Let me remind you that this story began back in February 2022, when an anonymous information security researcher who had access to the infrastructure of hackers (according to other sources, this was a Ukrainian member of the hack group itself) decided to take revenge on Conti. The fact is that the group announced that, in the light of the “special military operation” in Ukraine, it fully supports the actions of the Russian government.

As a result, all internal hacker chats over the past year were first released to the public (339 JSON files, each of which is a log for a single day), and then another portion of the logs was published (another 148 JSON files containing 107,000 internal grouping messages) and other data related to Conti, including control panel source code, BazarBackdoor API, old ransomware source code, server screenshots, and more. These leaks were followed by another, with more recent sources of the Conti malware.

According to Bleeping Computer, a hack group NB65 has already adapted the Conti sources and is attacking Russian organizations. According to the publication, NB65 has been hacking into Russian organizations for the past month, stealing data and leaking it to the network. At the same time, the hackers claimed that the attacks were connected with a “special operation” in Ukraine.

For example, in March, a hack group claimed that it had already compromised the Tenzor IT company, Roscosmos, and VGTRK. For example, hackers wrote that they had stolen 786.2 GB of data from VGTRK, including 900,000 emails and 4,000 other files, which were eventually published on the DDoS Secrets website.

Now, NB65 has switched to using ransomware, creating its own malware based on the Conti source codes, a sample of which was found on VirusTotal. It turned out that almost all security solutions identify this threat as Conti, but Intezer Analyze calculated that the malware uses only 66% of the same code.

Journalists who have been able to talk to the hackers, report that they created malware based on the first Conti source leak, but modify the malware for each victim so that existing decryptors do not work. Also, representatives of NB65 assured the publication that they support Ukraine and will attack Russian companies, including those owned by private individuals, up to the cessation of all military actions.

Let me remind you that we also wrote that the Russian Aviation agency switched to paper documents due to a hacker attack.

The post Leaked Conti ransomware source codes were used to attack Russian authorities appeared first on Gridinsoft Blog.

Most of them start off by exploiting the CVE-2021-35211 bug in Serv-U Managed File Transfer and Serv-U Secure FTP. This issue allows a remote attacker to execute commands with elevated privileges on the affected server.

SolarWinds fixed this bug back in July 2021, after discovering the “only attacker” who used this vulnerability in attacks. Then the company warned that the vulnerability affects only clients who have enabled the SSH function, and disabling SSH prevents the exploitation of the bug.

As the NCC Group now reports, Clop operators have also begun to exploit the vulnerability in their attacks, although they typically relied on explanting 0-day issues in Accellion and phishing emails with malicious attachments. Now attackers use Serv-U to launch a subprocess under their control, which allows them to run commands on the target system. This paves the way for malware deployment, network reconnaissance, and lateral movement, creating a solid platform for ransomware attacks.

Certain errors in the Serv-U logs are a characteristic sign of exploitation of this vulnerability. So, the error should look like the following line:

‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’

Another sign of exploitation of the bug are traces of the PowerShell command used to deploy Cobalt Strike beacons on the affected system.

The NCC Group has published a system administrator checklist that can check systems for signs of compromise:

• check if your Serv-U version is vulnerable;
• find the DebugSocketlog.txt file for Serv-U;
• Look for entries such as ‘EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive();’;
• check event ID 4104 in the Windows event logs for the date and time of the exception error, and look for suspicious PowerShell commands.
• check for the captured scheduled RegIdleBackup task;
• CLSID in COM should not be set to {CA767AA8-9157-4604-B64B-40747123D5F2};
• If the task contains a different CLSID: check the contents of the CLSID objects in the registry, the returned Base64 strings could be an indicator of compromise.

The researchers note that most of the vulnerable Serv-U FTP systems are in China and the United States.

Let me remind you that I wrote that the Cyber police of Ukraine arrested persons linked with the Clop ransomware, but also that Clop ransomware continues to work even after a series of arrests.

The post Clop ransomware exploits vulnerability in SolarWinds Serv-U appeared first on Gridinsoft Blog.

EBA launched an investigation of the incident in partnership with its information and communications technology provider, a group of information security experts and other relevant organizations.

The EBA also said the experts secured the email infrastructure and found no evidence of data theft.

This incident is a consequence of an ongoing large-scale campaign to exploit vulnerabilities in Microsoft Exchange mail servers.

We will remind that last week Microsoft released emergency security updates for its mail server Exchange, fixing four zero-day vulnerabilities, which are actively used by Chinese hackers.

According to experts, attacks using vulnerabilities in Microsoft Exchange could affect more than 60 thousand organizations around the world. Regarding this, the Bloomberg publication predicts a new global cybersecurity crisis.

According to a former senior U.S. official familiar with the investigation, the attack began with a hacker group backed by the Chinese government.

Initially, Chinese hackers appeared to be targeting important intelligence aims in the United States. About a week ago, everything changed. Other hacker groups began hitting thousands of victims in a short period of time by introducing hidden software that could give them access to companies’ mail.

