SolarWinds Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Thu, 30 May 2024 21:33:59 +0000

Leaked Conti ransomware source codes were used to attack Russian authorities
https://gridinsoft.com/blogs/conti-source-codes/
Mon, 11 Apr 2022 18:01:26 +0000

The post Leaked Conti ransomware source codes were used to attack Russian authorities appeared first on Gridinsoft Blog.

In March 2022, the source codes of the Conti malware were made public, and now, apparently, other hackers are starting to use them, turning the ransomware against Russian authorities and companies.

Let me remind you that this story began back in February 2022, when an anonymous information security researcher who had access to the hackers’ infrastructure (according to other sources, this was a Ukrainian member of the hack group itself) decided to take revenge on Conti. The reason was that the group had announced that, in light of the “special military operation” in Ukraine, it fully supported the actions of the Russian government.

As a result, all of the group’s internal chats over the past year were first released to the public (339 JSON files, each of which is a log for a single day), and then another portion of the logs was published (another 148 JSON files containing 107,000 internal group messages), along with other data related to Conti, including control panel source code, the BazarBackdoor API, old ransomware source code, server screenshots, and more. These leaks were followed by another one containing more recent source code of the Conti malware.

According to Bleeping Computer, the hack group NB65 has already adapted the Conti sources and is attacking Russian organizations. According to the publication, NB65 has been hacking into Russian organizations for the past month, stealing data and leaking it online. At the same time, the hackers claimed that the attacks were connected with the “special operation” in Ukraine.

In March, for example, the group claimed that it had already compromised the IT company Tenzor, Roscosmos, and VGTRK. In particular, the hackers wrote that they had stolen 786.2 GB of data from VGTRK, including 900,000 emails and 4,000 other files, which were eventually published on the DDoSecrets website.

Now, NB65 has switched to using ransomware, creating its own malware based on the Conti source code; a sample of it was found on VirusTotal. It turned out that almost all security solutions identify this threat as Conti, but Intezer Analyze found that the malware shares only 66% of its code with Conti.

Journalists who were able to talk to the hackers report that they created the malware based on the first Conti source leak, but modify it for each victim so that existing decryptors do not work. NB65 representatives also assured the publication that they support Ukraine and will attack Russian companies, including those owned by private individuals, until all military actions cease.

“We will not attack targets outside of Russia. Groups like Conti and Sandworm, along with other Russian APTs, have been attacking the West for years with ransomware and conducting supply chain attacks (SolarWinds, defense contractors). We decided it was time for them to experience it for themselves,” says NB65.

Let me remind you that we also wrote that the Russian Aviation agency switched to paper documents due to a hacker attack.

Clop ransomware exploits vulnerability in SolarWinds Serv-U
https://gridinsoft.com/blogs/clop-ransomware-exploits-vulnerability-in-solarwinds-serv-u/
Fri, 12 Nov 2021 21:51:29 +0000

The post Clop ransomware exploits vulnerability in SolarWinds Serv-U appeared first on Gridinsoft Blog.

The NCC Group warns of a spike in attacks by the Clop ransomware group (also known as TA505 and FIN11), which exploit a vulnerability in SolarWinds Serv-U.

Most of them start off by exploiting the CVE-2021-35211 bug in Serv-U Managed File Transfer and Serv-U Secure FTP. This issue allows a remote attacker to execute commands with elevated privileges on the affected server.

SolarWinds fixed this bug back in July 2021, after discovering the “only attacker” who was using this vulnerability at the time. The company then warned that the vulnerability affects only customers who have enabled the SSH function, and that disabling SSH prevents exploitation of the bug.

As the NCC Group now reports, Clop operators have also begun to exploit the vulnerability in their attacks, although they typically relied on exploiting 0-day issues in Accellion and on phishing emails with malicious attachments. The attackers now use Serv-U to launch a subprocess under their control, which allows them to run commands on the target system. This paves the way for malware deployment, network reconnaissance, and lateral movement, creating a solid platform for ransomware attacks.

A characteristic sign of exploitation of this vulnerability is a specific error in the Serv-U logs, which looks like the following line:

‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’

Another sign of exploitation of the bug is traces of the PowerShell command used to deploy Cobalt Strike beacons on the affected system.

