The SolarWinds attack is one of the most damaging cyberattacks of recent years. It was discovered by security researchers in December 2020.
FireEye, which describes it as a global intrusion campaign and tracks the actors behind it as UNC2452, also discovered a supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute the malware now known as SUNBURST.
The attackers' post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but those same efforts also offer some opportunities for detection. The campaign is widespread, affecting public and private organizations around the world.
SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.
After an initial dormant period of up to two weeks, it retrieves and executes commands, called "Jobs", that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. (As stated by FireEye.)
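The "obfuscated blocklists" mentioned above deserve a closer look, because they are both the evasion and the detection opportunity. The idea is that the backdoor never stores the names of the tools it is looking for as readable strings; it stores a hash of each name and hashes every running process, service and driver name at run time to compare. The following is an added illustration written for this post, not FireEye's analysis code and not anything taken from the SolarWinds binary: the hash function (plain FNV-1a 64-bit), the XOR constant, the tool names and the process list are all assumptions constructed for the demo, and the real backdoor's constants and full list are not reproduced. It shows the malware-side check and the defender-side brute force that recovers the names from a wordlist of known security products.

```python
# Added illustration (not SUNBURST's or FireEye's code): a hashed process blocklist
# of the kind used to spot analysis tools without embedding their names as strings,
# plus the defender-side brute force that recovers the names from a wordlist.
#
# ASSUMPTIONS: FNV-1a 64-bit is used as the hash and the XOR key below is made up;
# the real backdoor's constants and its full list are NOT reproduced here.

FNV_OFFSET_64 = 0xCBF29CE484222325
FNV_PRIME_64 = 0x100000001B3
MASK_64 = (1 << 64) - 1
XOR_KEY = 0x5A5A5A5A5A5A5A5A  # hypothetical obfuscation constant, not the real one


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a 64-bit hash (a well-known, fast, non-cryptographic hash)."""
    h = FNV_OFFSET_64
    for byte in data:
        h ^= byte
        h = (h * FNV_PRIME_64) & MASK_64
    return h


def normalize(name: str) -> str:
    """Lower-case a process/service/driver name and drop a trailing .exe/.sys."""
    name = name.lower()
    for ext in (".exe", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def obfuscate(name: str) -> int:
    """Value that would be stored in the binary instead of the tool name."""
    return fnv1a64(normalize(name).encode()) ^ XOR_KEY


# Constructed sample: generic analysis-tool names, chosen for illustration only.
SAMPLE_TOOLS = ["procmon", "wireshark", "autoruns", "x64dbg", "procexp"]

# This is all the binary would contain: 64-bit integers, no readable strings.
HASHED_BLOCKLIST = frozenset(obfuscate(t) for t in SAMPLE_TOOLS)


def analysis_tool_present(running_names) -> bool:
    """Malware-side check: does any running process/service/driver hit the list?"""
    return any(obfuscate(n) in HASHED_BLOCKLIST for n in running_names)


def recover_blocklist(hashed_values, wordlist) -> dict:
    """Defender-side: map each recovered hash back to a name by trying a wordlist.

    The hash is fast and the effective key space is only "names of known tools",
    so a wordlist of security products and Sysinternals binaries cracks it quickly.
    """
    table = {obfuscate(w): w for w in wordlist}
    return {h: table[h] for h in hashed_values if h in table}


if __name__ == "__main__":
    # Constructed process lists for the demo.
    print("stored:", [hex(h) for h in sorted(HASHED_BLOCKLIST)])
    print("tool found?", analysis_tool_present(["explorer.exe", "Procmon.exe"]))
    print("tool found?", analysis_tool_present(["explorer.exe", "notepad.exe"]))
    print("recovered:", recover_blocklist(HASHED_BLOCKLIST, ["notepad", "wireshark", "autoruns"]))
```

The practical takeaway for defenders is the second half: once the hash routine and the stored integers are pulled out of a sample, recovering the list is a wordlist exercise, and the recovered names tell you exactly which monitoring tools the malware was designed to hide from, which is useful when deciding what to deploy on an affected host.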
Several security researchers have published lists of companies where the threat actors deployed the Sunburst/Solarigate malware. One of these lists, shared by cybersecurity firm Truesec, includes high-profile tech companies such as Intel, Nvidia, Cisco, Cox Communications, VMware and Belkin, to name just a few. (As stated by BleepingComputer.)
My colleague, the young security enthusiast BABLU KUMAR, has prepared a short but impactful video on the #SolarWinds attack so that we know what it is, how it has impacted global organizations, and what the possible remediation is.
Check this out