Sunburst solarwinds

  1. SUNBURST SOLARWINDS .DLL
  2. SUNBURST SOLARWINDS PATCH

SunBurst: APT against SolarWinds, mapped to the Kill Chain.

Following the attack on FireEye, the details were revealed and the US Department of Homeland Security (DHS) issued an Emergency Directive (ED) regarding a backdoor being exploited in SolarWinds Orion products. Several victims that were infected through the same backdoor have been identified. Infected parties can also follow the vendor's security advisory on neutralizing the backdoor at this location. If you do come across any infection-like symptoms on your SolarWinds Orion software, be sure to either isolate the SolarWinds servers themselves or sever their connection to as many endpoints as possible. Finally, change the login credentials used to access SolarWinds servers and examine the entire network for any unusual activity that should otherwise not be taking place.

SUNBURST SOLARWINDS PATCH

The UNC2452 actors appear to have gone to great lengths to make the SUNBURST backdoor remarkably resilient to AV detection. On the one hand, the backdoor uses numerous obfuscated blocklists to neutralize any running anti-malware solutions. It is also worth mentioning that the crooks even used a Symantec-issued security certificate to hide SUNBURST's true identity. However, when asked for comment, Symantec clarified that it had sold its certificate authority back in 2018 and underlined that the certificate in question was a legacy one still using the Symantec brand name. And while new certificates may provide an adequate level of protection, old ones may put your online security at risk. SolarWinds has advised all its users to upgrade their software to Orion Platform release 2020.2.1 HF 1, as this is the version containing the patch for the SUNBURST vulnerability.
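To act on the upgrade advice above you need to know which of your Orion hosts are still below 2020.2.1 HF 1. The following Python script is an added example, not code from this page or from SolarWinds: it parses Orion version strings into comparable tuples and sorts an inventory into patched, needs-upgrade and unparseable buckets. The version format it accepts ("YEAR.MINOR[.PATCH][ HF N]") is an assumption generalised from the single version named on the page, and the host names and versions in the sample inventory are constructed.

```python
import re

# Patched release named on the page; every release below it is treated as needing the upgrade.
PATCHED_RELEASE = "2020.2.1 HF 1"

# Assumed version format: "YEAR.MINOR[.PATCH][ HF N]", e.g. "2020.2.1 HF 1" or "2019.4 HF 2".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> tuple:
    """Turn an Orion version string into a comparable (year, minor, patch, hotfix) tuple."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected number of version components: {text!r}")
    parts += [0] * (3 - len(parts))  # "2020.2" is treated as 2020.2.0
    hotfix = int(match.group(2)) if match.group(2) else 0  # no "HF" suffix means hotfix 0
    return parts[0], parts[1], parts[2], hotfix


def needs_upgrade(installed: str) -> bool:
    """True when the installed release is older than the patched release."""
    return parse_orion_version(installed) < parse_orion_version(PATCHED_RELEASE)


def audit_inventory(inventory: dict) -> dict:
    """Sort hosts into patched / needs_upgrade / unparseable buckets."""
    report = {"patched": [], "needs_upgrade": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "needs_upgrade" if needs_upgrade(version) else "patched"
        except ValueError:
            bucket = "unparseable"  # unknown format: review by hand rather than guess
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF 1",
    "orion-prod-02": "2020.2.1",
    "orion-lab": "2019.4 HF 2",
    "orion-legacy": "2018.4",
    "orion-unknown": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Unparseable entries are reported rather than silently treated as patched, so a host whose version could not be read still shows up for manual review.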

SUNBURST SOLARWINDS .DLL

The Sunburst exploit was a supply chain attack. A malicious backdoor was placed into a .dll that is a digitally signed SolarWinds component of the Orion software framework and that communicates via HTTP to third-party servers. All subsequent malicious actions come to fruition via temporary file replacements: the crooks infect a legitimate file or a system process with malware, use it to trigger the payload, then restore the original file or function. The login credentials used to obtain unauthorized remote access differ from the ones meant for lateral movement across the infected target. The crooks also use Virtual Private Servers (VPS) so that their IP addresses appear to come from the victim's country. In addition to its classic backdoor features, some SUNBURST samples have also injected the Cobalt Strike BEACON malware straight into system memory. Overall, whoever is behind the UNC2452 group appears to favor remote execution over leaving deep tracks inside the compromised networks.

UNC2452 Lateral Movement - Source: FireEye
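Because the backdoored component talks HTTP to third-party servers, one practical check is to baseline what your Orion servers are expected to reach and review everything else. The script below is an added example written for this page, not code from the page, FireEye or SolarWinds: it parses proxy log lines, keeps only requests made by Orion hosts, and reports destinations outside an expected-egress allowlist with a request count and first-seen time. The Orion host names, the allowlisted domains, the log line format and the sample log lines are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed inventory: the hosts that run the Orion platform (hypothetical names).
ORION_HOSTS = {"orion-prod-01", "orion-prod-02"}

# Assumed baseline: the only destinations Orion servers are expected to reach
# (hypothetical domains standing in for the vendor update and time sources you allow).
EXPECTED_EGRESS = {"updates.solarwinds-mirror.example", "time.corp.example"}

# Constructed proxy log format: "<timestamp> <source host> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<dest>[^/:\s]+)\S* (?P<status>\d{3})$"
)


@dataclass
class Finding:
    src: str         # Orion host that made the request
    dest: str        # destination host not in the expected baseline
    count: int       # how many requests were seen
    first_seen: str  # timestamp of the first request


def parse_line(line: str) -> Optional[dict]:
    """Parse one proxy log line; return None for lines that do not match the format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_unexpected_egress(lines: Iterable[str]) -> List[Finding]:
    """Flag HTTP(S) requests from Orion servers to destinations outside the baseline."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in ORION_HOSTS:
            continue  # unparseable, or not an Orion server: outside this detection's scope
        if rec["dest"] in EXPECTED_EGRESS:
            continue  # expected vendor/update traffic
        key = (rec["src"], rec["dest"])
        if key in seen:
            seen[key].count += 1
        else:
            seen[key] = Finding(rec["src"], rec["dest"], 1, rec["ts"])
    return sorted(seen.values(), key=lambda f: (f.src, f.dest))


# Constructed sample log lines (hypothetical hosts, domains and timestamps).
SAMPLE_LOG = [
    "2020-12-13T09:00:01Z orion-prod-01 GET https://updates.solarwinds-mirror.example/manifest 200",
    "2020-12-13T09:00:05Z orion-prod-01 GET https://time.corp.example/ 200",
    "2020-12-13T09:01:12Z orion-prod-02 GET https://cdn.example-third-party.test/api/v1 200",
    "2020-12-13T09:06:40Z orion-prod-02 GET https://cdn.example-third-party.test/api/v2 200",
    "2020-12-13T09:07:00Z workstation-17 GET https://cdn.example-third-party.test/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"{f.src} -> {f.dest}: {f.count} request(s), first seen {f.first_seen}")
```

The workstation line is deliberately ignored: the point of the check is that a monitoring server has a narrow, predictable egress profile, so the same destination that is unremarkable for a workstation deserves a look when an Orion host reaches it.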