The NCC Group has published a checklist that system administrators can use to check their systems for signs of compromise:

  • check whether your Serv-U version is vulnerable;
  • locate the Serv-U DebugSocketlog.txt file;
  • look in it for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’;
  • check event ID 4104 in the Windows event logs around the date and time of the exception, and look for suspicious PowerShell commands;
  • check whether the scheduled RegIdleBackup task has been hijacked;
  • the task’s COM handler CLSID should be set to the legitimate value {CA767AA8-9157-4604-B64B-40747123D5F2};
  • if the task contains a different CLSID, check the contents of the CLSID objects in the registry: the Base64 strings returned there could be an indicator of compromise.

The researchers note that most of the vulnerable Serv-U FTP systems are in China and the United States.

[Image: Clop exploits a vulnerability in SolarWinds]

Let me remind you that I wrote that the Cyber police of Ukraine arrested persons linked to the Clop ransomware, but also that the Clop ransomware continues to operate even after a series of arrests.

Hackers attacked Microsoft Exchange servers of the European Banking Authority
https://gridinsoft.com/blogs/hackers-attacked-microsoft-exchange-servers-of-the-eba/
Tue, 09 Mar 2021 16:08:01 +0000

The post Hackers attacked Microsoft Exchange servers of the European Banking Authority appeared first on Gridinsoft Blog.

Hackers attacked the Microsoft Exchange servers of the European Banking Authority (EBA). Due to the attack, the EBA had to temporarily shut down its mail systems as a precaution.

EBA launched an investigation of the incident in partnership with its information and communications technology provider, a group of information security experts and other relevant organizations.

“Since the vulnerability is related to the EBA mail servers, attackers could presumably gain access to confidential information through emails,” the agency said.

The EBA also said the experts secured the email infrastructure and found no evidence of data theft.

This incident is a consequence of an ongoing large-scale campaign to exploit vulnerabilities in Microsoft Exchange mail servers.

Let me remind you that last week Microsoft released emergency security updates for its Exchange mail server, fixing four zero-day vulnerabilities that are being actively exploited by Chinese hackers.

According to experts, attacks using the Microsoft Exchange vulnerabilities could affect more than 60 thousand organizations around the world. In this regard, Bloomberg predicts a new global cybersecurity crisis.

“The result is a second cybersecurity crisis coming just months after suspected Russian hackers breached nine federal agencies and at least 100 companies through tampered updates from IT management software maker SolarWinds LLC. Cybersecurity experts that defend the world’s computer systems expressed a growing sense of frustration and exhaustion,” Bloomberg journalists write.

According to a former senior U.S. official familiar with the investigation, the attack began with a hacker group backed by the Chinese government.

Initially, the Chinese hackers appeared to be targeting high-value intelligence objectives in the United States. About a week ago, everything changed. Other hacker groups began hitting thousands of victims in a short period of time by planting hidden software that could give them access to companies’ mail.

In any case, the attacks were so successful, and so quick, that the hackers seem to have found a way to automate the process.

“If you are using an Exchange server, you are most likely to be a victim,” said Steven Adair, head of the northern Virginia-based Volexity.

Microsoft: SolarWinds Hackers Stole Source Codes of Azure, Exchange and Intune Components
https://gridinsoft.com/blogs/solarwinds-hackers-stole-microsoft-source-codes/
Fri, 19 Feb 2021 16:44:57 +0000

The post Microsoft: SolarWinds Hackers Stole Source Codes of Azure, Exchange and Intune Components appeared first on Gridinsoft Blog.

Microsoft experts announced that they have completed an official investigation of the attack and told what exactly the SolarWinds hackers were able to steal. The company reiterated that it found no evidence that outsiders could somehow abuse Microsoft systems or use its products to attack customers.

Let me remind you that Microsoft acknowledged the fact of compromise back in December 2020, when it became clear that the company was using versions of the Orion platform, manufactured by SolarWinds and infected by cybercriminals. This allowed hackers to gain access to some source codes.

“Our analysis shows that the first view of the file in the source code repository was at the end of November, and [the attack] ended when we secured the affected accounts,” says the final report.

Even after their access was cut off, the hackers kept trying to log into the company’s systems throughout December and even in early January 2021. In other words, the attackers’ activity continued for several weeks after the SolarWinds hack became known, and even after Microsoft officially announced that it was investigating the incident.

