As investigators probe the SolarWinds hack, they're finding that the supply chain campaign appears to have reached farther than they first suspected.

The New York Times reports that investigators now believe that up to 250 organizations may have been subjected to more advanced hacking as part of the campaign.

The supply chain attack installed a backdoor in Orion - a widely used network monitoring and management platform developed by Texas-based SolarWinds - that shipped beginning in March. For nine months, the backdoor, known as Sunburst, phoned home from about 18,000 customers' systems to attackers' command-and-control servers. For a subset of infected endpoints, attackers dropped second-stage malware called Teardrop that could exfiltrate data, install additional malware and backdoors, and help the hackers reach other systems (see: Shareholder Sues SolarWinds).

On Tuesday, the federal Cyber Unified Coordination Group, formed to investigate the breach, noted in a statement: "An advanced persistent threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly."

The group, which includes the Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and the Office of the Director of National Intelligence, said that the investigation so far has revealed that "fewer than 10" federal agencies have been affected by follow-on activities tied to the attack.

The alleged Russian intelligence campaign was discovered and brought to light in December not by the U.S. intelligence establishment, but rather by California-based cybersecurity firm FireEye - itself a victim, which uncovered the campaign while investigating the theft of some of its own penetration testing tools. FireEye CEO Kevin Mandia subsequently estimated that perhaps 50 organizations had been subjected to second-stage attacks that involved not just systems phoning home, but being infected with the Teardrop malware (see: Target Selection: SolarWinds' Orion 'Big Fish' Most at Risk).

Microsoft on Dec. 17 reported that at least 40 of its customers had fallen victim to second-stage attacks. Subsequently, however, the technology giant revealed that both it and its resellers had also been breached. On Thursday, Microsoft warned in a blog post that attackers had even accessed source code for undisclosed products, although it said the risk posed to customers was low.

Confirmed Sunburst victims include the U.S. Commerce, Homeland Security, State and Energy departments, as well as some branches of the Pentagon. Other targeted organizations include technology firms Belkin, Cisco, Intel, Nvidia and VMware, as well as Iowa State University, Pima County in Arizona and Hilton Grand Vacations, among many others.

The risk posed by Sunburst is considered so severe that, on Thursday, CISA updated its emergency directive to require that all federal organizations still running vulnerable SolarWinds Orion software update to the latest version by the end of the day, or else "disconnect or power down" the software.

The latest estimate that up to 250 organizations may have been compromised as part of the supply chain attack comes via Amazon's intelligence team, The New York Times reports, adding that unnamed officials have cautioned that some victims may have been counted twice.

SolarWinds has issued patches for Orion against Sunburst, as well as for malware called Supernova - aka CosmicGale - that targeted flaws in Orion.

Some security experts say it now appears that Sunburst is not connected to Supernova. Microsoft security engineer Nick Carr reports in a post to GitHub that Supernova and Sunburst "have not been conclusively tied to the same threat actor." While both used malicious DLL files, unlike Sunburst, the Supernova web shell was not signed using the SolarWinds digital certificate, but rather appears to have been installed by attackers exploiting a zero-day flaw that was already present in the software.

> This is excellent analysis of a webshell! However, SUPERNOVA & COSMICGALE are unrelated to this intrusion campaign. You should definitely investigate them separately bc they are interesting – but don't let it distract from the SUNBURST intrusions. Details:
>
> - Nick Carr, December

## Intelligence Gathering

Experts say the campaign to install backdoors on valuable systems has all the hallmarks of an intelligence gathering operation.
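The one concrete technical distinction the article draws, that Sunburst shipped inside a DLL carrying a valid SolarWinds Authenticode signature while the Supernova web shell DLL was unsigned, gives an Orion administrator a first triage check. The PowerShell below is an added example written for this page, not code from the article, from Nick Carr's analysis or from SolarWinds; the Orion install path and the expected publisher string are assumptions and should be adjusted per host.

```powershell
# Added example (not from the article): inventory the Authenticode signature of
# every DLL under the Orion install tree and flag anything unsigned, tampered,
# or signed by a publisher other than SolarWinds.
# Assumptions: default install path and a publisher subject containing "SolarWinds".
param(
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion',
    [string]$ExpectedPublisher = 'SolarWinds'
)

$results = Get-ChildItem -Path $OrionRoot -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Supernova-style finding: a DLL in the Orion tree that is unsigned,
            # fails signature validation, or is signed by someone else.
            Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notlike "*$ExpectedPublisher*")
        }
    }

# Print the suspicious subset, then keep the full inventory for IOC comparison.
$results | Where-Object Suspicious | Sort-Object Path | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'orion-dll-signatures.csv') -NoTypeInformation
```

The caveat matters more than the check: a valid SolarWinds signature does not clear a DLL, because Sunburst was distributed exactly that way. Treat the unsigned or foreign-signed rows as the Supernova-style lead, and compare the SHA-256 column of the validly signed rows against the vendor's and CISA's published indicators for the Sunburst-tainted builds. Run the script from a PowerShell you trust (or against a mounted offline image), since a host that is already backdoored can lie about its own files.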