[BreachExchange] A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says

Inga Goddijn inga at riskbasedsecurity.com
Tue Dec 22 09:47:24 EST 2020


https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html

As the probe into the SolarWinds supply chain attack continues, new digital
forensic evidence shows that a separate threat actor may have been abusing
the IT infrastructure provider's Orion software to drop a similar backdoor on
target systems.

"The investigation of the whole SolarWinds compromise led to the discovery
of an additional malware that also affects the SolarWinds Orion product but
has been determined to be likely unrelated to this compromise and used by a
different threat actor," the Microsoft 365 Defender research team said on
Friday in a post detailing the Sunburst malware.

What sets the newly revealed malware, dubbed "Supernova," apart is that,
unlike the Sunburst DLL, the Supernova binary
<https://www.virustotal.com/gui/file/c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71/detection>
("app_web_logoimagehandler.ashx.b6031896.dll") is not signed with a
legitimate SolarWinds digital certificate, signaling that it may have been
planted by a different intrusion, unrelated to the previously disclosed
supply chain attack.

In a standalone write-up
<https://unit42.paloaltonetworks.com/solarstorm-supernova/>, researchers
from Palo Alto Networks describe Supernova as a trojanized copy of Orion's
logo image handler that accepts C# source over HTTP, compiles it, and runs
it in memory. Because no compiled payload ever touches disk, the attacker
can bypass file-based endpoint detection and response (EDR) controls and
"deploy full-featured – and presumably sophisticated – .NET programs in
reconnaissance, lateral movement and other attack phases."
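The practical check that follows from the two paragraphs above is a triage pass over the DLLs in an Orion web directory: does each file carry an Authenticode signature at all, and does any of them match the published Supernova hash? The script below is an added example, not code from the article or from Microsoft or Palo Alto Networks. It parses the PE header by hand so it runs anywhere without third-party modules, and it builds a constructed minimal PE32+ image (not a real Orion DLL) so it can be run offline; only the SHA-256 comes from the page (the VirusTotal link above). Presence of a Certificate Table only means a signature blob is attached; on a Windows host you would still validate the chain with Get-AuthenticodeSignature or signtool.

```python
import hashlib
import struct

# SHA-256 of the Supernova DLL referenced in the VirusTotal link above.
SUPERNOVA_SHA256 = "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Certificate Table data directory


def has_authenticode_cert_table(data: bytes) -> bool:
    """True if the PE's Certificate Table directory points at a non-empty region
    inside the file. That means a signature blob is attached; it does not mean
    the signature validates or that SolarWinds signed it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4          # COFF file header, 20 bytes
    opt = coff + 20              # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:           # PE32+ (64-bit)
        nrva_off, dirs = opt + 108, opt + 112
    elif magic == 0x10B:         # PE32 (32-bit)
        nrva_off, dirs = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # For the security directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0 and offset + size <= len(data)


def triage_dll(data: bytes) -> dict:
    """Hash the file and report whether it is signed at all / is known Supernova."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "carries_cert_table": has_authenticode_cert_table(data),
        "known_supernova_hash": digest == SUPERNOVA_SHA256,
    }


def build_sample_pe(with_cert_table: bool) -> bytes:
    """Constructed minimal PE32+ header (not a real Orion DLL) so the example
    runs offline; with_cert_table=True emulates a file that carries a signature."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 112 + 16 * 8      # PE32+ fixed fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)    # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    body = b""
    if with_cert_table:
        cert_blob = b"\0" * 8                # placeholder WIN_CERTIFICATE bytes
        cert_offset = e_lfanew + 4 + 20 + opt_size
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_offset, len(cert_blob))
        body = cert_blob
    return dos + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:                            # no files given: run on the constructed sample
        print("sample (unsigned):", triage_dll(build_sample_pe(False)))
        print("sample (cert table):", triage_dll(build_sample_pe(True)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage_dll(fh.read()))
```

Run it as `python triage.py C:\inetpub\SolarWinds\bin\*.dll` (path assumed; adjust to the Orion install) and look at two things: any DLL with `carries_cert_table` false in a directory where every legitimate SolarWinds binary is signed, and any `known_supernova_hash` hit. An unsigned handler DLL that does not match the published hash still deserves a look, since a recompiled variant changes the hash but not the absence of a signature.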
How the Sunburst Backdoor Operates

The discovery is yet another indication that the SolarWinds supply chain
attack, whose trojanized updates reached as many as 18,000 companies and
government agencies, was not only a lucrative infection vector for threat
actors but was executed with a far broader scope and extraordinary
sophistication.

The adversaries used what is called a supply chain attack: they trojanized
SolarWinds Orion network management software updates that the company
distributed between March and June of this year, planting malicious code in
a signed Orion DLL (SolarWinds.Orion.Core.BusinessLayer.dll, the backdoor
known as Sunburst or Solorigate) on the targets' servers. The backdoor is
capable of stealthily gathering critical information
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/>,
running remote commands, and exfiltrating the results to an
attacker-controlled server.

Analysis of the Solorigate modus operandi has also revealed that the
campaign stole data from only a select few of the thousands of victims,
escalating attacks based on intelligence amassed during initial
reconnaissance of the target environment for high-value accounts and
assets.

The escalation works over DNS. The backdoor beacons to a subdomain of the
predefined command-and-control (C2) domain, the now-sinkholed
"avsvmcloud[.]com"; for victims the operators choose to pursue, the
response names a second C2 server (via a CNAME record), from which the
Sunburst backdoor then takes specific commands for privilege escalation
exploration, credential theft, and lateral movement.
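The DNS behaviour described above is what a defender can hunt for in resolver logs: any query under avsvmcloud[.]com is a beacon, and a CNAME answer that points outside that domain is the handoff to a second-stage C2. The script below is an added example, not part of the article or of any vendor's published tooling. It assumes a simple space-separated resolver log (timestamp, client, qname, qtype, rcode, answer), and the four sample lines are constructed: the subdomain labels are made-up strings rather than real Sunburst encodings, and the answer addresses are documentation values, not real C2 infrastructure.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

C2_DOMAIN = "avsvmcloud.com"
# Sunburst beacon names take the form <encoded-host-label>.appsync-api.<region>.avsvmcloud.com
BEACON_RE = re.compile(
    r"^(?P<label>[a-z0-9]{8,})\.appsync-api\.(?P<region>[a-z0-9-]+)\."
    + re.escape(C2_DOMAIN) + r"$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    client: str
    qname: str
    region: Optional[str]
    stage: str      # "beacon" or "second-stage-handoff"
    detail: str     # encoded label for a beacon, CNAME target for a handoff


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _under_c2(name: str) -> bool:
    n = _norm(name)
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def inspect_line(line: str) -> Optional[Finding]:
    """Assumed log layout (constructed for this example):
    <timestamp> <client-ip> <qname> <qtype> <rcode> <answer>
    where <answer> is A:<ip>, CNAME:<name> or '-'."""
    fields = line.split()
    if len(fields) < 6:
        return None
    ts, client, qname, _qtype, _rcode, answer = fields[:6]
    if not _under_c2(qname):
        return None
    m = BEACON_RE.match(_norm(qname))
    region = m.group("region") if m else None
    label = m.group("label") if m else ""
    if answer.upper().startswith("CNAME:"):
        target = _norm(answer[len("CNAME:"):])
        # A CNAME leading out of avsvmcloud.com is the second-stage C2 handoff.
        if not _under_c2(target):
            return Finding(ts, client, qname, region, "second-stage-handoff", target)
    return Finding(ts, client, qname, region, "beacon", label)


def scan_dns_log(lines) -> List[Finding]:
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample log: labels and answers are illustrative only.
SAMPLE_DNS_LOG = """\
2020-06-12T10:01:03Z 10.20.30.40 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com A NOERROR A:203.0.113.5
2020-06-12T10:01:04Z 10.20.30.40 www.solarwinds.com A NOERROR A:192.0.2.10
2020-06-12T11:35:17Z 10.20.30.41 k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com A NOERROR CNAME:c2.stage2.example.net
2020-06-12T11:36:00Z 10.20.30.42 updates.example.net A NXDOMAIN -
"""

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{f.timestamp} {f.client} {f.stage:22} region={f.region} {f.detail}")
```

A beacon alone means an Orion host ran the trojanized DLL; a handoff finding means the operators selected that host for follow-on activity, so the client in that line is where credential theft and lateral movement should be looked for first. Keep the matching loose on the region and label: the encoded label differs per victim, and a narrow regex would miss hosts whose label the actor encoded differently.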

That the compromised DLL carries a valid SolarWinds signature implies a
compromise of the company's software development or distribution pipeline,
and evidence suggests the attackers conducted a dry run of the campaign as
early as October 2019.

The October 2019 files did not carry the backdoor that the Orion updates
customers downloaded in the spring of 2020 did; that build was mainly used
to test whether the attackers' modifications showed up in the newly
released updates as expected.

The US Cybersecurity and Infrastructure Security Agency (CISA) said in an
alert last week that it has found evidence of initial access vectors other
than the SolarWinds Orion software.
Cisco, VMware, and Deloitte Confirm Malicious Orion Installations

Cybersecurity firms Kaspersky
<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>
and Symantec
<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds>
have each said they identified roughly 100 customers who downloaded the
trojanized package containing the Sunburst backdoor, with Symantec also
finding traces of a second-stage payload called Teardrop in a small number
of organizations.

The specific number of infected victims remains unknown, but it has grown
steadily since cybersecurity firm FireEye revealed early this month that it
had been breached via SolarWinds' software. So far, several US government
agencies and private companies, including Microsoft, Cisco, Equifax,
General Electric, Intel, NVIDIA, Deloitte, and VMware
<https://www.vmware.com/company/news/updates/2020/vmware-statement-solarwinds-supply-chain-compromise.html>,
have reported finding the malware on their servers.

"Following the SolarWinds attack announcement, Cisco Security immediately
began our established incident response processes," Cisco said in a
statement to The Hacker News via email.

"We have isolated and removed Orion installations from a small number of
lab environments and employee endpoints. At this time, there is no known
impact to Cisco products, services, or to any customer data. We continue to
investigate all aspects of this evolving situation with the highest
priority."

FireEye was the first to expose the wide-ranging espionage campaign, on
December 8, after discovering that the threat actor had stolen its arsenal
of Red Team penetration testing tools; it remains the only publicly
reported instance so far in which the attackers escalated access beyond the
initial foothold. No foreign governments have announced compromises of
their own systems.

Although media reports have attributed the campaign to APT29, Russia has
denied involvement, and cybersecurity companies and researchers at FireEye,
Microsoft, and Volexity have not attributed these attacks to any specific
threat actor.