The company assures that hackers did not get access to all repositories of any particular product or service, and also did not get to the bulk of the source code. Instead, according to the manufacturer, the attackers were able to view “only a few individual files […] as a result of searching the repository.”

Moreover, judging by the search queries, the hackers were not interested in the source code itself, but were looking for API keys, credentials, and tokens that would help them penetrate other Microsoft systems. However, these attempts were unsuccessful, as the company’s development policy prohibits storing secrets in code, and regular automated checks enforce this.

In the end, the attackers still managed to steal source code, but only for a few components associated with the company’s cloud products. The compromised repositories contained:

  • a small portion of Azure components;
  • a small portion of Intune components;
  • a small portion of Exchange components.

Microsoft representatives summarize that this leak will not affect the company’s products in any way, and the incident did not allow hackers to gain wide access to user data.

As a reminder, Microsoft says SolarWinds hackers hunted for access to cloud resources.

Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack
https://gridinsoft.com/blogs/microsoft-says-about-developers-that-worked-on-solarwinds-attack/
Tue, 16 Feb 2021 16:47:08 +0000

The post Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack appeared first on Gridinsoft Blog.

In an interview with CBSNews, Microsoft President Brad Smith said the recent attack on SolarWinds was “the largest and most sophisticated he has ever seen.” According to him, the analysis of the hack carried out by the company’s specialists suggests that more than 1,000 developers worked on this attack.

At the same time, Smith says that the attackers rewrote only 4032 lines of code in Orion, which contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers, according to official figures.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but far more specialists “worked” on the attackers’ side:

“When we analysed everything we found at Microsoft, we asked ourselves how many engineers could be working on these attacks? The answer we received was: well, obviously more than a thousand,” said Brad Smith.

Since the attack is attributed to a Russian-speaking hack group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to large-scale attacks on Ukraine, which are also attributed to Russia (although the Russian Federation authorities deny their involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and commented on the recent events.

As it turned out, the compromise at FireEye was discovered almost by accident. To remotely log into the company’s VPN, employees need a two-factor authentication code, and their accounts are tied to phone numbers. The FireEye security team happened to notice that one of the employees had linked two phone numbers to his account.

“When this person was called and asked if he really had two numbers or devices, he replied that he had not done anything like that. It turned out that the second number was tied to the account by the attackers,” said Kevin Mandia.

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

Raindrop is another malware detected during the SolarWinds hack
https://gridinsoft.com/blogs/raindrop-is-another-malware-detected-during-the-solarwinds-hack/
Wed, 20 Jan 2021 16:29:43 +0000

The post Raindrop is another malware detected during the SolarWinds hack appeared first on Gridinsoft Blog.

Symantec specialists detected Raindrop malware, which was used during the attack on SolarWinds along with other malware.

According to the researchers, Raindrop was used by cybercriminals in the last stages of the attack and was deployed only on the networks of a few selected targets (only four malware samples were found).

Let me remind you that SolarWinds, which develops software that helps enterprises manage their networks, systems and infrastructure, was hacked in mid-2019, and this supply chain attack is attributed to an allegedly Russian-speaking hack group, which information security experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye) and Dark Halo (Volexity).

“After infiltrating the SolarWinds network, the attackers provided Orion’s centralized monitoring and control platform with malicious updates. As a result, many SolarWinds customers installed an infected version of the platform and unintentionally let the hackers into their networks,” Symantec experts recap the course of the attack.

Among the victims are such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the US Department of State and the National Nuclear Security Administration.

Microsoft researchers also reported that Supernova and CosmicGale malware were detected on systems running SolarWinds.

Additionally, as it became known earlier from reports of other information security experts, the attackers first deployed the Sunspot malware on the SolarWinds network.

CrowdStrike analysts wrote that this malware was used to inject the Sunburst backdoor into the Orion code. The infected versions of Orion went undetected and were active between March and June 2020, during which companies using Orion were compromised. According to official figures, of the 300,000 SolarWinds customers only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers’ machines. At the same time, the hackers developed their attack further only in rare cases, carefully choosing large targets among the victims.

Sunburst itself was relatively simple: it only collected information about the infected network and transmitted this data to a remote server. If the malware operators then decided that the victim was a promising target, they removed Sunburst and replaced it with the more powerful Teardrop backdoor Trojan.

