Meanwhile, researchers at SecurityScorecard say the “fileless” malware loader in the attack – Teardrop – actually dates back to 2017.
Organisaatiot, jotka tutkivat, ovatko he niin sanotun SolarWinds-hyökkäyskampanjan uhreja – tai ovatko he edelleen tartunnan saaneita – saavat nyt käyttöönsä ilmaisen työkalupaketin, jota Microsoft käytti kitkemään haittaohjelmat omassa koodissaan.
Microsoft is offering the CodeQL queries it employed to analyze its source code in the wake of the SolarWinds breach discovery. CodeQL is a tool in GitHub’s Advanced Security toolset; the queries Microsoft used with CodeQL root out code that contains similarities in patterns and functions to the SolarWinds binary. These queries can be used on any software for signs of the SolarWinds attack campaign.
And in a separate SolarWinds development, security researchers at SecurityScorecard say they have discovered that one piece of malware used in the SolarWinds attacks — the memory-only dropper dubbed Teardrop that profiled the victim’s network and systems environments — dates back to 2017 and appears to be associated with a single Russian cyber-espionage group.
Tämä viittaa siihen, että tämä kansallisvaltion hakkerointitiimi käytti Teardropia muissa APT-operaatioissa ennen SolarWindsiä, sanoo SecurityScorecardin kyberuhkien tutkimuksesta ja tiedustelupalvelusta vastaava varajohtaja Ryan Sherstobitoff ja panee merkille haittaohjelmiin liittyvän aikaisemman ajanjakson.
Teardropia, jonka FireEye antoi haittaohjelmien analysoinnissaan nimeksi, käytettiin Cobalt Strike BEACONin, komento- ja ohjaustyökalun (C2) käyttämiseen avoimen lähdekoodin Cobalt Strike -työkalupaketissa, jota hyökkääjät käyttivät – todennäköisimmin keinona naamioida. heidän toimintaansa.
FireEye ensin julkistettiin joulukuussa about the attack it had suffered at the hands of a malicious software update to its SolarWinds Orion software, and that its red-team tools had been stolen in the attack. FireEye initially described Teardrop — a dynamic link library (DLL) file payload delivered via the Sunburst Trojan (the first-stage malware in the attack) — as a piece of malware that didn’t match any it had seen before.
“TEARDROP does not have code overlap with any previously seen malware,” FireEye wrote in its detailed raportti joulukuussa SolarWinds-haittaohjelmassa.
But Sherstobitoff says the C2 telemetry his team found shows that Teardrop was not necessarily built solely for the SolarWinds attacks, which were triggered in 2020 but test-run in October 2019. “It pushes a lot of timelines much earlier than what people suspected,” he says.
His team also confirms that the attacker behind SolarWinds is a single APT group out of Russia, targeting US organizations. Like other security vendors, SecurityScorecard won’t name names, but experts surmise it’s the handiwork of the Russian SVR and its hacking team known as Cozy Bear.
Some 95% of victim organizations are in the US, the researchers found, and they reiterate that it’s most likely a cyber-espionage campaign as most experts believe. Even so, Sherstobitoff says because Teardrop opens a backdoor into the victim organization, the fear is that it could be used to drop other more destructive payloads. Teardrop itself was used mainly to “fingerprint” and profile the victim’s systems and networks.
“The challenge is, are there third- or fourth-stage implants we don’t know about? They may be highly custom,” he says.
CodeQL
Meantime, Microsoft’s release of its CodeQL queries today could help root out attack code that could be deeply embedded in a victim’s network.
“Anything that’s able to look for behaviors or host-level artifacts will help [find] out if there are compromises from Teardrop or Sunburst because the command-and-control at this point is most likely offline,” notes Sherstobitoff.
Microsoft sanoi avoimen lähdekoodin julkaisu on yritys jakaa havaintojaan haittaohjelmahyökkäyksestä, jota se kutsuu Solorigateksi.
“With the increasing sophistication of attacks like Solorigate, it’s more important than ever for the security community to work together in transparency to share learnings where possible. Since these attacks were detected, we’ve worked closely behind the scenes with the security community and have published dozens of teknisiä päivityksiä ja työkaluja to empower defenders,” a Microsoft spokesperson said. “The open sourcing of CodeQL queries is another example of how sharing techniques that Microsoft has found useful can give defenders the edge they need to help protect against sophisticated attacks.”
Kelly Jackson Higgins on Dark Readingin päätoimittaja. Hän on palkittu veteraani teknologia- ja yritystoimittaja, jolla on yli kahden vuosikymmenen kokemus raporttien julkaisemisesta ja muokkaamisesta erilaisille julkaisuille, kuten Network Computing, Secure Enterprise ... Näytä koko bio
Suositeltua lukemista:
Lisää näkemyksiä
