Cracking the Sunburst / Solorigate "do not infect" domain hashes, a thread 👉
In their comprehensive analysis of Sunburst / Solorigate, Microsoft highlights an interesting fact: that certain domains are excepted from further infection. microsoft.com/security/blog/…
To quote, "The domain must not contain certain strings; the check for these strings is implemented via hashes, so at this time the domain names that are block-listed are unknown[...] If any of these checks fail, the backdoor terminates"
Actually, @megabeets_ already cracked most of these hashes several days ago, a pretty impressive job, btw! We implemented the modified FNV-1a 64 algorithm as well and together with @2igosha, we cracked all the remaining ones.
Here's the full list of hashes and their associated domains which are skipped by the backdoor:
As Itay (@megabeets_) also pointed out, these are likely internal Solarwinds domain names, potentially associated with local offices or branches around the world.
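For readers who want to reproduce the cracking described above, here is an added example (not code from the thread or its authors) of the modified FNV-1a 64 string hash SUNBURST uses for its blocklist comparison, together with a wordlist-matching helper. The FNV-1a constants are the standard ones; the final XOR constant is taken from public decompilations of the sample rather than from this thread, so treat it as an assumption, and the domain names and hashes in the demo are constructed, not the real blocklist values.

```python
# Added example: SUNBURST-style "modified FNV-1a 64" hash and a wordlist matcher.
from typing import Dict, Iterable, Set

FNV64_OFFSET = 14695981039346656037   # standard FNV-1a 64 offset basis
FNV64_PRIME = 1099511628211           # standard FNV-1a 64 prime
SUNBURST_XOR = 6605813339339102567    # final XOR applied by the backdoor (assumed, from public decompilations)
MASK64 = (1 << 64) - 1


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a 64: XOR each byte into the state, then multiply by the prime (mod 2^64)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(s: str) -> int:
    """SUNBURST variant: FNV-1a 64 over the UTF-8 bytes of the string, then XOR with a fixed constant.

    The XOR step is why off-the-shelf FNV-1a tooling does not match the malware's hashes directly.
    """
    return fnv1a64(s.encode("utf-8")) ^ SUNBURST_XOR


def match_hashes(targets: Set[int], candidates: Iterable[str]) -> Dict[int, str]:
    """Dictionary attack on a blocklist: hash every candidate and report the ones found in `targets`.

    Returns a mapping of recovered hash -> plaintext; stops early once every target is matched.
    """
    found: Dict[int, str] = {}
    for cand in candidates:
        h = sunburst_hash(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    # Constructed demo data: two made-up internal domain names and a small wordlist.
    blocklist = {sunburst_hash("corp.example"), sunburst_hash("lab.example")}
    wordlist = ["dev.example", "corp.example", "qa.example", "lab.example"]
    for h, name in match_hashes(blocklist, wordlist).items():
        print(f"0x{h:016X} -> {name}")
```

In practice the candidate list would be built from naming patterns seen in the target environment (site codes, lab names, internal TLDs), which is what makes the remaining hashes crackable at all.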
If you read this thread to the end, then it's a good opportunity to remind you that tonight we are going to witness an incredible astronomical event known as the “great conjunction”: Saturn and Jupiter will appear just 0.1 degrees apart, the closest since 1623.
According to @campuscodi this astronomical event may also reveal who was behind the Solarwinds attack. As always, stay tuned :) 😇
2/10 First of all, some reports are talking about the fact that unlike the SUNBURST DLL, SUPERNOVA is not signed. This is not entirely accurate. Here's a signed SUPERNOVA sample: 2abd33b8e5bc1948ddb0f9e1deb5cbc8
3/10 This sample is signed by a digital cert with the serial 0fe973752022a606adf2a36e345dc0ed, CN = Solarwinds Worldwide, LLC. The cert is issued by Symantec Class 3 SHA256 Code Signing CA.
4/10 The SUNBURST sample b91ce2fa41029f6955bff20079468448 is also signed with a digital cert, serial 0fe973752022a606adf2a36e345dc0ed (the same). This is the same cert as the one used to sign the SUPERNOVA sample.
Today, Singapore gov published a large, thorough, 450+ page analysis report on the Health Services Private Ltd hack. Here's a summary analysis highlighting the most interesting findings. The full report is available at: mci.gov.sg/coireport
The attackers breached Singapore Health Services through a vulnerability in Outlook. Although a patch was available, the systems were not updated. As a side note, it is quite rare that we see attackers exploiting vulnerabilities in Outlook.
Once on the host, the attackers collected passwords and began moving laterally. Some of the passwords were weak and their hashes easily crackable by tools such as @hashcat. Sadly, ‘P@ssw0rd’ is way too common in IT environments.