However, Symantec now reports that in some cases attackers have chosen to use Raindrop malware over Teardrop. Both backdoors have similar functionality and are characterized by researchers as a “downloader for the Cobalt Strike beacon”, that is, they were used by cybercriminals to expand access within the compromised network. However, Raindrop and Teardrop also have differences, which the researchers listed in the table below.

[Image: Raindrop malware for SolarWinds: comparison table of Raindrop and Teardrop]

The way malware was deployed was also different. For example, the widely used Teardrop backdoor was installed directly by the Sunburst malware, while Raindrop appeared mysteriously on victims’ systems where Sunburst was also installed, that is, experts have no direct evidence that Sunburst initiated its installation.

Earlier reports by specialists already mentioned that Sunburst was used to launch various fileless PowerShell payloads, many of which left almost no traces on infected hosts. It can be assumed that the mysterious “appearance” of Raindrop on victims’ systems was precisely the result of these operations.

Let me remind you that Google experts exposed a sophisticated hacking campaign against Windows and Android users.

Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack
https://gridinsoft.com/blogs/experts-discovered-solarleaks-website-with-data-stolen-in-a-recent-massive-hacker-attack/
Wed, 13 Jan 2021 16:32:49 +0000

The post Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack appeared first on Gridinsoft Blog.

Bleeping Computer reports the discovery of the SolarLeaks website (solarleaks[.]net), where unidentified individuals claim to be selling data allegedly stolen from SolarWinds, Microsoft, Cisco, and FireEye during a recent supply chain attack.

Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.

As a result, victims included major entities like Microsoft, Cisco, FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.

In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”

Now, the unknown individuals claim to be ready to sell the following stolen data:

  • $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
  • $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
  • $50,000: private red team FireEye tools, source codes, binaries, and documentation (39 MB);
  • $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).

The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators mimic the well-known hack group The Shadow Brokers, stating that initially, the stolen information will be sold in batches, and later, it will be freely published in the public domain.

It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced having no evidence of the theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check WHOIS information results in the message “You can get no info”.

[Image: Experts discovered the SolarLeaks website]

It remains unknown whether the site operators possess the data they claim to have, or if SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it was found to be nonexistent.


Microsoft says SolarWinds hackers hunted for access to cloud resources
https://gridinsoft.com/blogs/microsoft-says-solarwinds-hackers-hunted-for-access-to-cloud-resources/
Wed, 30 Dec 2020 16:40:02 +0000

The post Microsoft says SolarWinds hackers hunted for access to cloud resources appeared first on Gridinsoft Blog.

Microsoft continues to investigate the supply chain attack that SolarWinds and its customers have suffered this year. Microsoft analysts reported that SolarWinds hackers were hunting for access to cloud resources.

Let me remind you that unknown hackers attacked SolarWinds and infected its Orion platform with malware.

Among the victims were such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.

A new post on the Microsoft 365 Defender blog does not contain new technical details, but the experts write that they seem to have identified the ultimate goal of the hackers: after infiltrating companies’ networks using the SUNBURST (or Solorigate) backdoor, the hackers sought to gain access to the victims’ cloud resources.

[Image: SolarWinds hackers cloud resources]

“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.

With such a massive initial foothold, attackers could choose specific organizations in which they want to continue working (while others remained a fallback, available at any time, as long as the backdoor was installed and not detected),” the researchers write.

Microsoft experts note that the end goal of the hackers was apparently to forge SAML (Security Assertion Markup Language) tokens, that is, authentication tokens that grant access to cloud resources. In this way, the hackers were able to extract emails from the accounts of interest.

Microsoft detailed the tactics that the attackers used to gain access to their victims’ cloud resources:

  • using a compromised SolarWinds DLL to activate a backdoor that allowed remote control and operation of the device;
  • using the backdoor to steal credentials, escalate privileges and move laterally in order to create valid SAML tokens in one of two ways: stealing the SAML signing certificate, or adding or modifying existing federation trusts;
  • using the forged SAML tokens to access cloud resources and perform actions leading to the theft of emails and to retaining access to the cloud.

Let me also remind you that the SolarWinds hack allowed Russian attackers to infiltrate dozens of US Treasury Department mailboxes.

