While we learned of the SolarWinds attack on December 13th, the first disclosure of its consequences came on December 8th, when leading cybersecurity firm FireEye revealed that it had been hacked by a nation-state APT group.
Sunburst, a.k.a. Solorigate, is the malware employed as the tip of the spear in the campaign, in which adversaries abused SolarWinds’ Orion network management platform to infect targets. It was pushed out via trojanized product updates to nearly 18,000 organizations around the world, beginning nine months ago.
Examining the backdoor’s DNS communications led researchers to find a government agency and a big U.S. telco that were flagged for further exploitation in the spy campaign.
More details have come to light about the Sunburst backdoor that could help defenders get a better handle on the scope of the sprawling SolarWinds espionage attack. The campaign is known to have affected six federal departments, Microsoft, FireEye and dozens of others so far that installed the tainted network monitoring software SolarWinds Orion, which let the hackers in through a covertly inserted backdoor.
Among them: technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., accounting firm Deloitte LLP, cloud-computing software maker VMware Inc. and Belkin International Inc., which sells home and office Wi-Fi routers and networking gear under the Linksys and Belkin brands. The attackers also had access to the California Department of State Hospitals and Kent State University.
Cisco detected the malicious software on some employee systems and lab systems; so far, it says there is no effect on its products or services. Intel is investigating and has said there is no indication attackers accessed its network.
MediaTek, the world’s second-largest provider of fabless semiconductors, may also have been specifically targeted in this campaign, but TrueSec has not yet fully confirmed the breach.
Similarly, the other affected organizations confirm they detected the infected software, but there is no indication the attackers exploited it.
With Sunburst embedded, the attackers have since been in a position to pick and choose which organizations to penetrate further.
The list of encoded C2 subdomains used by the Sunburst malware was harvested from passive DNS datasets and web traffic pointing to the main avsvmcloud[.]com C2 domain contacted by the backdoor to exfiltrate stolen data.
By decoding this list of subdomains generated by the malware’s domain generation algorithm (DGA), TrueSec and other security firms, including QiAnXin RedDrip, Kaspersky and Prevasio, were able to identify many well-known organizations that have already disclosed targeted attacks or may do so later.
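The passive-DNS work described above starts with one defender-side check that any organization can run over its own resolver logs: which internal hosts ever looked up a subdomain of the avsvmcloud[.]com C2 domain, and what encoded label each query carried. The following is an added example, not code from the article or from any of the firms it names; the log format and the sample lines (including the subdomain labels) are constructed for illustration, and the helper names are the author's own. Decoding the leftmost label back to a victim name requires the DGA decoders those firms published and is outside this snippet.

```python
import re
from collections import defaultdict

# The Sunburst C2 apex domain named in the article. Reporting writes it as
# avsvmcloud[.]com; the brackets are defanging, not part of the real name.
C2_APEX = "avsvmcloud.com"

# Constructed sample resolver log lines (not real telemetry). Assumed format:
# "<ISO timestamp> <client IP> <query name> <query type>", one query per line.
SAMPLE_DNS_LOG = """\
2020-06-14T02:11:03Z 10.1.20.17 k5kbaxv2ldmh2t2n.appsync-api.eu-west-1.avsvmcloud.com A
2020-06-14T02:11:05Z 10.1.20.17 www.example.org A
2020-06-14T03:40:19Z 10.1.33.8 ogbrr1n3djs7o2n2.appsync-api.us-east-2.avsvmcloud.com. A
2020-06-14T03:41:00Z 10.1.33.8 notavsvmcloud.com A
2020-06-14T04:00:00Z 10.1.20.17 avsvmcloud.com.example.net A
2020-06-14T04:02:00Z 10.1.40.2 AVSVMCLOUD.COM A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_name(qname: str) -> str:
    """Lower-case a query name and drop the trailing root dot, if any."""
    return qname.rstrip(".").lower()


def is_c2_query(qname: str) -> bool:
    """True only for the apex itself or a genuine subdomain of it.

    A plain substring test would also match 'notavsvmcloud.com' and
    'avsvmcloud.com.example.net', which are unrelated names.
    """
    name = normalize_name(qname)
    return name == C2_APEX or name.endswith("." + C2_APEX)


def dga_label(qname: str) -> str:
    """Return the leftmost label, which carries the backdoor's encoded data;
    empty string when the query is for the bare apex."""
    name = normalize_name(qname)
    if name == C2_APEX:
        return ""
    return name[: -(len(C2_APEX) + 1)].split(".")[0]


def find_sunburst_queries(log_text: str) -> dict:
    """Map each client IP that queried the C2 domain to its (timestamp, label) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crashing
        ts, client, qname, _qtype = m.groups()
        if is_c2_query(qname):
            hits[client].append((ts, dga_label(qname)))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_sunburst_queries(SAMPLE_DNS_LOG).items()):
        labels = sorted({label for _, label in events if label})
        print(f"{client}: {len(events)} C2 lookups, encoded labels: {labels}")
```

The suffix test in `is_c2_query` is the part worth copying: matching on the bare string "avsvmcloud.com" would flag look-alike names and miss case or trailing-dot variants, so the check normalizes the name first and then requires either an exact match or a dot-separated subdomain. Each hit keeps the leftmost label so that the resulting list can be handed to a published DGA decoder or compared against the subdomain lists the firms above released.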