State-sponsored actors allegedly working for Russia targeted the U.S. Treasury, the Department of Commerce’s National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyber espionage campaign.
The Washington Post, citing anonymous sources, said the latest attacks were the work of APT29, also known as Cozy Bear, the same group of hackers believed to have breached the US-based cybersecurity company FireEye a few days earlier, leading to the theft of its Red Team penetration testing tools.
The full motive and the scope of what information has been compromised remain unclear, but indications are that the adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies and FireEye, in a highly sophisticated supply chain attack.
“The compromise of SolarWinds Orion network management products poses unacceptable risks to federal network security,” said Brandon Wales, acting director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued an emergency directive urging federal civilian agencies to review their networks for suspicious activity and to immediately disconnect or power down SolarWinds Orion products.
SolarWinds networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies and educational institutions.
It also serves several major US telecommunications companies, all five U.S. military branches and other major government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, the Justice Department and the Office of the President of the United States.
SUNBURST backdoor used in a stealthy espionage campaign
FireEye, which tracks the ongoing intrusion campaign under the moniker “UNC2452”, said the supply chain attack leveraged trojanized SolarWinds Orion enterprise software updates to deploy a backdoor called SUNBURST.
“This campaign may have begun as early as spring 2020 and is currently ongoing,” FireEye said in an analysis on Sunday. “Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The actor is highly skilled and the operation was carried out with considerable operational security.”
This rogue version of the SolarWinds Orion plugin disguises its network traffic as the Orion Improvement Program (OIP) protocol and communicates over HTTP with remote servers to retrieve and execute malicious commands (“Jobs”) spanning a range of spyware capabilities, including file transfer, file execution, profiling and rebooting the target system, and disabling system services.
The Orion Improvement Program or OIP is primarily used to collect performance and usage statistics from SolarWinds users for product improvement purposes.
In addition, the IP addresses used in the campaign belonged to VPN servers located in the same country as the victim, in order to avoid detection.
Microsoft also confirmed the findings in a separate analysis, noting that the attack (which it calls “Solorigate”) abused the trust placed in SolarWinds software to inject malicious code as part of a larger campaign.
“A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,” says the Windows maker. “The resulting binary included a backdoor and was therefore discreetly distributed to targeted organizations.”
SolarWinds issues a security advisory
In a security advisory published by SolarWinds, the company said the attack targeted versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software released between March and June 2020, and recommended that users upgrade to Orion Platform version 2020.2.1 HF 1 immediately.
The company, which is currently investigating the attack in conjunction with FireEye and the U.S. Federal Bureau of Investigation, is expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several additional security enhancements.
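One way for a defender to act on the advisory above is to triage an inventory of Orion installs against the affected version range the page quotes (2019.4 through 2020.2.1, fixed in 2020.2.1 HF 1). The following is an added example, not code from SolarWinds, FireEye or the article; the hostnames, version strings and inventory format are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple


class OrionVersion(NamedTuple):
    """Orion version as a comparable tuple: major.minor.patch plus hotfix number."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Accepts the forms the advisory uses: '2019.4', '2020.2.1', '2020.2.1 HF 1'.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> OrionVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hf or 0))


# Affected range as quoted on this page; HF 1 on 2020.2.1 is the advisory's fix.
AFFECTED_LOW = parse_version("2019.4")
AFFECTED_HIGH = parse_version("2020.2.1")
FIXED = parse_version("2020.2.1 HF 1")


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range (inclusive)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket {host: version} into hosts needing the hotfix, hosts outside the range, and junk."""
    result: Dict[str, List[str]] = {"patch_now": [], "outside_range": [], "unparseable": []}
    for host, version in inventory.items():
        try:
            result["patch_now" if is_affected(version) else "outside_range"].append(host)
        except ValueError:
            result["unparseable"].append(host)
    return result


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",        # in range, needs HF 1
    "orion-prod-02": "2020.2.1 HF 1",   # the advisory's fixed build
    "orion-lab-01": "2019.4",           # lower bound of the range
    "orion-lab-02": "2019.2",           # predates the range
    "orion-old-01": "unknown",          # inventory gap, must be checked by hand
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host that lands outside the range is not thereby known to be clean; the CISA directive quoted above also calls for reviewing networks for suspicious activity, and the `unparseable` bucket is where inventory gaps surface.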
Last week FireEye revealed that it was the victim of a highly sophisticated attack by a foreign government that compromised the software tools it uses to test its customers’ defenses.
The stolen Red Team toolkit, comprising up to 60 tools, is a mix of publicly available tools (43%), modified versions of publicly available tools (17%) and tools developed in-house (40%).
In addition, the stolen tools include exploit payloads for critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).
The campaign ultimately appears to have been a global-scale supply chain attack, as FireEye reported that it has confirmed intrusions at several entities around the world, including government, consulting, technology, telecommunications, and mining companies in North America, Europe, Asia and the Middle East.
Indicators of Compromise (IoC) and other relevant attack signatures designed to block SUNBURST are available here.