Costin Raiu
21 Dec, 8 tweets, 3 min read
Cracking the Sunburst / Solorigate "do not infect" domain hashes, a thread 👉
In their comprehensive analysis of Sunburst / Solorigate, Microsoft highlights an interesting fact: that certain domains are excepted from further infection. microsoft.com/security/blog/…
To quote, "The domain must not contain certain strings; the check for these strings is implemented via hashes, so at this time the domain names that are block-listed are unknown[...] If any of these checks fail, the backdoor terminates"
Actually, @megabeets_ already cracked most of these hashes several days ago, pretty impressive job, btw! We implemented the modified FNV1a 64 algorithm as well and together with @2igosha, we cracked all the remaining ones.
Here's the full list of hashes and their associated domains which are skipped by the backdoor:
As Itay (@megabeets_) also pointed out, these are likely internal Solarwinds domain names, potentially associated with local offices or branches around the world.
If you read this thread to the end, then it's a good opportunity to remind you that tonight we are going to witness an incredible astronomical event known as the “great conjunction”: Saturn and Jupiter will appear just 0.1 degrees apart, the closest since 1623.
According to @campuscodi this astronomic event may also reveal who was behind the Solarwinds attack. As always, stay tuned :) 😇
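The recovery approach the thread describes, as an added example that is not the authors' code: compute the modified FNV-1a 64 hash of every candidate domain from a wordlist and match it against the backdoor's "do not infect" hash list. The XOR constant that makes the backdoor's variant differ from standard FNV-1a is not quoted in the thread, so it is left as a labelled placeholder; the blocklist domains and wordlist below are constructed for the demo.

```python
"""Dictionary recovery of hash-blocklisted domain names (added example)."""
from typing import Dict, Iterable

FNV_OFFSET_BASIS = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# PLACEHOLDER: the backdoor XORs the FNV-1a result with a sample-specific
# constant that this thread does not quote. Substitute the value from the
# analysed sample here; with 0 the function is plain FNV-1a 64.
XOR_KEY_PLACEHOLDER = 0x0


def fnv1a64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK64
    return h


def domain_hash(domain: str, xor_key: int = XOR_KEY_PLACEHOLDER) -> int:
    """Modified FNV-1a over the lower-cased domain. The XOR tweak means
    precomputed tables for standard FNV-1a will not match these hashes."""
    return fnv1a64(domain.lower().encode("ascii")) ^ xor_key


def crack(targets: Iterable[int], candidates: Iterable[str],
          xor_key: int = XOR_KEY_PLACEHOLDER) -> Dict[int, str]:
    """Return {hash: domain} for every candidate whose hash is in targets.
    One pass over the wordlist; a set makes each lookup O(1)."""
    wanted = set(targets)
    found: Dict[int, str] = {}
    for cand in candidates:
        h = domain_hash(cand, xor_key)
        if h in wanted:
            found[h] = cand.lower()
    return found


# Constructed demo data: a made-up blocklist and a wordlist that covers it.
DEMO_BLOCKLIST_DOMAINS = ["corp.example", "lab.example.test", "branch-eu.example"]
CONSTRUCTED_HASHES = [domain_hash(d) for d in DEMO_BLOCKLIST_DOMAINS]
CONSTRUCTED_WORDLIST = ["example.com", "CORP.example", "lab.example.test",
                        "office.example", "branch-eu.example"]

if __name__ == "__main__":
    for h, d in crack(CONSTRUCTED_HASHES, CONSTRUCTED_WORDLIST).items():
        print(f"{h:016x} -> {d}")
```

Hashes with no match after the wordlist is exhausted are exactly the ones that need a better candidate generator (internal naming conventions, office locations), which is the part of the work the thread credits to the joint effort.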