Responding with a quick turnaround after the breach announcement, Microsoft had the Command & Control (C2) server, avsvmcloudcom, transferred to them from GoDaddy. Their actions have been attributed to many notable attacks such as the attacks on the Democratic National Committee in 2017 and the recent attempt to steal Covid-19 vaccine data in multiple countries. Specifically, APT29 as their activities have been closely linked to Russian security agencies. The significant effort put into evading detection as well as a strong understanding of SolarWinds infrastructure have led researchers to speculate that this attack was the work of a foreign government. It became clear that the attacker was seeking high-value targets for espionage.Īdvanced Persistent Threat (APT) actor, APT29, is considered the prime suspect in the SolarWinds breach.
A few to note: Department of Homeland Security, Department of State, Department of Justice, Microsoft, FireEye, Cisco Systems, and VMware. Major companies and United States agencies were among those. Upward of 18,000 SolarWinds customers downloaded the compromised Orion update. Last month SolarWinds disclosed the impact of the breach. The Teardrop malware then loaded Cobalt Strike, a hacking toolkit designed for security professionals but that has since grown in popularity and use by malicious actors. The attackers then used a second-stage payload, Teardrop, on organizations they considered high-value targets. Customers who updated their Orion Platform software between late February 2020 and June 2020 became a potential victim of the malware referred to as Sunburst.
Orion is a platform that hosts a suite of tools for monitoring IT infrastructure. Unbeknownst to SolarWinds, attackers had implanted a Trojan backdoor into the Orion software update code. On December 13 th, 2020 FireEye released a report on a SolarWinds supply chain attack. We break this down in several of the following sections.įireEye Initial Release on Sunburst Malware and Teardrop Loader Since then, there have been two separate malware strains identified. Remarkably, the initial story on the Sunburst backdoor by FireEye was not the only exploit that SolarWinds faced. The research released so far has painted a vivid picture of how the attackers created one of the largest supply chain attacks in history. Understandably, there are still some aspects of the breach that remain unknown. Beyond the major players such as FireEye, Microsoft, CISA, and SolarWinds, there have been a plethora of other companies and researchers eager to understand and publish their findings. Nevertheless, the Threat Lab team at WatchGuard has been keeping an eye out on the latest updates. Under normal circumstances it is difficult to keep up to date on the news and especially so with a story that continues to grow. Swift new developments have continued to pour out on the SolarWinds breach.
0 kommentar(er)
