solarwinds hack

Microsoft Releases New Info on SolarWinds Attack Chain


Microsoft shared more details on Wednesday about the tactics, techniques and procedures (TTP) used by the behind the SolarWinds hackers to hide under the radar and avoid detection, because cybersecurity companies are working hard to get the clearest picture Provide a “clearer picture” of complex attacks in recent history.

The company called the threat actors “skilled and methodical operators who follow best practices in operational security (OpSec).” The did their best to ensure the initial backdoor (Sunburst aka Solorigate) and compromised implants Teardrop and Raindrop are separated as much as possible to prevent efforts to detect their malicious activities.

“Behind the Solorigate are skilled campaign operators who carefully plan and execute the attack, while remaining elusive while maintaining persistence,” a researcher from the Microsoft 365 Guardian Research Group, Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber ​​Defense Operations Center (CDOC) said: .

Although the exact identity of the organization still is StellarParticle (CrowdStrike), UNC2452 (FireEye), Solarstorm (Palo Alto Unit 42) and Dark Halo (Volexity) is still not known, but the US government earlier this month formally spying with a group can come from People from Russia.

Multiple strategies to stay undetected

Microsoft’s attack schedule shows that the fully functional Sunburst DLL backdoor was compiled and deployed on SolarWinds’ Orion platform on February 20, and then distributed in the form of a tampered update in late March.

solarwinds hacker

The reconnaissance phase lasted nearly two months to determine its target-which requires secret to remain undetected and collect valuable information-and finally deploy Cobalt Strike implants on selected victim networks and clear them in May Sunburst paved the way. The build environment from SolarWinds will be released on June 4.

However, there are few clear clues as to how and when to transition from Sunburst to Raindrops, even if the attacker seems to have deliberately separated the execution of the Cobalt Strike loader from the SolarWinds process as an OpSec measure.

solarwinds malware

The idea is that if a Cobalt Strike implant is found on the target network, it will not reveal the damaged SolarWinds binary and the supply chain attack that led to its deployment in the first place.

These findings also clearly show that although hackers rely on a series of attack vectors, the Trojan Horse’s SolarWinds software constitutes the core of espionage:

  • By deploying customized Cobalt Strike DLL implants on each system, methodically avoid sharing indicators for each infected host
  • Disguise malicious tools and binary files to mimic existing files and programs that already exist on the infected machine
  • In the hands keyboard use AUDITPOL before disabling event logging, and after the completion of its re-enabled
  • Create special firewall rules to minimize outgoing packets of certain protocols before running noisy network enumeration activities, which are subsequently deleted after network investigations
  • Perform lateral movement activities only after disabling the security service on the target host
  • Allegedly, the use of timestamps can change the timestamps of artifacts, and use the erasure process and tools to prevent the discovery of malicious DLL implants

Adopt a zero trust mentality

Microsoft said: “This attack is both complex and common.” “The actor shows the complexity in the breadth of the strategy to penetrate, expand, and persist the affected infrastructure, but many strategies, techniques, and procedures (TTP) are common. .”

To prevent such attacks in the future, the company recommends that organizations adopt a ” zero trust mentality ” to achieve least privileged access and to minimize risk by enabling multi-factor authentication.

Alex Weinert, Director of Identity Security at Microsoft, said: “With Solorigate, took advantage of a wide range of role assignments, exceeded the permissions required by the role, and in some cases gave up no permissions at all. Accounts and applications.”