HackDig : Dig high-quality web security articles for hackers

New Sunspot malware found while investigating SolarWinds hack

2021-01-12 10:01

New Sunspot malware found while investigating SolarWinds hack

Cybersecurity firm CrowdStrike has discovered the malware used by the SolarWinds hackers to inject backdoors in Orion platform builds during the supply-chain attack that led to the compromise of several companies and government agencies.

Sunspot, as it was dubbed by CrowdStrike, was dropped by the attackers in the development environment of SolarWinds' Orion IT management software.

After being executed by the threat actor — tracked as StellarParticle(CrowdStrike),  UNC2452(FireEye), and Dark Halo (Volexity) — the malware would monitor and automatically injecting a Sunburst backdoor by replacing the company's legitimate source code with malicious code.

"The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers," CrowdStrike found.

However, "[s]everal safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence."

Third malware linked to the SolarWinds hackers

This is the third malware strain found while investigating the SolarWinds supply-chain attack and associated with the StellarParticle threat actor.

A second one is the Sunburst (Solorigate) backdoor malware deployed by the SolarWinds hackers on the systems of organizations who installed trojanized Orion builds via the platform's built-in automatic update mechanism.

After recovering several Sunburst samples that delivered different payloads, FireEye found a third malware named Teardrop, which is a previously unknown memory-only dropper and a post-exploitation tool used to deploy customized Cobalt Strike beacons.

A fourth malware, not linked to the StellarParticle hackers but also delivered using trojanized Orion builds, was also discovered by Palo Alto Networks Unit 42 and Microsoft while investigating the SolarWinds supply-chain attack

This additional malware, dubbed SuperNova, was deployed as a DLL file that allowed attackers to remotely send, compile, and execute C# code on compromised machines.

SolarWinds attack timeline
Source: SolarWinds

SolarWinds hackers' identity not yet known

While we learned of the SolarWind hack on December 13th, the first disclosure of its consequences was made on December 8th by leading cybersecurity firm FireEye which revealed that it was hacked by a nation-state hacking group

As part of the attack, the hackers gained access to the SolarWinds Orion build system and injected the sunburst backdoor into a legitimate DLL used by the SolarWinds Orion IT management software. This DLL was later automatically distributed to SolarWinds customers in a supply chain attack.

Even though the timeline of the SolarWinds attack starts in September 2019, the date when the earliest suspicious activity was found on SolarWinds internal network, the identity of the hacking group behind this supply-chain attack is still unknown.

However, Kaspersky was the first to make a connection between the SolarWinds hackers and a previously known cyber-espionage group after finding that the Sunburst backdoor has feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.

"The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation," Costin Raiu, director of Kaspersky's Global Research and Analysis Team (GReAT), said.

SolarWinds supply chain attack
SolarWinds supply chain attack (Microsoft)​​​

A week ago, the FBI, CISA, and the NSA also disclosed in a joint statement that a Russian-backed Advanced Persistent Threat (APT) group is likely behind the SolarWinds hack.

"The U.S. government and many private-sector experts have stated the belief that a foreign nation-state conducted this intrusive operation as part of a widespread attack against America’s cyberinfrastructure," SolarWinds CEO Sudhakar Ramakrishna said today.

"To date, our investigations have not independently verified the identity of the perpetrators."


Source: iwralos-gnitagitsevni-elihw-dnuof-erawlam-topsnus-wen/ytiruces/swen/moc.retupmocgnipeelb.www

Read:95 | Comments:0 | Tags:Security hack

“New Sunspot malware found while investigating SolarWinds hack”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools

Tag Cloud