New details about the SolarWinds attack are disclosed

While it is obvious that the threat actors behind the SolarWinds attack are highly skilled, the cybersecurity community had not been able to define their attack methods in detail, at least until now. In a recent report, Microsoft's security teams detailed some of the techniques these hackers used to persist on affected systems without attracting the attention of security tools, a key factor in the success of this campaign.

Although the Sunburst and Solorigate malware variants were detected in late 2020, in recent weeks it was revealed that the operators of this attack had injected the Sunspot malware into compromised systems as early as September 2019, the point at which the attack on SolarWinds' networks began.


Experts mention that Sunburst was injected into the SolarWinds Orion monitoring software to implant a backdoor on the networks that used this tool. Many of these payloads included custom loaders for the Cobalt Strike kit, among them Teardrop: “An undefined stage of attack was the passage from backdoor to Cobalt Strike loader. We found that the hackers showed a special approach to making sure the components didn’t have apparent connections, to avoid detection,” Microsoft’s report says.

Microsoft researchers mention that the threat actors removed the Sunburst backdoor in June 2020, after distributing it during March 2020 and testing it in real-world environments between May and June 2020. The report also mentions that the attackers spent more than a month narrowing down their potential victims and preparing their C&C infrastructure: “Although the malware would have been injected into up to 18,000 corporate and government networks, the hackers’ practical activities were critical to the commitment of their main goals,” the report adds.

In addition, the attackers attempted to separate the execution of the Cobalt Strike loader from the SolarWinds process to ensure a successful infection: “Hackers expected that, should Cobalt Strike be detected and eliminated, the compromised SolarWinds binary would remain active.”

The hackers prepared the Cobalt Strike implants in a customized way for each machine, avoiding overlapping folder names, file names, HTTP requests, timestamps and other indicators of compromise, Microsoft concludes. The attack on SolarWinds continues to prove to be a highly sophisticated exploitation campaign, so specialists believe this is unlikely to be the last report to contain new details about it. Experts anticipate that these reports will help organizations better understand this incident and prevent it from happening again in the future.