Tag: Malware

  • SolarWinds Supply Chain Attack – Updated 12/18/2020

    On December 8, 2020, FireEye disclosed that it had been breached by a sophisticated threat actor that had accessed some of its internally developed red team tools. On December 12, FireEye disclosed that this access, and access to many other companies, was accomplished through a supply chain attack against SolarWinds, a monitoring product that is deployed across a myriad of other organizations in the public and private sectors.

    What we know: SolarWinds’ Orion Platform versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, were affected by the supply chain attack. At present, we believe other versions are not affected.

    Who was affected: In addition to FireEye, anyone running these SolarWinds versions should assume they have been compromised and should take immediate action to mitigate this exposure.

    What to do:
    • Power down any SolarWinds Orion products that are running or have run versions 2019.4 HF 5 through 2020.2.1.
    • Upgrade to the SolarWinds Orion Platform version 2020.2.1 HF 1 immediately.
    • On Tuesday December 15, 2020, upgrade to SolarWinds Orion Platform version 2020.2.1 HF 2. This is a critical release that addresses the exposure.
    • If your company has used the affected versions, assume that the network has been breached and implement applicable incident response processes.
    • This was a far-reaching attack perpetrated by highly skilled threat actors. Evidence of the attack may be hard to detect, and Indications of Compromise (IOCs) may change over time as more information becomes available.
    How did this happen:

    SolarWinds was the victim of a sophisticated supply chain attack. Supply chain attacks target components that are trusted by their users in order to gain a foothold within an organization, product, or other target. This can happen to in-house software components, third-party libraries, or even in the manufacturing of devices. How the attack was deployed via the SolarWinds platform remains unclear, but multiple payloads were delivered via digitally signed updates from SolarWinds from March to May 2020 through the SolarWinds.Orion.Core.BusinessLayer.dll.

    Technical Details:
    • The trojan placed on the system lays dormant for up to two weeks before making a DNS request to avsvmcloud[.]com to get the details of a Command and Control (C2) server.
    • Further communications with the C2 server masquerade as SolarWinds API traffic.
    • The trojan downloads multiple types of payloads, including a memory-only dropper that FireEye has named, “TEARDROP.” A Cobalt Strike Beacon payload has also been detected.
    • After gaining a foothold, the attacker used remote access and conducted lateral movement using legitimate account credentials to establish persistence and levy ongoing attacks.
    • The attack prioritizes stealth and persistence, only using hostnames enumerated within the target environment and restricting traffic to mostly IP addresses from the target’s country.
    • The attacker modifies files and scheduled tasks to drive remote execution and later reverts them back to their original contents in order to evade detection.

    FireEye has released countermeasures for these threats, including Snort and Yara rules. For more specific details on the delivered malware, how it avoided detection, and other threat signatures, see the FireEye blog post detailing the attack.

    Updates

    December 18, 2020

    Who was affected:

    In addition to FireEye, Microsoft confirmed their systems were affected by the SolarWinds breach and have helped identify an additional 40+ customers of their own that have been affected. [1]

    Additionally, RedDrip7 and Bambenek have put forth research into DNS records and other Indicators of Compromise to help people determine whether they have been compromised. [2]

    However, anyone running these SolarWinds versions should still assume they have been compromised and should take immediate action to mitigate this exposure.

    [1] https://www.bleepingcomputer.com/news/security/microsoft-identifies-40-plus-victims-of-solarwinds-hack-80-percent-from-us/

    [2] https://github.com/bambenek/research/tree/main/sunburst

  • Public USB Charging Ports & Their Potential Security Risks

    How many times have we found ourselves with a nearly depleted mobile device and no charger cable? Despite the array of adapters and cables that are available, on occasion we are found without our charge cable and a nearly dead phone or tablet battery. Increasingly, public locations are providing native USB convenience charging stations for the modern day smart device. It’s a common oversight to plug our devices into these public charging outlets without considering the risks in doing so.

    What have you done??

    Honestly, odds are, you’re simply charging your phone as expected. But the truth is you just don’t know. This is due to the nature of the USB interface and the fact that it has the capability to transmit both power and data.

    Charging ports that seem innocent enough can be a hot bed of disaster waiting to happen. By exploiting the USB data connection to your device, malware can easily be transferred onto your device revealing critical information to a malicious actor. You would likely never even know.

    That charging device might not have even been placed by the establishment that you assume has placed it. A bad actor could simply drop the device in a public area waiting for the unassuming person to walk by and plug in their device.

    The reality is that most charging ports are legitimate and pose no real threat, but you also never know for sure.

    Here are some suggestions to keep yourself safe while using a public charging station:
    • Do Not plug your device’s USB cable into an untrusted USB port, such as those commonly found on public charging stations.
    • Always carry your own charging cable and wall adapter with you.
    • If you use a public station, practice situational awareness and assess the threat level of interfacing with the charging station.
    • When you plug your device in, never agree to trust the source or allow it any type of control on your phone. These functions vary by device type and model.
    The Threat of Malware

    The installation of malware is a key way to gain unauthorized privileges on a device. Be it a charging port, a free or found USB drive, a link in an email, or a malicious website. Cyber criminals are getting increasingly savvy in their attack vectors. This means you must be even more diligent than ever before to protect yourself from this emerging threat.