SolarWinds hack allowed Russian attackers to infiltrate dozens of US Treasury Department mailboxes
https://gridinsoft.com/blogs/solarwinds-hack-allowed-russian-attackers-to-infiltrated-dozens-of-us-treasury-department-mailboxes/
Thu, 24 Dec 2020 21:38:21 +0000

The post SolarWinds hack allowed Russian attackers to infiltrated dozens of US Treasury Department mailboxes appeared first on Gridinsoft Blog.

US Senator Ron Wyden, a member of the US Senate Finance Committee, said that the hackers behind the SolarWinds hack compromised dozens of US Treasury Department mailboxes.

The statement came after the Treasury Department and the IRS held a briefing with committee members regarding the attack on SolarWinds.

While no evidence has yet been found that the IRS itself or any taxpayer data has been compromised, the senator says that “the Treasury hack appears to be significant.”

“According to Treasury Department employees, there was a serious compromise in the organization, the depth of which is still unknown. Microsoft has notified the organization that dozens of email accounts have been hacked,” Wyden says.

Also, according to Wyden, the Treasury Department still does not know exactly what actions the hackers took or what information was stolen.

“I am extremely concerned about the breach at Treasury. Hackers accessed dozens of email accounts, and the full extent of the damage is still unknown. It’s time to become concerned about cybersecurity, and put an end to any plan that weakens encryption,” Wyden said on Twitter.

The statements were made the same day that Attorney General William P. Barr, at his last press conference before retiring, joined Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hack. The intrusion came through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and gave the hackers broad access to government and corporate systems.

Let me remind you that the compromise of SolarWinds, which develops software that helps enterprises manage their networks, systems and infrastructure, became known in mid-December. After infiltrating the SolarWinds network, the attackers planted a backdoor in Orion, its centralized monitoring and management platform.

It also became known that SolarWinds was hacked because its credentials were publicly available on GitHub.

To complicate matters, SolarWinds’ client list includes more than 400 of the largest US Fortune 500 companies, as well as many government agencies, banks, medical institutions and smaller businesses.

Microsoft: Supernova and CosmicGale malware detected on systems running SolarWinds
https://gridinsoft.com/blogs/microsoft-supernova-and-cosmicgale-malware-detected-on-systems-running-solarwinds/
Mon, 21 Dec 2020 16:45:48 +0000
Research continues into the large-scale supply chain attack in which attackers compromised SolarWinds and its Orion platform. Experts now appear to have discovered another hack group that used SolarWinds software to plant the Supernova and CosmicGale malware on corporate and government networks.

Let me remind you that the malware used in the original attack was codenamed SUNBURST (aka Solorigate). Microsoft, FireEye and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) almost immediately released detailed reports on this threat.

After infiltrating the victim’s network, SUNBURST contacted its operators and then downloaded a backdoor Trojan called Teardrop, which allowed the attackers to conduct human-operated, hands-on-keyboard attacks.

Supernova and CosmicGale malware in SolarWinds

However, reports from information security experts almost immediately mentioned two more payloads. For example, analysts from GuidePoint, Symantec and Palo Alto Networks described in detail how the attackers injected a .NET web shell called Supernova into infected networks.

“Hackers used Supernova to download, compile and execute a malicious PowerShell script (called CosmicGale),” the researchers suggested.

However, Microsoft experts now write that Supernova was part of a different attack and has nothing to do with the high-profile supply chain attack. According to a GitHub post by Microsoft analyst Nick Carr, the Supernova web shell was planted on poorly protected SolarWinds Orion installations that were vulnerable to CVE-2019-8917.

The confusion arose because, like Sunburst, Supernova was disguised as a DLL for the Orion application: Sunburst was hidden inside SolarWinds.Orion.Core.BusinessLayer.dll, and Supernova inside App_Web_logoimagehandler.ashx.b6031896.dll.

However, a Microsoft report released last week notes that, unlike the Sunburst DLL, the Supernova DLL was not signed with a legitimate SolarWinds certificate.

Such an oversight would be out of character for the original attackers, who have so far demonstrated considerable sophistication and attention to detail. Microsoft experts are therefore convinced that this malware has nothing to do with the original supply chain attack and belongs to a different hack group.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.
