, outdated and incomplete committee charters, and highly diffused work responsibilities. Insufficient resources, weak oversight, and poor coordination make matters worse.

Ref - Forbes

_______________________________________________________________________________________

(December 26, 2020)


Security advisory to fix newly found remote command execution flaw in SolarWinds Orion platform

A security advisory has been released to fix a new vulnerability (CVE-2020-10148) that was probably targeted by a second hacker group to execute remote API commands on the targeted systems. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

Ref - CERT

_______________________________________________________________________________________

(December 25, 2020)


CrowdStrike releases a free Azure security tool after SolarWinds attack

CrowdStrike has released the free CrowdStrike Reporting Tool for Azure (CRT) to help administrators analyze their Microsoft Azure environment and see what privileges are assigned to third-party resellers and partners. The company was recently notified by Microsoft that during the SolarWinds attacks, threat actors had attempted to read the company's emails through compromised Microsoft Azure credentials.


_______________________________________________________________________________________

(December 25, 2020)


A deep forensics investigation of SolarWinds supply-chain attack

A deep forensics investigation regarding SolarWinds supply chain attack has revealed another set of new details. The attackers had breached the SolarWinds source code management system in October 2019, and since then they not only deeply learned and tampered with the source code of SolarWinds but also learned the topology of their networks and internal development domain names to minimize the risk of getting noticed by security teams.


_______________________________________________________________________________________

(December 25, 2020)


SolarWinds issues urgent security fix

SolarWinds has updated its flagship Orion software, 11 days after revealing a major breach. On 13 December, it disclosed that Orion had been compromised, and used by suspected Russian attackers as a means to penetrate US government networks and companies including Intel. It was later revealed that the product had also been compromised by malware from a suspected second perpetrator, adding a separate backdoor.

Ref - BBC

_______________________________________________________________________________________

(December 25, 2020)


Solorigate attack affected critical infrastructure, including the power industry

The recent SolarWinds hacking attack that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries that were also running the software.


_______________________________________________________________________________________

(December 25, 2020)


Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer

The attackers had not only managed to break back in (a common enough occurrence in the world of cyber incident response) but had sailed straight through to the client’s email system. They even managed to get past the recently refreshed password protections without any trouble. This indicates that the hackers were smart and sophisticated.

Ref - Reuters

_______________________________________________________________________________________

(December 24, 2020)


CISA’s tool can detect malicious activity in the Azure/M365 environment impacted by SolarWinds attack

CISA has created a free tool for detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment. The tool is intended for use by incident responders and is focused on the recent identity- and authentication-based attacks seen across multiple sectors. This tool comes after Microsoft disclosed that SolarWinds threat actors were actively using stolen credentials and access tokens to target Azure customers.

Ref - US-CERT

_______________________________________________________________________________________

(December 24, 2020)


No taxpayer data is compromised by the recent SolarWinds breach

The internal watchdog at the IRS said in a letter that there is no evidence suggesting taxpayer information was exposed as a result of hackers breaching the agency's network. The IRS is conducting additional forensic reviews and network log analysis to collect more information.

Ref - FCW

_______________________________________________________________________________________

(December 24, 2020)

SolarWinds SUNBURST Backdoor: Inside the stealthy APT campaign

On December 13, FireEye shared valuable details on the breach about how threat actors compromised SolarWinds Orion software update distribution mechanism to spread malicious code to organizations using the software.

Ref - Varonis

_______________________________________________________________________________________

(December 24, 2020)


Suspected Russian attackers used Microsoft vendors to target customers

The suspected Russian hackers behind the SolarWinds cyber-attack leveraged reseller access to Microsoft Corp services to penetrate targets that had no compromised network software from SolarWinds Corp. While updates to SolarWinds’ Orion software were previously the only known point of entry, security company CrowdStrike Holdings Inc. stated that the hackers had also won access to the vendor that sold it Office licenses and used that to try to read CrowdStrike’s email.

Ref - Reuters

_______________________________________________________________________________________

(December 24, 2020)


Microsoft alerted CrowdStrike to hackers' attempted break-in

During the course of investigating the SolarWinds breach, CrowdStrike says Microsoft uncovered an attempt by unidentified hackers to read emails linked with the company. The attackers tried to access emails; however, CrowdStrike said that it does not use Office 365 email as part of its secure IT architecture.


_______________________________________________________________________________________

(December 24, 2020)


Why does the SolarWinds hack matter so much?

Multiple networks have been penetrated in the recent SolarWinds breach, and now it is very expensive and difficult to secure all the systems. President Trump's former homeland security officer stated that it could be years before the networks are secure again. With access to government networks, hackers could even destroy or alter data, and impersonate legitimate people.


_______________________________________________________________________________________

(December 24, 2020)


SolarWinds attackers targeted local governments as well

CISA has disclosed that the SolarWinds hack not only affected key federal agencies, but it also targeted the computer systems used by state and local governments, critical infrastructure entities, and other private sector organizations. Other networking software may have been compromised.

Ref - NPR

_______________________________________________________________________________________

(December 24, 2020)


The massive data breach may have been discovered due to an 'unforced error' of attackers

Experts investigating the massive data breach related to SolarWinds said that the attackers were discovered possibly because they took more aggressive steps with calculated risk, months after their initial penetration. This led to a possible "unforced error" as they tried to expand their access within the network they had penetrated earlier without detection.

Ref - CNN

_______________________________________________________________________________________

(December 23, 2020)


Trustwave’s response to the FireEye data breach & SolarWinds Orion compromise

This blog post provides information about Trustwave’s response to the FireEye tools breach and the SolarWinds Orion platform compromise, as well as clarification that Trustwave does not use the affected versions of SolarWinds Orion.

Ref - Trustwave

_______________________________________________________________________________________

(December 23, 2020)

Understanding & detecting the SUPERNOVA Webshell trojan

The sophisticated nature of the SolarWinds compromise has resulted in a flurry of new malware families, each with different characteristics and behaviors.


_______________________________________________________________________________________

(December 23, 2020)


SolarWinds victims need to report data breaches - UK privacy watchdog

The U.K.'s Information Commissioner's Office (ICO) has warned victim organizations of the SolarWinds attack that they are required to report data breaches within three days of discovery. Organizations using the SolarWinds Orion IT management platform are asked to check whether they are running the malicious builds, i.e., versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. Affected organizations are required to inform the ICO within 72 hours of discovering the breach.


_______________________________________________________________________________________

(December 23, 2020)


The motive of the SolarWinds attack could go beyond espionage

Some experts suggest that the scope of the SolarWinds attack extended beyond typical cyber-espionage, as the attackers dispersed their malicious code widely, even to potential targets with no obvious intelligence value. The attack may extend to “key utilities” in the U.S., and the hackers may still be operating within breached networks, with the ability to conduct a more damaging attack, such as deleting data or shutting down systems.

Ref - Bloomberg 

_______________________________________________________________________________________

(December 23, 2020)

How to Detect and Search for SolarWinds IOCs in LogRhythm

LogRhythm Labs has gathered the indicators of compromise (IOCs) from CISA, Volexity, and FireEye associated with the recent SolarWinds supply chain attack and made them available in a GitHub repository.

Ref - LogRhythm

_______________________________________________________________________________________

(December 23, 2020)


US in talks with intelligence alliance partners for sharing intelligence and taking joint actions

White House National Security Adviser Robert O'Brien held a call with his counterparts in an international intelligence-sharing alliance to discuss the suspected Russian cyberattack on US government agencies. He also proposed a joint statement condemning the breach with the other members of the so-called Five Eyes alliance, which includes the US, UK, Canada, Australia, and New Zealand.

Ref - CNN 
 
_______________________________________________________________________________________

(December 23, 2020)


Five solution providers targeted with second-stage attacks

Five Solution Provider companies, namely Deloitte, Stratus Networks, Digital Sense, ITPS, and Netdecisions were specific targets of second-stage attacks during the SolarWinds attacks. Experts said that these companies should consider themselves compromised and conduct a full incident response investigation.

Ref - CRN 

_______________________________________________________________________________________

(December 23, 2020)


Millions of Devices Affected by Vulnerabilities Used in Stolen FireEye Tools

More than 7.5 million vulnerable instances have been identified that are exposed to the vulnerabilities associated with the stolen FireEye tools and compromised versions of the SolarWinds Orion product. These vulnerable devices include around 5.3 million unique assets, belonging to more than 15,000 customers.

Ref - SecurityWeek 

_______________________________________________________________________________________

(December 22, 2020)

An analysis of SolarWinds Orion supply-chain attack

Disconnecting or turning off affected Orion devices is the only known mitigation measure currently available. CISA advises affected agencies to forensically image system memory and/or host operating systems hosting all instances of affected SolarWinds Orion versions and to analyze stored network traffic for indicators of compromise (IoCs). 

Ref - Logpoint

_______________________________________________________________________________________

(December 22, 2020)

Sunburst detection and investigation with Trend Micro products

This article covers the Trend Micro product detection and protection patterns, rules, and filters that have been deployed to help organizations investigate and mitigate additional risk from threats associated with this campaign, and highlights Trend Micro technology that can assist in the investigation.


_______________________________________________________________________________________

(December 22, 2020)


The SolarWinds cyberattack: What SLTTs need to know

This cyber-attack is exceptionally complex and continues to evolve. The attackers randomized parts of their actions, making traditional identification steps such as scanning for known indicators of compromise (IOCs) of limited value.

Ref - CIS

_______________________________________________________________________________________

(December 22, 2020)

SolarWinds hack breaches Treasury Department’s top levels

The Russian hackers behind the attack broke into the email system used by top officials at the Treasury Department in July. The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve, and economic sanctions against adversaries.

Ref - NYTimes

_______________________________________________________________________________________

(December 22, 2020)


Analysis of the SUPERNOVA SolarWinds .NET Webshell

In the IOCs listed by FireEye as part of the investigation into the supply-chain compromise of SolarWinds, a .NET webshell named SUPERNOVA was identified. There was no supplemental analysis of its method of operation or of any behavioral indications that this webshell is present in an environment.


_______________________________________________________________________________________

(December 22, 2020)


SolarWinds victims discovered after breaking the Sunburst malware DGA

Security researchers have shared lists of organizations where threat actors deployed Sunburst/Solarigate malware. To build the list of victims infected with the Sunburst backdoor via the compromised update mechanism of the SolarWinds Orion IT management platform, the researchers decoded a dynamically generated part of the C2 subdomain for each of the compromised devices.


_______________________________________________________________________________________

(December 21, 2020)


SolarWinds incident is a wakeup call for federal cybersecurity

CIOs and CISOs have spent a long week trying to get a handle on the impact on their networks, systems, and data from the SolarWinds cyber attack. While the details of the cyber breach continue to emerge and the agencies impacted come to light, Congress and the incoming administration of President-elect Joe Biden are promising to make 2021 an even busier year for CIOs and CISOs.


_______________________________________________________________________________________


(December 21, 2020)


SolarWinds hack: Microsoft leverages threat intelligence to identify patterns and new indicators 

As part of its ongoing response to the SolarWinds attack, Microsoft has been leveraging threat intelligence and monitoring for new indicators that could signal attacker activity. Two categories of anomalies are detected: the first is anomalous SAML tokens being presented for access, and the second is unusual Microsoft 365 API access patterns in a tenant.

Ref - Microsoft

_______________________________________________________________________________________

(December 21, 2020)

Responding to the SolarWinds Software Compromise in Industrial Environments

Far fewer than the 18,000 organizations saw follow-on activity from the adversary; public data currently supports a number in the dozens, though the situation is evolving.

Ref - Dragos

_______________________________________________________________________________________

(December 21, 2020)

What We Have Learned So Far about the “Sunburst”/SolarWinds Hack

Based on SolarWinds’ data, 33,000 organizations use the Orion software, and 18,000 were directly impacted by this malicious update.

Ref - Fortinet

_______________________________________________________________________________________

(December 21, 2020)


List of organizations affected with Sunburst malware released online

Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform. The biggest names on this list include the likes of Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.

Ref - ZDNet

_______________________________________________________________________________________

(December 21, 2020)

Another SUPERNOVA backdoor discovered in SolarWinds cyberattack 

While analyzing the artifacts from the SolarWinds Orion supply-chain attack, security researchers discovered another backdoor. Named SUPERNOVA, the malware is a webshell planted in the code of the Orion network and application monitoring platform. This is likely the work of a second threat actor, and it enabled adversaries to run arbitrary code on machines running the trojanized version of the software.


_______________________________________________________________________________________

(December 21, 2020)


A second threat group exploited SolarWinds systems

Security researchers have discovered a second threat actor, dubbed CosmicGale (aka Supernova), that has exploited the SolarWinds software to plant malware on corporate and government networks. On infected networks, the Solorigate malware (the originally detected malware) would ping its creators and then download a second-stage backdoor trojan named Teardrop, which allowed attackers to start a hands-on-keyboard session, also known as a human-operated attack.

Ref - ZDNet

_______________________________________________________________________________________

(December 21, 2020)


Intel and Nvidia were targeted in the SolarWinds attack

Intel and Nvidia have joined the growing list of companies that have been swept up in the massive hacking campaign perpetrated through SolarWinds’ Orion network monitoring software. The Santa Clara, Calif.-based chipmakers said in separate statements that they are investigating the impact of having downloaded a SolarWinds Orion software update containing malicious code.

Ref - CRN

_______________________________________________________________________________________

(December 21, 2020)


Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example

The threat actors who created SUNBURST went to extraordinary lengths to hide Command-and-Control (C2) traffic by mimicking the nature of communication patterns used by legitimate software within the SolarWinds package.


_______________________________________________________________________________________

(December 21, 2020)


The SolarWinds attackers could have targeted federated authentication

An attacker-modified update to the SolarWinds Orion network management product is likely not the only way Russian attackers infiltrated networks. Specifically, US agencies are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens, consistent with this adversary's behavior, is present.


_______________________________________________________________________________________

(December 21, 2020)


The SolarWinds attack also affected a hospital and a university

It has been revealed that the suspected Russian hackers behind breaches at U.S. government agencies also gained access to major U.S. technology and accounting companies, at least one hospital, and a university. Along with access to tech companies, the attackers also had access to the California Department of State Hospitals and Kent State University.

Ref - WSJ

_______________________________________________________________________________________

(December 20, 2020)


Deloitte on the list of victims affected by the SolarWinds hack

It has been revealed that Deloitte, a British multinational professional services network, unwittingly downloaded software linked to a massive hack that targeted dozens of US government departments. The consulting firm installed SolarWinds Orion products, after which it was forced to take steps to protect itself from any risks.

Ref - Telegraph

_______________________________________________________________________________________

(December 20, 2020)


Around 50 firms are impacted by the SolarWinds massive breach

The cyber-security firm that identified the large-scale hacking of US government agencies says it genuinely impacted around 50 organizations. In addition, some 18,000 organizations had malicious code in their networks, out of which 50 suffered major breaches. The U.S. Secretary of State has blamed Russia for the hack.

Ref - BBC

_______________________________________________________________________________________

(December 19, 2020)

The SolarWinds cyberattack: The hack, the victims, and what we know

Since the SolarWinds supply chain attack was disclosed, there has been a whirlwind of news, technical details, and analysis released about the hack. Because the amount of information released in such a short time is overwhelming, the news outlet published a roundup of this week's SolarWinds news.


_______________________________________________________________________________________

(December 19, 2020)


Hackers conducted a test run of SolarWinds breach a year ago

Hackers who breached federal agency networks appear to have conducted a test run of their broad espionage campaign last year. The hackers distributed malicious files from the SolarWinds network in October 2019, five months before previously reported files were sent to victims through the company’s software-update servers.

Ref - Yahoo

_______________________________________________________________________________________

(December 19, 2020)


Russia is behind SolarWinds operation: US Secretary of State

US Secretary of State Mike Pompeo has blamed Russia for the recent attacks on U.S. federal agencies and private organizations in what is being described as the worst-ever cyber-espionage attack on the US government. He did not provide details about the alleged links to Moscow, and Russia has denied any involvement in the attack. 

Ref - BBC

_______________________________________________________________________________________

(December 19, 2020)


Sunburst malware used encoded DNS requests to talk to the C&C server 

In the initial phases of the recent SolarWinds hack, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer. If the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second-level C&C server.
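The two DNS observations above (encoded data carried in the queried subdomain, and a CNAME answer handing the host off to a second-level C2) can be turned into a retrospective check over resolver logs. The following is an added defender-side example, not code from the page or from any vendor named on it; the log format, the `*.example.test` names, the entropy and length thresholds and the "last two labels" domain comparison are all assumptions constructed for the demo, and no real SUNBURST indicator is reproduced.

```python
"""Flag DNS events matching the SUNBURST-style C2 pattern described above.

Added example (not from the page). Assumptions, all constructed for the demo:
  - log lines are "<ts> <client> <qname> <answer-rtype|NXDOMAIN> <answer|->"
  - a label of >= 15 chars with Shannon entropy >= 3.5 bits/char is treated as
    machine-generated (encoded host data); tune both per environment
  - registered domain = last two labels (no public-suffix list)
"""
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import List


@dataclass
class DnsEvent:
    ts: str
    client: str   # querying host
    qname: str    # queried name, lower-cased, no trailing dot
    rtype: str    # answer record type, or NXDOMAIN
    answer: str   # answer data, "-" when none


@dataclass
class Finding:
    client: str
    qname: str
    encoded_label: str
    tasked: bool = False           # True when a CNAME points to another domain
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> DnsEvent:
    """Parse one constructed log line (whitespace separated, five fields)."""
    ts, client, qname, rtype, answer = line.split()
    return DnsEvent(ts, client, qname.rstrip(".").lower(),
                    rtype.upper(), answer.rstrip(".").lower())


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; 0.0 for empty or one-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(label: str, min_len: int = 15, min_entropy: float = 3.5) -> bool:
    """Heuristic: long and high-entropy labels are where beacons hide encoded data."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def registered_domain(name: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(name.split(".")[-2:])


def find_suspects(lines: List[str]) -> List[Finding]:
    """Return one Finding per query whose leftmost label looks encoded.

    A CNAME answer that leaves the queried domain is the hand-off to a
    second-level C2 described in the text, so it escalates the finding."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        labels = ev.qname.split(".")
        if len(labels) < 3 or not looks_encoded(labels[0]):
            continue
        f = Finding(ev.client, ev.qname, labels[0],
                    reasons=["leftmost label looks like encoded host data"])
        if ev.rtype == "CNAME" and registered_domain(ev.answer) != registered_domain(ev.qname):
            f.tasked = True
            f.reasons.append("CNAME hands off to %s (possible second-level C2)"
                             % registered_domain(ev.answer))
        findings.append(f)
    return findings


# Constructed sample log: one plain lookup, one beacon answered NXDOMAIN (host
# not selected), one beacon answered with an off-domain CNAME (host selected),
# and two benign long labels that the entropy check must not flag.
SAMPLE_LOG = """\
2020-06-01T10:00:00Z 10.0.0.5 www.example.test A 203.0.113.10
2020-06-01T10:00:05Z 10.0.0.5 q3n8zt0vh2xk6yw1pb5r.api.example.test NXDOMAIN -
2020-06-01T10:00:09Z 10.0.0.7 m7d4fj9ca1ls8ue2gx0k.api.example.test CNAME stage2.relay-example.test
2020-06-01T10:00:12Z 10.0.0.9 cdn-assets-us-east-1.example.test A 203.0.113.11
2020-06-01T10:00:15Z 10.0.0.9 aaaaaaaaaaaaaaaaaaaa.example.test A 203.0.113.12
"""

if __name__ == "__main__":
    for f in find_suspects(SAMPLE_LOG.splitlines()):
        state = "TASKED" if f.tasked else "beacon"
        print(f"{state:6} {f.client} {f.qname}: {'; '.join(f.reasons)}")
```

A host whose beacons only ever receive NXDOMAIN still ran the backdoor; the CNAME case marks the hosts that warrant the deeper forensic review the later entries on this page describe.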


_______________________________________________________________________________________

(December 18, 2020)

Detecting SUNBURST Malware with Panther

Panther has published an addition to its open-source detections to actively track malware callbacks to the SUNBURST Indicators of Compromise (IoCs) identified by FireEye.

Ref - Panther

_______________________________________________________________________________________

(December 18, 2020)


Internal machines used by Cisco researchers were targeted in SolarWinds attack

Internal machines used by Cisco researchers were targeted via SolarWinds as the impact of the colossal hacking campaign on the tech sector becomes apparent. Roughly two dozen computers in a Cisco lab were compromised through malicious updates to SolarWinds’ Orion network monitoring platform. In this case, the perpetrators didn't just sneak in, but they broke in and covered their tracks by manipulating code, according to a cyber security expert familiar with the case.

Ref - CRN

_______________________________________________________________________________________

(December 18, 2020)

A telecom organization and a Fortune 500 company were breached in the SolarWinds attack

A large telecommunications organization, a Fortune 500 company, and multiple government agencies are among the recent breaches to emerge as a result of the SolarWinds supply chain hack. SolarWinds estimates that between March and June, roughly 18,000 user organizations downloaded updates of its Orion software that Russian APT actors allegedly corrupted with Sunburst backdoor malware.


_______________________________________________________________________________________

(December 18, 2020)

A VMware flaw could be a vector in the SolarWinds attack

The U.S. National Security Agency stated that Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors to access protected data and abuse federated authentication. VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3 and said it learned about the flaw from the NSA.


_______________________________________________________________________________________

(December 18, 2020)

Cozy Bear is suspected to be behind the SolarWinds breach

In the recent SolarWinds attacks, according to people familiar with the matter, the culprit is one of the most persistent and savvy hacking groups on the planet: the Russian government-backed APT29, also known as Cozy Bear. However, the U.S. government has not formally blamed any group for the SolarWinds breach.


_______________________________________________________________________________________

(December 18, 2020)


Sunburst’s C2 unveiled additional SolarWinds victims

Examining the backdoor’s DNS communications led researchers to identify two organizations, a government agency and a large U.S. telco, that were flagged for further exploitation in the spy campaign. Further exploitation by the threat actor UNC2452 involves installing more malware, installing persistence mechanisms, and exfiltrating data.


_______________________________________________________________________________________

(December 18, 2020)


A small number of UK organizations affected by SolarWinds hack

Suspected Russian hackers have compromised a small number of organizations in Britain after hijacking software updates issued by the U.S. IT firm SolarWinds Corp. Numbers in the UK are small and the organizations are not in the public sector, according to a UK security source.

Ref - Reuters

_______________________________________________________________________________________

(December 18, 2020)


SolarWinds hackers also breached a U.S. cable firm and a county government in Arizona 

Suspected Russian hackers accessed the systems of a U.S. internet provider and a county government in Arizona as part of a sprawling cyber-espionage campaign disclosed this week, according to an analysis of publicly-available web records.

Ref - Reuters

_______________________________________________________________________________________

(December 18, 2020)


SolarWinds attack is an act of recklessness - Microsoft president

Of the 18,000 organizations that downloaded a backdoored version of the software from SolarWinds, around 0.2 percent were targeted in a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two include tech companies, government agencies, and think tanks/NGOs. Of these 40 chosen targets, the vast majority (80 percent) were located in the US. This act of recklessness has created a serious technological vulnerability for the United States and the world.


_______________________________________________________________________________________

(December 18, 2020)

The massive hack should be considered an act of war: US lawmakers

Several lawmakers in the U.S. are raising questions about whether the recent attack on the federal government widely attributed to Russia constitutes an act of war. This attack may represent one of the biggest cyberattacks in U.S. history. Questions have been raised about the fact that the U.S. has no clear cyber warfare strategy.

Ref - The Hill

_______________________________________________________________________________________

(December 18, 2020)


FBI and CISA confirm the US government hacks

The compromise of multiple US federal networks following the SolarWinds breach was officially confirmed for the first time in a joint statement released earlier by the FBI, DHS-CISA, and the Office of the Director of National Intelligence (ODNI).


_______________________________________________________________________________________

(December 18, 2020)


Microsoft’s systems were vulnerable to SolarWinds hack

Microsoft Corp. said its systems were exposed to the malware used in the Russia-linked hack that targeted U.S. states and government agencies. Microsoft is also a customer of SolarWinds, and the company said that it found malicious code related to the cyber-attack in its own environment, which was isolated and removed. However, there was no evidence of access to production services or customer data.

Ref - Bloomberg

_______________________________________________________________________________________

(December 18, 2020)


More hacking attacks unearthed as officials alert the U.S. government 

Federal officials issued an urgent warning Thursday that the hackers, who were working for a foreign government and had penetrated deep into government systems, had used a wider variety of techniques in their cyber-offensive than previously known, and they warned that the hacking posed a grave risk to the federal government.

Ref - NYTimes

_______________________________________________________________________________________

(December 17, 2020)

Additional Analysis into the SUNBURST Backdoor

An interesting observation was the check for the presence of SolarWinds’ Improvement Client executable and its version “3.0.0.382”. The ImprovementClient is a program that can collect considerable information, such as the count of Orion user accounts by authentication method and data about the devices and applications monitored.

Ref - McAfee

_______________________________________________________________________________________

(December 17, 2020)

SolarWinds supply chain-type attacks demand global cybersecurity response

Brad Smith, the President of Microsoft, has provided some clarifications as well as recommendations regarding the recent attacks. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the need for sharing information and best practices and coordinating not just on cybersecurity protection but on defensive measures and responses.

Ref - Microsoft

_______________________________________________________________________________________

(December 17, 2020)

The US establishes 'Cyber Unified Coordination Group' to respond to SolarWinds attack

A joint statement yesterday from the US FBI, CISA, and ODNI says that the Government has invoked Presidential Policy Directive (PPD) 41 to establish a Cyber Unified Coordination Group to coordinate a whole-of-Government response to the Russian cyber operation that exploited SolarWinds' Orion platform.


_______________________________________________________________________________________

(December 17, 2020)


The SolarWinds hack targeted government agencies, critical infrastructure, and private sector organizations

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions.

Ref - US-CERT

_______________________________________________________________________________________

(December 17, 2020)


Attackers used unknown tactics to penetrate the U.S government networks

Federal investigators presented evidence of previously unknown tactics for penetrating government computer networks. Attackers first gained access to a think tank’s networks using multiple tools, backdoors, and malware implants, and exploited a vulnerability in Microsoft’s Exchange Control Panel software.


_______________________________________________________________________________________

(December 17, 2020)

SolarWinds SUNBURST backdoor assessment

The SolarWinds Orion Platform is the market leader among network monitoring platforms, with SolarWinds having over 275,000 customers in 190 countries and providing network monitoring for 400 of the Fortune 500, the US government, and other high-profile organizations.


_______________________________________________________________________________________

(December 17, 2020)


Nuclear weapons agency breached in SolarWinds attack

The Energy Department and National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, have evidence that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies. The hackers were able to access the networks belonging to a core part of the U.S. national security enterprise.

Ref - Politico

_______________________________________________________________________________________

(December 17, 2020)


Hackers behind the SolarWinds attack breached the US nuclear weapons agency

The hacking group behind the SolarWinds compromise also hacked the networks of the US nuclear weapons agency. Federal investigators have found evidence of hackers gaining access to US DOE and NNSA networks as part of the ongoing US government compromise campaign.


_______________________________________________________________________________________

(December 17, 2020)


The sophistication and scope of SolarWinds attack

The suspected Russian hack that compromised parts of the U.S. government was executed with a scope and sophistication that has surprised even veteran security experts and exposed a potentially critical vulnerability in America’s technology infrastructure. The operation is part of a broader, previously undetected cyber-espionage campaign that may stretch back years.

Ref - WSJ

_______________________________________________________________________________________

(December 17, 2020)


Microsoft confirmed that it was breached in SolarWinds supply chain attack

The state-sponsored hackers who breached US software provider SolarWinds earlier this year pivoted to Microsoft's internal network and then used Microsoft's own products to further the attacks against other companies. A US agency, CISA, had evidence of additional initial access vectors, other than the SolarWinds Orion platform.

Ref - ZDNet

_______________________________________________________________________________________

(December 17, 2020)


State-sponsored hackers breached a US think tank three times

A hacking group believed to be working for the Russian government compromised the internal network of a think tank in the U.S. three times. In the attacks, carried out between late 2019 and July 2020, the threat actor, named Dark Halo, quickly switched between different tactics and techniques to carry out long-term, stealthy operations.


_______________________________________________________________________________________

(December 17, 2020)


Microsoft identifies 40 more precise targets in 'ongoing' SolarWinds hack

Microsoft president warned that the wide-ranging hack of SolarWinds' Orion IT software is ongoing, and that investigation reveals an attack that is remarkable for its scope, sophistication, and impact. The breach targeted several US government agencies and is believed to have been carried out by Russian nation-state hackers.

Ref - The Verge

_______________________________________________________________________________________

(December 17, 2020)


Microsoft denies infecting others in SolarWinds hack

Microsoft has confirmed that it was hacked in the recent SolarWinds attacks but denied that its software was compromised in a supply-chain attack to infect customers. Earlier reports had claimed that Microsoft was not only compromised in the SolarWinds supply-chain attack but also had its software modified to distribute malicious files to its clients.


_______________________________________________________________________________________

(December 17, 2020)


SolarWinds is not alone in a suspected Russian hack

The massive hacking campaign disclosed by U.S. officials this week and tentatively attributed to the Russian government extended beyond users of pervasive network software that had been compromised. Another major technology supplier was also compromised by the same attack team and used to get into high-value final targets.

Ref - CNBC

_______________________________________________________________________________________

(December 17, 2020)


Key safeguards for IT supply chains were missing - US Watchdogs

According to the report by the U.S. Government Accountability Office, 14 out of the 23 surveyed federal agencies hadn’t implemented any of the foundational practices meant to protect their information and communications technology supply chains. The surveyed agencies also included Commerce, Treasury, and State, which were targeted in the recent hacks. 

Ref - Fortune

_______________________________________________________________________________________

(December 17, 2020)


Senators question IRS for SolarWinds hack

A bipartisan pair of senior senators have asked the Internal Revenue Service (IRS) to provide them with a briefing about the SolarWinds hack, suspecting that personal taxpayer information may have been stolen in the breach. They asked for details about how the IRS was mitigating potential damage and ensuring the hackers did not obtain access to internal IRS systems.


_______________________________________________________________________________________

(December 16, 2020)


More details on SolarWinds supply-chain attack

FireEye shared more details of its compromise and broke the news that it fell victim to a supply-chain attack involving the IT services company SolarWinds. The SolarWinds Orion software update had a backdoor (SUNBURST) injected into its code, which SolarWinds believes was included in updates released between March and June 2020.


_______________________________________________________________________________________

(December 16, 2020)


Hackers obtained 'God Access' during the SolarWinds hack

A former White House official has warned that the SolarWinds breach potentially gave hackers "God access" or a "God door" to computer systems using the Orion IT software. On a scale of one to 10, this attack has been assigned a score of 9 by the former White House chief information officer.

Ref - Newsweek 

_______________________________________________________________________________________

(December 16, 2020)


Tech firms have collaborated to create a kill switch for SolarWinds backdoor

Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself. The kill switch relies on the takeover of the avsvmcloud[.]com domain and unloads the Sunburst malware on infected machines.


_______________________________________________________________________________________

(December 16, 2020)

Hundreds of suspected victims of the SolarWinds breach identified

Security researchers are saying that they have made progress in decoding SUNBURST's obfuscated communications methods. Chinese cybersecurity firm RedDrip Team published its findings on GitHub, saying its decoder tool had identified nearly a hundred suspected victims of the SolarWinds/Orion breach, including universities, governments, and high tech companies.


_______________________________________________________________________________________

(December 16, 2020)


SolarWinds hack - one of the biggest hacks ever

According to researchers, this hack, named Sunburst, is one of the biggest cyber-attacks ever, and it could take years to fully comprehend it. Security teams across all affected organizations could spend months trying to identify which emails were read, which documents were stolen, or which passwords were compromised in the hack.

Ref - BBC

_______________________________________________________________________________________

(December 16, 2020)

Recommendations for monitoring SolarWinds supply chain attack with Sumo Logic Cloud SIEM

In this blog, Sumo Logic provides recommendations for its customers on how to use the available Indicators of Compromise (IOCs) within its Cloud SIEM offerings to determine their exposure to the attack.


_______________________________________________________________________________________

(December 16, 2020)


SolarWinds/Orion compromise – Immediate action recommended

Optiv has created this list of recommendations to help reduce exposure to the SolarWinds supply chain attack.

Ref - Optiv

_______________________________________________________________________________________

(December 16, 2020)


Why is SolarWinds hack keeping security experts awake at night?

According to CNN, the SolarWinds attacks are very concerning for several reasons. Firstly, besides the three high-profile federal agencies already compromised, there is a huge range of potential victims. Secondly, the attackers appear to have been extraordinarily skilled and determined. Thirdly, the hackers used an unusual and creative approach, disguising the initial attack within legitimate software updates issued by SolarWinds.

Ref - CNN 

_______________________________________________________________________________________

(December 16, 2020)


Hackers leveraged SolarWinds' dominance against it for their spy campaign

The Texas-based company SolarWinds provides some level of monitoring or management for almost every kind of database and IT deployment model in use. The hackers turned this dominance into a liability, and cybersecurity experts are still struggling to understand the scope of the damage.

Ref - Reuters

_______________________________________________________________________________________

(December 16, 2020)


A security expert reported misconfiguration in SolarWinds' software in 2019

A security researcher said he warned SolarWinds in 2019 that the IT company's update server could be accessed by using the password "solarwinds123". The revelation comes days after a massive hack of the Austin-based SolarWinds was made public, an attack that has since been confirmed to have infiltrated US government agencies. It is still unclear which clients specifically were affected by the hack.


_______________________________________________________________________________________

(December 16, 2020)


No other products were compromised in a recent hack according to SolarWinds

IT software company SolarWinds has said that no other products were identified to contain malicious code similar to the one found in the Orion platform. The company's disclaimer comes after it carried out an internal audit of all its applications after news broke about the Russian state-sponsored hackers breaching its internal network and inserting malware inside Orion, the network monitoring and inventory platform.

Ref - ZDNet

_______________________________________________________________________________________

(December 16, 2020)


U.S. Senators ask for details from FBI on SolarWinds supply chain attack

A bipartisan group of U.S. senators has requested a government-wide report into the "highly sophisticated" cyberattack on SolarWinds from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). 

Ref - Newsweek

_______________________________________________________________________________________

(December 16, 2020)


Microsoft announces plans to quarantine SolarWinds apps

Microsoft announced plans to start forcibly blocking and isolating versions of the SolarWinds Orion app that are known to have contained the Solorigate (SUNBURST) malware. Microsoft said that from December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running.

Ref - ZDNet

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds cyberattack leaves U.K. infrastructure exposed

It has been claimed that the cyber-attack on the U.S. technology company SolarWinds that has left U.K. infrastructure exposed, including the Home Office, National Health Service (NHS), and police forces, could take months to remove.

Ref - Newsweek 

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds hack may have a big impact on the D.C. contractors

In addition to high-profile federal agencies such as the Defense, Justice and State departments, and the Office of the President of the United States, SolarWinds also named prominent contractors such as Lockheed Martin Corp, General Dynamics Corp, and Booz Allen Hamilton Corp. among its customers. It is suspected that the scope of the intrusion is likely broader in comparison to the intrusion aimed at the Office of Personnel Management (OPM).


_______________________________________________________________________________________

(December 15, 2020)


A hacker named 'Fxmsp' sold access to SolarWinds machine

Years before a SolarWinds security breach that compromised the networks of multiple federal government agencies, a notorious hacker attempted to sell access to the company's computers on underground forums. The hacker, known as "fxmsp," was one of several individuals who attempted to sell access to SolarWinds machines in online forums during 2017.

Ref - Newsweek

_______________________________________________________________________________________

(December 15, 2020)


Microsoft, along with industry partners, seized a key domain used in the SolarWinds hack

Microsoft and a coalition of tech companies have intervened to seize and sinkhole a domain that played a central role in the SolarWinds hack. The domain (avsvmcloud[.]com) served as a command and control (C&C) server for malware delivered to around 18,000 SolarWinds customers via a trojanized update for the company's Orion app.
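Once a C2 domain has been sinkholed, the defender's question becomes which internal hosts ever looked it up. The following added example (not code from Cyware, Microsoft or ZDNet) triages DNS query logs for lookups of avsvmcloud[.]com or any of its subdomains; the log format and the sample lines are constructed for the example.

```python
"""Triage DNS query logs for lookups of the sinkholed SUNBURST C2 domain.

Added example; the log format is a constructed, simplified one:
"<ISO timestamp> <client-ip> <queried-name>", one query per line.
A lookup of avsvmcloud.com or any of its subdomains is flagged, since the
backdoor reached its command and control through that domain.
"""
from dataclasses import dataclass, field

# The page writes the domain defanged as avsvmcloud[.]com.
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample log. Labels under the C2 domain are placeholders.
SAMPLE_DNS_LOG = [
    "2020-12-10T08:15:02Z 10.0.0.5 abc123xyz.avsvmcloud.com",
    "2020-12-10T08:15:03Z 10.0.0.5 www.example.com",
    "2020-12-10T09:40:11Z 10.0.0.5 def456uvw.avsvmcloud.com.",
    "2020-12-10T09:41:00Z 10.0.0.9 avsvmcloud.com.example.net",
    "2020-12-10T09:42:00Z 10.0.0.9 notavsvmcloud.com",
    "2020-12-11T02:05:30Z 10.0.0.7 AVSVMCLOUD.COM",
    "malformed line",
]


@dataclass
class HostHits:
    """Aggregated evidence for one client that queried the C2 domain."""
    first_seen: str
    last_seen: str
    names: set = field(default_factory=set)


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def is_c2_lookup(qname: str) -> bool:
    """True for the apex domain or a proper subdomain of it.

    The leading dot in the suffix test keeps 'notavsvmcloud.com' out, and an
    exact/suffix match keeps 'avsvmcloud.com.example.net' out as well.
    """
    name = normalize(qname)
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def triage(log_lines):
    """Return {client_ip: HostHits} for every client that queried the domain."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than abort the sweep
        ts, client, qname = parts[0], parts[1], parts[2]
        if not is_c2_lookup(qname):
            continue
        entry = hits.get(client)
        if entry is None:
            hits[client] = HostHits(first_seen=ts, last_seen=ts, names={normalize(qname)})
        else:
            entry.first_seen = min(entry.first_seen, ts)
            entry.last_seen = max(entry.last_seen, ts)
            entry.names.add(normalize(qname))
    return hits


def report(log_lines):
    """Flat, sorted summary: [(client, first_seen, last_seen, distinct_names)]."""
    return sorted(
        (client, h.first_seen, h.last_seen, len(h.names))
        for client, h in triage(log_lines).items()
    )


if __name__ == "__main__":
    for row in report(SAMPLE_DNS_LOG):
        print(row)
```

Hosts in the report are candidates for the further evidence-of-compromise search the advisories call for, not confirmed victims on their own.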

Ref - ZDNet

_______________________________________________________________________________________

(December 15, 2020)


NATO is assessing the damage from SolarWinds supply chain attack

The NATO Western military alliance is assessing the damage caused to its communication networks as a result of a massive hack that has rocked global institutions, including multiple agencies of the U.S. federal government and neighboring Canada. SolarWinds software is used by a wide range of governments and organizations, including some entities in NATO.

Ref - Newsweek

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds attackers used a clever way to bypass multi-factor authentication

The hackers behind the supply chain attack that compromised public and private organizations have devised a clever way to bypass multi-factor-authentication systems. After having gained administrator privileges on the infected network, they used those unfettered rights to steal a Duo secret known as a key from a server running Outlook Web App.


_______________________________________________________________________________________

(December 15, 2020)


Recent Sunburst targeted attacks

Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain. This was carried out via a compromised version of a network monitoring application called SolarWinds Orion. The attackers used the access provided by this application to plant a backdoor known as Sunburst onto affected machines. Trend Micro has provided detailed technical analysis as well as IOCs related to this attack.


_______________________________________________________________________________________

(December 15, 2020)


Critical responses needed for all businesses after SolarWinds supply chain attack 

The recent attacks on the U.S. Department of Homeland Security, Treasury Department, and FireEye are just scratching the surface of one of the most significant foreign hacking incidents in history. Over the long term, certain companies or agencies are likely to use this incident as a turning point to justify additional scrutiny of third-party software and safeguards against its abuse.


_______________________________________________________________________________________

(December 15, 2020)


More details of the SolarWinds attack emerge

A likely Russia-based threat actor has infected thousands of organizations with malware delivered via seemingly legitimate software updates to SolarWinds' Orion network management product. All enterprises running the company's Orion network management software should assume compromise and respond accordingly.


_______________________________________________________________________________________

 

(December 15, 2020)


Microsoft ensuring customers are protected from Solorigate supply chain attack

Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from legitimate software. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices.

Ref - Microsoft

_______________________________________________________________________________________

(December 15, 2020)


SolarWinds released the second hotfix for the Orion platform 

SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was exploited to insert malware and breach public and private entities in a wide-ranging espionage campaign. The company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately.


_______________________________________________________________________________________

(December 15, 2020)


Thousands of businesses could have been affected by SolarWinds attack

Thousands of businesses and several branches of the US government are now thought to have been affected by the recent attack on software firm SolarWinds. The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers. It is suspected that over 18,000 organizations have used the affected version of its Orion platform.

Ref - TechRadar

_______________________________________________________________________________________

(December 15, 2020)

After news of SolarWinds breach, Capitol Hill turns attention to CISA

Cyber-savvy members of Congress were just beginning to respond, as of Tuesday morning, to news of breaches of at least three federal agencies’ networks by foreign hackers, but the early reaction from Capitol Hill focused on supporting the Cybersecurity and Infrastructure Security Agency to do more work to protect the government.

Ref - FedScoop
 
_______________________________________________________________________________________

(December 15, 2020)

SolarWinds attack explained: And why it was so hard to detect

A group believed to be Russia's Cozy Bear gained access to government and other systems through a compromised update to SolarWinds' Orion software. Most organizations aren't prepared for this sort of software supply chain attack.


_______________________________________________________________________________________

(December 15, 2020)

Five U.S. agencies hacked in a major Russian cyberespionage campaign

Three more organizations, namely the Department of Homeland Security, the State Department, and the National Institutes of Health have joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia. Its damage remains uncertain but is presumed to be extensive, experts say.


_______________________________________________________________________________________

(December 15, 2020)

AlienVault: SolarWinds SUNBURST IOCs

AlienVault has accumulated a list of indicators of compromise (IOCs) for the SolarWinds SUNBURST supply chain attack.


_______________________________________________________________________________________

(December 15, 2020)


Sunburst backdoor: What to look for in your logs now - interview with an incident responder

FireEye published a report about a global intrusion campaign that utilized a backdoor planted in SolarWinds Orion. Attackers gained access to the download servers of Orion. They managed to infect signed installers downloaded by Orion users who had every reason to believe that the packages were safe and had not been tampered with.

Ref - Graylog

_______________________________________________________________________________________

(December 15, 2020)

SolarWinds hack could have affected 18K Customers

The still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers, the company said in a legal filing on Monday. It is said that on Dec. 14, the software giant Microsoft gained control over a key domain name, avsvmcloud[.]com, that the SolarWinds hackers were using to communicate with systems compromised by the backdoored Orion product updates.


_______________________________________________________________________________________

(December 15, 2020)

Suspected Russian cybercriminals breached U.S. DHS

A group of sophisticated hackers, which is believed to be working for the Russian government, managed to get access to internal communications in the U.S. Department of Homeland Security, according to people familiar with the matter. The breach was part of the campaign that penetrated the U.S. departments of Treasury and Commerce.

Ref - Reuters

_______________________________________________________________________________________
 
(December 14, 2020)

Canada assessing SolarWinds hack as U.S. agencies lockdown

Canadian security officials are eyeing a significant hack south of the border that appears to have penetrated top U.S. government agencies and left officials there scrambling to limit the damage.
 

_______________________________________________________________________________________

(December 14, 2020)

A backdoor inserted into SolarWinds' network monitoring software

The effects on Britain's public sector of the backdoor inserted into SolarWinds' network monitoring software are raising concerns, as tight-lipped government departments refuse to say whether UK institutions were accessed by Russian spies. It appears the downloads page for SolarWinds' platform was altered by Kremlin hackers.


_______________________________________________________________________________________

(December 14, 2020)


Adversaries infiltrated SolarWinds Orion software applications

In the past week the US Treasury, US Department of Commerce, and cybersecurity company FireEye experienced breaches tied to their reliance on software supply chains and a compromise of a SolarWinds software application. Officials stated that the exploit path demonstrated all signs of a nation-state sponsored cyberattack.

Ref - Sonatype

_______________________________________________________________________________________

(December 14, 2020)

The SolarWinds supply chain attack

Cisco Talos said that it is monitoring the announcements made by FireEye and Microsoft that a likely state-sponsored actor compromised potentially thousands of high-value government and private organizations around the world via the SolarWinds Orion product. The adversary gained access to victims’ networks via trojanized updates to SolarWinds’ Orion software.

Ref - Cisco

_______________________________________________________________________________________

(December 14, 2020)

US calls on federal agencies to power down SolarWinds Orion due to security breach

An emergency directive issued by the U.S. government calls on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they are being used to facilitate an active exploit.

Ref - CRN

_______________________________________________________________________________________

(December 14, 2020)

Using Splunk to detect Sunburst backdoor

This blog contains some immediate guidance on using Splunk Core and Splunk Enterprise Security to protect (and detect activity on) your network from the Sunburst Backdoor malware delivered via SolarWinds Orion software.

Ref - Splunk

_______________________________________________________________________________________

(December 14, 2020)

SolarWinds SUNBURST backdoor supply chain attack: What you need to know

Rapid7 has deployed detections in InsightIDR for activity related to vulnerable versions of SolarWinds Orion and will continue to add additional IOCs/TTPs as they become available.


Ref - Rapid7

_______________________________________________________________________________________

(December 14, 2020)

Multiple U.S. agencies hit in cyberattack

The Pentagon, intelligence agencies, nuclear labs, and several Fortune 500 companies use software that was found to have been compromised by Russian hackers. The sweep of stolen data is still being assessed. Investigators were struggling to determine the extent to which entities were affected by the highly sophisticated attack.

Ref - NYTimes

_______________________________________________________________________________________

(December 14, 2020)

Dark Halo abuses SolarWinds tool to breach organizations

Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds platform. Volexity has been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo.

Ref - Volexity

_______________________________________________________________________________________

(December 14, 2020)


TrustedSec incident response team releases summary and guidance

In the wake of recent revelations regarding a supply chain compromise of the SolarWinds Orion platform by a nation-state actor, the TrustedSec Incident Response team has released a summary and guidance. The company revealed that the threat actor has been dubbed “UNC2452” by FireEye and the corresponding malware identified as “SUNBURST,” which has capabilities to deliver a memory-only dropper named “TEARDROP”.


_______________________________________________________________________________________

(December 14, 2020)


A disruptive cyber crisis affected multiple agencies

The sophisticated cyber campaign that breached email accounts across the federal government created a deepening crisis as signs multiplied about the scope of the foreign intruders' reach. This is probably going to be one of the most consequential cyberattacks in U.S. history. A new Cyber Response Group will activate a subsidiary body, known as a Unified Coordination Group, to streamline crisis collaboration between affected agencies.

Ref - Politico

_______________________________________________________________________________________

(December 14, 2020)

Around 18,000 customers were affected by the recent hack

Earlier, it was speculated that all of SolarWinds' customers were impacted. However, in SEC documents filed recently, SolarWinds said that of its 300,000 total customers, only 33,000 were using the Orion software platform, and that fewer than 18,000 are believed to have installed the malware-laced update.

Ref - ZDNet

_______________________________________________________________________________________

(December 14, 2020)

SolarWinds just released a security advisory

SolarWinds has been made aware that some of their systems experienced a highly sophisticated, manual supply chain attack. The attack impacted SolarWinds Orion versions 2019.4 HF 5 through 2020.2.1. This attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack.


_______________________________________________________________________________________

(December 14, 2020)

SolarWinds serves more than 425 Fortune 500 organizations

The suspected Russia-led cyberattack targeted IT monitoring software called Orion, developed by the company SolarWinds, with malware pushed via booby-trapped updates. SolarWinds names a large number of U.S. clients, including the Pentagon, State Department, NASA, NOAA, National Security Agency, Postal Service, Department of Justice, the Office of the President of the United States, and the top five U.S. accounting firms.

Ref - Newsweek

_______________________________________________________________________________________

(December 14, 2020)

US treasury and commerce departments targeted in cyber-attack

US federal agencies were hacked in a way that may have allowed a foreign power to monitor government communications. The treasury and commerce departments have both been attacked, and all federal civilian agencies have been told to disconnect from SolarWinds Orion, a computer network tool being abused by hackers.

Ref - BBC

_______________________________________________________________________________________

(December 14, 2020)

Russian government hackers are behind the compromise of U.S. agencies

The Treasury and Commerce departments, along with other U.S. government agencies, have been breached by Russian government hackers as part of a global espionage campaign that stretches back months, according to people familiar with the matter. The breach was described as long-running and significant.


_______________________________________________________________________________________

(December 14, 2020)

Microsoft and FireEye verify SolarWinds supply chain attack

It has been identified that some hackers, believed to be operating on behalf of a foreign government, have breached software provider SolarWinds. After the breach, they deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks.

Ref - ZDNet

_______________________________________________________________________________________

(December 14, 2020)

US agencies examining the attack on government networks

The US Commerce Department has recently confirmed that it has been the victim of a data breach in a major cyber incident. In addition, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency also confirmed the data security incident.

Ref - CNN

_______________________________________________________________________________________

(December 14, 2020)

US Treasury and Commerce departments breached

The U.S. Treasury Department and the U.S. Department of Commerce were victims of a cyber breach. It was a sophisticated attack and it is said that very few entities are capable of carrying out such attacks. Authorities are investigating who was behind the breach.

Ref - ABCNews

_______________________________________________________________________________________

(December 14, 2020)

The US calls on federal agencies to stop using SolarWinds Orion 

The U.S. government has called on all federal civilian agencies to power down SolarWinds Orion products immediately. It has been identified that they are being used as part of an active security exploit. An emergency directive comes in response to a known compromise involving SolarWinds Orion products.

Ref - CRN

_______________________________________________________________________________________

(December 14, 2020)

U.S. agencies attacked by Suspected Russian hackers

In one of the most brazen hacks in recent times, U.S. government agencies were attacked as part of a global campaign that exploited a flaw in the software updates of a U.S. company. The hackers are suspected to be part of a notorious hacking group tied to the Russian government.

Ref - Bloomberg

_______________________________________________________________________________________

(December 14, 2020)

The US government agencies attacked by hackers

U.S. government agencies were hit by a widespread campaign of cyber-attacks by hackers who were suspected of exploiting a flaw in the update of a U.S. software company, according to three people familiar with the investigation. The attacks included snooping on emails at the U.S. Treasury and Commerce Department.


_______________________________________________________________________________________

(December 14, 2020)

US agencies hacked in a months-long spying campaign

As a part of a months-long global cyber espionage campaign, some hackers broke into the networks of the Treasury and Commerce departments. This has been disclosed just a few days after the prominent cybersecurity firm FireEye said it had been breached in an attack that industry experts said bore the hallmarks of Russian tradecraft.

Ref - APNews

_______________________________________________________________________________________

(December 14, 2020)

SolarStorm and SUNBURST Customer Coverage

Any organization utilizing SolarWinds Orion IT management software is potentially at risk from this threat. These organizations should immediately identify Orion systems in their network, determine if they are compromised with the SUNBURST backdoor, and seek out further evidence of compromise. 


_______________________________________________________________________________________

(December 14, 2020)

US treasury hacked by foreign attackers

A serious hack has been detected, which has led to a national security council meeting at the White House. According to the sources, hackers backed by a foreign government have been monitoring internal email traffic at the US treasury department and an agency that decides internet and telecommunications policy.


_______________________________________________________________________________________

(December 14, 2020)

US departments targeted in cyber-attack

US federal agencies have been hacked in a way that may have let a foreign power monitor government communications. All federal civilian agencies have been told to disconnect from SolarWinds Orion, which is being exploited by malicious hackers. SolarWinds has 300,000 global customers, including all five branches of the US military.

Ref - Yahoo

_______________________________________________________________________________________

(December 14, 2020)

Hackers breached the U.S. Treasury Department

Hackers linked to a foreign government have breached the systems belonging to the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA) within the Commerce Department. As a result of the incursion, some files were stolen from both agencies.

Ref - The Hill

_______________________________________________________________________________________

(December 14, 2020)

Hackers attacked the U.S. Treasury and Commerce departments

Some hackers broke into the networks of US federal agencies, including the Treasury and Commerce departments. The attacks were revealed just days after U.S. officials warned that cyber actors linked to the Russian government were attempting to exploit vulnerabilities to target sensitive data. It appeared to be a large-scale penetration of U.S. government agencies.

Ref - Time

_______________________________________________________________________________________

(December 14, 2020)

Suspected Russian hackers hacked U.S. Treasury emails

According to people familiar with the matter, some hackers, believed to be working for Russia, have been monitoring internal email traffic in the U.S. Treasury and Commerce departments. They also added that it is feared these hacks are just the tip of the iceberg. The hack is so serious it led to a National Security Council meeting at the White House.

Ref - Reuters

_______________________________________________________________________________________

(December 13, 2020)

Microsoft releases security guide to stay protected from recent nation-state cyberattacks

Microsoft is sharing information and issuing guidance about increased activities from a sophisticated threat actor that is focused on high-value targets such as government agencies and cybersecurity companies. The firm believes this is nation-state activity on a significant scale, aimed at both the government and private sector.

Ref - Microsoft

_______________________________________________________________________________________

(December 13, 2020)

A global intrusion campaign abused widely-used IT infrastructure management software

A global campaign has been identified that compromises the networks of public and private organizations through the software supply chain. The compromise is delivered through trojanized updates to Orion, a widely-used IT infrastructure management software from SolarWinds.

Ref - FireEye

_______________________________________________________________________________________

(December 13, 2020)

Hackers compromise SolarWinds Orion

SolarWinds Orion products (versions 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. CISA has determined that exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. 

Ref - DHS

_______________________________________________________________________________________

(December 13, 2020)

The active abuse of SolarWinds software

The Cybersecurity and Infrastructure Security Agency (CISA) said that it is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020. CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures.

Ref - US-CERT

_______________________________________________________________________________________

(December 13, 2020)

Highly invasive attacker abused SolarWinds supply chain

FireEye has uncovered a widespread campaign, tracked as UNC2452. The actor gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software in order to distribute malware that FireEye calls SUNBURST. This campaign may have begun as early as spring 2020 and is currently ongoing. FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild.

Ref - FireEye

Tags

solarwinds
fireeye
usa
russia

Posted on: December 14, 2020