Either way, the attacks were so successful – and so quick – that hackers seem to have found a way to automate the process.

The post Hackers attacked Microsoft Exchange servers of the European Banking Authority appeared first on Gridinsoft Blog.

Let me remind you that Microsoft acknowledged the fact of compromise back in December 2020, when it became clear that the company was using versions of the Orion platform, manufactured by SolarWinds and infected by cybercriminals. This allowed hackers to gain access to some source codes.

When hackers were disabled, they continued to try to log into the company’s systems throughout December and even in early January 2021. That is, the activity of the attackers continued even several weeks after the SolarWinds hack became known, and even after Microsoft officially announced that it was investigating the incident.

The company assures that hackers did not get access to all repositories of any particular product or service, and also did not get to the bulk of the source code. Instead, according to the manufacturer, the attackers were able to view “only a few individual files […] as a result of searching the repository.”

Moreover, judging by the search queries, the hackers were not interested in the source code itself, but looked for API keys, credentials, and tokens that would help them penetrate other Microsoft systems. However, these attempts were unsuccessful, as the company’s development policy prohibits the use of secrets in the code, and for this, regular automated checks are carried out.

In the end, the attackers still managed to steal the source code, but these were only the source code for several components associated with the company’s cloud products. Thus, the compromised repositories contained:

• a small portion of Azure components;
• a small portion of Intune components.
• a small part of Exchange components.

Microsoft representatives summarize that this leak will not affect the company’s products in any way, and the incident did not allow hackers to gain wide access to user data.

As a reminder, Microsoft says SolarWinds hackers hunted for access to cloud resources.

The post Microsoft: SolarWinds Hackers Stole Source Codes of Azure, Exchange and Intune Components appeared first on Gridinsoft Blog.

At the same time, Smith says that the attackers rewrote only 4032 lines of code in Orion, which contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers, according to official figures.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but much more specialists “worked” on the side of the attackers:

Since the attack is attributed to a Russian-speaking hack group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to large-scale attacks on Ukraine, which are also attributed to Russia (although the Russian Federation authorities deny their involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and explained the recent events.

As it turned out, a compromise was discovered in FireEye almost by accident. The fact is that to remotely log into a company’s VPN, employees need a two-factor authentication code, and their accounts are tied to phone numbers. The FireEye security service accidentally noticed that one of the employees linked two phone numbers to his account.

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

The post Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack appeared first on Gridinsoft Blog.

According to the researchers, Raindrop was used by cybercriminals in the last stages of the attack and was deployed only on the networks of a few selected targets (only four malware samples were found).

Let me remind you that SolarWinds, which develops software for enterprises to help manage their networks, systems and infrastructure, was hacked in mid-2019, and this attack on the supply chain is attributed to an allegedly Russian-speaking hack group, which information security experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye) and Dark Halo (Volexity).

Among the victims are such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the US Department of State and the National Nuclear Safety Administration.

Microsoft researchers also reported that Supernova and CosmicGale malware detected on systems running SolarWinds.

Additionally, as it became known earlier from reports of other information security experts, the attackers first deployed the Sunspot malware on the SolarWinds network.

CrowdStrike analysts wrote that this malware was used to inject the Sunburst backdoor into Orion code. The infected versions of Orion went undetected and were active between March and June 2020, while Orion user companies were compromised. According to official figures, among 300,000 SolarWinds customers only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers’ machines. At the same time, the hackers developed their attack further only in rare cases, carefully choosing large targets among the victims.

Sunburst itself was not particularly important, it only collected information about the infected network and transmitted this data to a remote server. If, finally, the malware operators decided that the victim was a promising target for the attack, they removed Sunburst and replaced it with the more powerful Teardrop backdoor Trojan.

However, Symantec now reports that in some cases attackers have chosen to use Raindrop malware over Teardrop. Both backdoors have similar functionality and are characterized by researchers as a “downloader for the Cobalt Strike beacon”, that is, they were used by cybercriminals to expand access within the compromised network. However, Raindrop and Teardrop also have differences, which the researchers listed in the table below.

The way malware was deployed was also different. For example, the widely used Teardrop backdoor was installed directly by the Sunburst malware, while Raindrop appeared mysteriously on victims’ systems where Sunburst was also installed, that is, experts have no direct evidence that Sunburst initiated its installation.

It must be said that earlier in the reports of specialists it was already mentioned that Sunburst was used to launch various fileless PowerShell payloads, many of which left almost no traces on infected hosts. It can be assumed that the mysterious “appearance” of Raindrop in the systems of victims was exactly the result of these operations.

Let me remind you that Google experts exposed sophisticated hacking campaign against Windows and Android users.

The post Raindrop is another malware detected during the SolarWinds hack appeared first on Gridinsoft Blog.

Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.

As a result, victims included major entities like Microsoft, Cisco, FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.

