Discover and read the best of Twitter Threads about #Sunburst

Most recent (18)

1/ Solving the root cause of #GoldenSAML attacks, recently used in #Sunburst attacks.
Don't scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo
2/ Advanced attackers (#APT) steal long term secrets ("the stamp") that allow them to issue access tokens and thus access all services in victims' environment, bypassing all security, including multi-factor auth (#MFA, #2FA)
3/ @CISAgov recommends protecting such secrets with hardware (HSM), but this solution is not always feasible, does not scale well and is susceptible to vulnerabilities especially when facing #APT attackers (hence: "aggressively updated")
media.defense.gov/2020/Dec/17/20…
Read 8 tweets
Abusing #ADFS for #GoldenSAML attack, heavily used by #Sunburst attackers.
To get context, see the fabulous '19 talk @WEareTROOPERS by @doughsec @BakedSec of @Mandiant @FireEye (the irony..)
Read 4 tweets
As part of our commitment to keeping our customers/community protected & informed, we are releasing a blog that shines light on transition between Stage 1 and 2 of #Solorigate/#SUNBURST campaign, custom Cobalt Strike loaders, post-exploit. artifacts, IOCs: microsoft.com/security/blog/…
Here are some highlights:
The missing link between the Solorigate backdoor and the custom #CobaltStrike loaders observed during the #Solorigate is an Image File Execution Options (IFEO) Debugger registry value created for the legitimate process dllhost.exe (ATT&CK ID: T1546.012).
Once the registry value is created, the attackers wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped by the SolarWinds backdoor (Stage 1).
Read 21 tweets
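The thread above describes the Stage 1 to Stage 2 hand-off: an Image File Execution Options (IFEO) Debugger value registered for dllhost.exe, so that a natural launch of dllhost.exe instead starts wscript.exe with the dropped VBScript. The following is an added example of how a defender can audit for that pattern offline; it is not Microsoft's code or the thread author's. It parses a `.reg` export of the IFEO hive (the export text, the dropped-script path and the `KNOWN_DEBUGGERS` allowlist are all constructed for illustration) and flags any image whose Debugger value is not a recognised debugger.

```python
import re

# Added example: audit an exported IFEO registry hive for Debugger values.
# The sample export below is CONSTRUCTED; the dllhost.exe entry mirrors the
# pattern described in the thread (T1546.012), the notepad.exe entry is a
# benign developer setting included so the allowlist has something to pass.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe]
"Debugger"="wscript.exe C:\\constructed\\dropped.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Tools\\vsjitdebugger.exe\""
"GlobalFlag"=dword:00000000
'''

IFEO_MARKER = "\\image file execution options\\"

# Assumption: an illustrative allowlist of debuggers an organisation expects
# to see behind IFEO; tune to the environment.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Minimal .reg reader: yields (key_path, value_name, string_data).
    Non-string values (dword:, hex:) are ignored; they are not needed here."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape_reg(m.group(1)), unescape_reg(m.group(2))


def find_ifeo_debuggers(text: str):
    """Return [(image_name, debugger_command)] for every IFEO Debugger value."""
    found = []
    for key, name, data in parse_reg_export(text):
        if IFEO_MARKER in key.lower() and name.lower() == "debugger":
            found.append((key.rsplit("\\", 1)[1].lower(), data))
    return found


def debugger_basename(command: str) -> str:
    """Executable name from a Debugger command (quoted path or first token)."""
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def flag_unexpected(findings):
    """Keep only entries whose debugger is not on the allowlist; these are the
    ones an analyst should look at, e.g. a script host registered as a
    'debugger' for a system binary."""
    return [(img, cmd) for img, cmd in findings
            if debugger_basename(cmd) not in KNOWN_DEBUGGERS]


if __name__ == "__main__":
    for image, command in flag_unexpected(find_ifeo_debuggers(SAMPLE_REG)):
        print(f"SUSPICIOUS IFEO Debugger for {image}: {command}")
```

On a live host the same check can be run against the key directly (for example with Python's `winreg` module or `reg export`), but taking the export as text keeps the logic testable offline and usable over collected forensic artefacts.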
I've said from day one that the injection of the non-malicious code back in 2019 was a dry run to see if the dll would build and not throw any red flags. What I didn't know is that the dll was also inflated in size to allow for additional code to be inserted at a later date.
The immediate attribution to RU especially APT29 was always questionable IMHO. Especially when you see the same exact players in the media parroting it from the rooftops in record time...
Read 5 tweets
1/ could it be that #SUNBURST introduced #SUPERNOVA, but only to victims of interest (not the whole 18K)?
Abusing #Solarwinds Orion vulns with #SUPERNOVA, attackers can bypass auth and get access to Orion.
From there they get access to cloud cert to Sign #GoldenSAML
2/ If so this explains a lot:
It means no mysterious second actor as originally claimed by Microsoft, reducing the complexity of this story
microsoft.com/security/blog/…
3/ it explains why the #SUPERNOVA webshell was not signed (because it's not part of the backdoor payload, but introduced later)
And finally, it tightly connects the method of entry to the #GoldenSAML post exploitation.
Read 3 tweets
The #sunburst case is interesting and demonstrates how threat actors can rely on evasion techniques or defense evasion to spy on or cause damage. #UnprotectProject Thread 👇
First of all, the use of the supply chain attack made the attack super stealthy and difficult to detect. This is another red flag to increase and improve trust with partners and suppliers, although it is difficult to resolve.
#Sunburst uses the TrackProcesses() function to verify blacklisted processes and services. If an item in the blacklist is found, the loop is terminated.
Read 7 tweets
Anyway, my last thread about how shitty it is to be going through burnout got next to no reactions (it was my second one, so that's motivating too). Now I'll tell you something more interesting. It's from the field of cyber security, so get comfortable. This is going to be a thread.
Continuing my slide downhill and having finally made it to the weekend, today I decided to fight fire with fire and read about IT folks who screw up way worse than I do. So that my own problems would look like a fly speck by comparison. The timing for that couldn't be better :)
I think everyone has heard that somebody hacked a shitload of companies around the world, that Pompeo already declared this Friday that it was Russia, while grandpa Donald, as he has consistently done for all 4 years of his presidency, kept his tongue firmly up his own ass. So yeah, this is that.
Read 28 tweets
THREAD | A groundbreaking espionage operation targeting USG, the #Sunburst incident was also a software supply chain compromise similar to 31 attacks observed since 2010. Using our Breaking Trust report @Cyberstatecraft walks through the incident. 1/16

atlanticcouncil.org/in-depth-resea…
COMPROMISE BUILD: Malicious code inserted into a SolarWinds software library compromised the Orion software in development. Here, we track the compromise along a visualization of 115 software supply chain attacks and vulnerability disclosures since 2010. 2/16
Direct comparisons to 2015 Kingslayer, 2017 NotPetya, and 2018 Webmin, where attackers went stealth, seeding malware into administrative and security tools later distributed through trusted update channels. 3/16

comsecglobal.com/kingslayer-a-s…
Read 18 tweets
No DNS logs?

Next best activity indicator seems to be file-write events to `SolarWinds.Orion.Core.BusinessLayer.dll.config` (used to track detection and modification of forensic/anti-tamper services)

... but you probably don't track those either 😉 #SolarWinds #SUNBURST
Couple of colleagues also reported seeing reports that the config file should contain a setting keyed `ReportStatus`.

Looking at the March sample (32519b85..107d6c77), this is NOT true: the key names in the file on disk start with `ReportWatcher`, not `ReportStatus`
Something I haven't seen elsewhere:
When the main loop enters a state of `Truncate` (ReportWatcherRetry=3 on disk), it breaks the current run. FireEye previously reported that subsequent frequency of reactivation was unclear.

The default update interval is 24h
Read 14 tweets
The attackers behind the #SUNBURST malware put a lot of effort into trying to avoid detection by analysts and security vendors. Not only this, but they also tried to make sure to stay under the radar of #SolarWinds developers and employees. A thread >>
When brute-forcing the FNV-1a hashes embedded in #SUNBURST, I noticed that some of the cracked strings look like domain names of #SolarWinds internal networks across the globe. If the domain of the infected computer ends with one of these names, the malware would not run >>
In addition to this, the #SUNBURST malware will match the domain name of the infected machine against two regular-expression patterns of "solarwinds" and "test" network domain names. >>
Read 5 tweets
#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇
The hashing function, FNV1A, isn't one I'm familiar with, but it seems pretty straightforward to understand
FireEye did a great job in brute-forcing many of the hardcoded hashes and identified a big list of security tools that the malware is checking for.

github.com/fireeye/sunbur…
Read 8 tweets
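Both this thread and the one before it describe the same mechanism: the backdoor lowercases a process, service or domain name, hashes it with FNV-1a, and compares the result against hardcoded values, which is why analysts had to brute-force the constants to learn what the blocklist contains. The following is an added example, not code from either thread or from FireEye's repository, showing the 64-bit FNV-1a function and the analyst-side dictionary match that recovers names from a list of hashes. All target hashes below are constructed by hashing made-up names; none are the sample's real constants. If a particular sample post-processes the raw hash, that step can be supplied through the `transform` hook (an assumption of this example, not a documented parameter of anything).

```python
# Added example: FNV-1a (64-bit) over lowercase names, plus a wordlist match
# that explains hardcoded hashes. TARGETS and WORDLIST are CONSTRUCTED.

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a, 64-bit: XOR each byte into the state, then multiply by
    the FNV prime, truncating to 64 bits."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def name_hash(name: str, transform=lambda h: h) -> int:
    """Hash a name the way the thread describes: lowercase first, then FNV-1a.
    `transform` is a hook (assumption) for any post-processing a given sample
    applies to the raw hash; identity by default."""
    return transform(fnv1a64(name.lower().encode("utf-8")))


def match_hashes(targets, candidates, transform=lambda h: h):
    """Analyst-side dictionary match: hash every candidate name once, then
    look each hardcoded target up. Returns {hash: name} for the targets the
    wordlist explains; unexplained hashes are simply absent."""
    table = {name_hash(c, transform): c.lower() for c in candidates}
    return {t: table[t] for t in targets if t in table}


# Constructed wordlist of process names an analyst might try (fictional tools).
WORDLIST = ["ExampleAV.exe", "SampleEDRAgent", "acme-sensor.exe", "notepad.exe"]

# Constructed "hardcoded" hash list: two explained by the wordlist, one not.
TARGETS = [
    name_hash("exampleav.exe"),
    name_hash("acme-sensor.exe"),
    0xDEADBEEFDEADBEEF,  # placeholder for a hash the wordlist does not cover
]

if __name__ == "__main__":
    for h, name in match_hashes(TARGETS, WORDLIST).items():
        print(f"{h:016x} -> {name}")
```

Because lowercasing happens before hashing, `NotePad.EXE` and `notepad.exe` collapse to the same value, which is the property a defender relies on when building the wordlist: only one casing per name needs to be tried.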
LOTS of folks asked me about the sophistication of these attacks, the response actions I expect will happen, and the always fun attribution. This thread will cover those topics. (cue scary political hacker image)
Starting w/the #SUNBURST backdoor, the actor's approach to hiding source code in plain sight was simple/classy. They studied Orion's code and naming conventions to make sure even SolarWinds devs would not take immediate notice. OrionImprovementBusinessLayer does not stand out.
The malicious methods are PascalCase and also start with familiar verb prefixes like Get* and Is*.
Read 7 tweets
Was just shown the SolarWinds.Orion.Core.BusinessLayer.dll is included in n-Central's Probe installer by @KelvinTegelaar. WindowsProbeSetup.exe is signed by the same certificate. However the DLL backdoored with #SUNBURST is not signed and appears to be a 2014 version. #Looking
The unsigned SolarWinds.Orion.Core.BusinessLayer.dll binary from my copy of the Windows probe installer had hash B9CE678F9DAF32C526211EDEA88B5EC104538C75FAD13767EA44309E9F81DBFC. No OrionImprovementBusinessLayer class within this version (comparison screens attached).
The default installation directory for this binary is "C:\Program Files (x86)\N-able Technologies\Windows Software Probe\bin". Going to have the team do a quick survey across all hosts to see if anything shakes up. Will report back what we find (hoping nothing 😅)
Read 7 tweets
One of the anomalous #SUNBURST DLLs from October 2019 that Microsoft highlighted can be found in the SolarWinds Coreinstall.msi for 2019.4.5220.20161 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi
Malicious #SUNBURST DLL CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6 from May 2020 can be found in CoreInstaller.msi for 2020.2.5320.27438 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi
Malicious #SUNBURST DLL 019085A76BA7126FFF22770D71BD901C325FC68AC55AA743327984E89F4B0134 from April 2020 can be found in CoreInstaller.msi for 2020.2.5220.27327 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2020.2/2020.2.5220.27327/CoreInstaller.msi
Read 6 tweets
⚠️URGENT⚠️

Hackers exploit #Solorigate supply-chain backdoor in #SolarWinds enterprise monitoring software to breach US Treasury, Commerce Department, other government agencies, and cybersecurity firm #FireEye.

Details: thehackernews.com/2020/12/us-age…

#infosec #cybersecurity #sysadmin
Citing unnamed sources, media said the latest cyberattacks against #FireEye and U.S. government agencies were the work of Russian state-sponsored #APT29 or Cozy Bear #hacking group.
According to FireEye, attackers tampered with a #software update released by #SolarWinds, which eventually led to the compromise of numerous public and private organizations around the world with #SUNBURST backdoor.

thehackernews.com/2020/12/us-age…

#infosecurity
Read 4 tweets
FLASH: "Emergency Directive 21-01 calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."-@CISAgov Read more: cisa.gov/news/2020/12/1…
CONTD: @CISAgov is responding to an exploit of Federally operated @solarwinds Orion products by malicious actors. They Issued an Emergency Directive to federal civilian agencies to review networks & DISCONNECT OR POWER DOWN ALL SOLARWINDS ORION PRODUCTS NOW!
CONTD: @FireEye discovered an attack trojanizing @solarwinds Orion biz software distributing malware named #SUNBURST.
The attackers use multiple techniques to evade detection/obscure activity. The campaign is widespread affecting public & private organizations around the world.
Read 11 tweets
Only 1 / 67 antivirus engines list SUNBURST backdoor as malicious - SolarWinds.Orion.Core.BusinessLayer.dll virustotal.com/gui/file/32519… #SUNBURST #UNC2452
SolarWinds' digital certificate hasn't been revoked yet.
The full compromised package is still being hosted online as well 😓 hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp
Read 16 tweets