In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”

Now, the unknown individuals claim to be ready to sell the following stolen data:

• $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
• $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
• $50,000: private red team FireEye tools, source codes, binaries, and documentation (39 MB);
• $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).

The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators mimic the well-known hack group The Shadow Brokers, stating that initially, the stolen information will be sold in batches, and later, it will be freely published in the public domain.

It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced having no evidence of the theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check WHOIS information results in the message “You can get no info”.

It remains unknown whether the site operators possess the data they claim to have, or if SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it was found to be nonexistent.

The post Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack appeared first on Gridinsoft Blog.

Let me remind you that unknown hackers attacked SolarWinds and infected its Orion platform with malware.

Among the victims were such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.

A new blog post on Microsoft 365 Defender does not contain new technical details, but experts write that they seem to have identified the ultimate goal of the hackers: after infiltrating companies ‘networks using the SUNBURST (or Solorigate) backdoor, hackers sought to gain access to victims’ cloud resources.

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.

Microsoft experts note that the end goal of the hackers, apparently, was the creation of SAML (Security Assertion Markup Language) tokens in order to forge authentication tokens that provide access to cloud resources. Thus, hackers were able to extract emails from the accounts of interest.

Microsoft detailed the tactics that attackers used to gain access to cloud resources of their victims:

• Using a compromised SolarWinds DLL to activate a backdoor that allowed remote control and operation of the device;
• Using a backdoor to steal credentials, escalate privileges, and sideways to create valid SAML tokens in one of two ways: steal the SAML signing certificate, add or modify existing federation trusts.
• Using generated SAML tokens to access cloud resources and perform actions leading to theft of emails and retain access to the cloud.

Let me also remind you that SolarWinds hack allowed Russian attackers to infiltrated dozens of US Treasury Department mailboxes.

The post Microsoft says SolarWinds hackers hunted for access to cloud resources appeared first on Gridinsoft Blog.

The statement came after the Treasury Department and the IRS held a briefing with committee members regarding the attack on SolarWinds.

While has yet been found no evidence that the IRS itself or any taxpayer data has been compromised, the senator says that “the Treasury hack appears to be significant.”

Also, according to Weiden, the Ministry of Finance still does not know exactly what actions the hackers took, and what information was stolen.

The statements were made the same day that Attorney General William P. Barr joined Secretary of State Mike Pompeo in his last press conference before retiring, claiming Moscow was almost certainly behind the hack. The invasion went through a commercial network management software package created by SolarWinds, a company based in Austin, Texas, and gave hackers wide access to government and corporate systems.

Let me remind you that the compromise of SolarWinds, which develops software for enterprises to help manage their networks, systems and infrastructure, became known in mid-December. After infiltrating the SolarWinds network, the attackers provided Orion’s centralized monitoring and control platform with a backdoor.

It also became known that SolarWinds was hacked because its credentials were publicly available on GitHub.

To complicate matters, SolarWinds’ client list includes more than 400 of the largest US Fortune 500 companies, as well as many government agencies, banks, medical institutions and smaller businesses.

The post SolarWinds hack allowed Russian attackers to infiltrated dozens of US Treasury Department mailboxes appeared first on Gridinsoft Blog.

Let me remind you that the malware used in the original attack was codenamed SUNBURST (aka Solorigate). Microsoft, FireEye and the Department of Homeland Security’s Cybersecurity and Infrastructure Protection Agency (DHS CISA) almost immediately released detailed reports on this threat.

After infiltrating the victim’s network, SUNBURST sent a request to its creators and then downloaded a backdoor Trojan called Teardrop, which allowed attackers to launch hands-on-keyboard attacks that are human-controlled.

However, almost immediately in the reports of information security experts were metioned two more payloads. For example, analysts from Guidepoint, Symantec, and Palo Alto Networks describe in detail that cybercriminals injected a web shell called Supernova into infected .NET networks.

However, Microsoft experts now write that Supernova was part of another attack and has nothing to do with the sensational attack on the supply chain. So, according to a post on GitHub published by Microsoft analyst Nick Carr, the Supernova web shell was embedded in poorly protected SolarWinds Orion installations, which were vulnerable to the CVE-2019-8917 issue.

The confusion arose from the fact that, like Sunburst, Supernova was disguised as a DLL for the Orion application: Sunburst was hidden inside the SolarWinds.Orion.Core.BusinessLayer.dll file, and Supernova was inside App_Web_logoimagehandler.ashx.b6031896.dll.

However, a Microsoft report released last week argues that unlike the Sunburst DLL, the Supernova DLL file was not signed with a legitimate SolarWinds certificate.

This is hardly the fault of the attackers, who have demonstrated a fair amount of sophistication and attention to detail so far. As a result, Microsoft experts are convinced that this malware has nothing to do with the original attack on the supply chain and generally belongs to another hack group.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.

The post Microsoft: Supernova and CosmicGale malware detected on systems running SolarWinds appeared first on Gridinsoft Blog.