Latest News Latest News

Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws

For the first patch Tuesday of 2021, Microsoft released security updates addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability.

Read More...

Ransomware Attackers Using SystemBC Malware With RAT and Tor Proxy

Cybercriminals are increasingly outsourcing the task of deploying ransomware to affiliates using commodity malware and attack tools.

Read More...

New Evidence Suggests SolarWinds' Codebase Was Hacked to Inject Backdoor

The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack.

Read More...

US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor

State-sponsored actors allegedly working for Russia have targeted the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

Read More...

Watch Out! Adrozek Malware Hijacking Chrome, Firefox, Edge, Yandex Browsers

Microsoft on Thursday took the wraps off an ongoing campaign impacting popular web browsers that stealthily injects malware-infested ads into search results to earn money via affiliate advertising.

Read More...

Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams

A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.

Read More...

WARNING — Critical Remote Hacking Flaws Affect D-Link VPN Routers

Some widely sold D-Link VPN router models have been found vulnerable to three new high-risk security vulnerabilities, leaving millions of home and business networks open to cyberattacks—even if they are secured with a strong password.

Read More...

Microsoft Releases Windows Update (Dec 2020) to Fix 58 Security Flaws

Microsoft on Tuesday released fixes for 58 newly discovered security flaws spanning as many as 11 products and services as part of its final Patch Tuesday of 2020, effectively bringing their CVE total to 1,250 for the year. Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity.

Read More...

Multiple Botnets Exploiting Critical Oracle WebLogic Bug — PATCH NOW

Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems.

Read More...

Stantinko Botnet Now Targeting Linux Servers to Hide Behind Proxies

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan at least since 2012 has now set its sights on Linux servers to fly under the radar.

Read More...

Most Viewed News Most Viewed News

Back

New Evidence Suggests SolarWinds' Codebase Was Hacked to Inject Backdoor

The investigation into how the attackers managed to compromise SolarWinds' internal network and poison the company's software updates is still underway, but we may be one step closer to understanding what appears to be a very meticulously planned and highly-sophisticated supply chain attack.

A new report that the operators behind the espionage campaign likely managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the malicious backdoor through its software release process.

"The source code of the affected library was directly modified to include malicious backdoor code, which was compiled, signed, and delivered through the existing software patch release management system,".
Cybersecurity firm FireEye earlier this week detailed how multiple SolarWinds Orion software updates, released between March and June 2020, were injected with backdoor code ("SolarWinds.Orion.Core.BusinessLayer.dll" or SUNBURST) to conduct surveillance and execute arbitrary commands on target systems.

FireEye has not so far publicly attributed the attack to any specific nation-state actor, but multiple media reports have pinned the intrusion campaign on APT29 (aka Cozy Bear), a hacker group associated with Russia's foreign intelligence service

Sneaky Injection of Malicious Code

Although the first version containing the tainted Orion software was traced to 2019.4.5200.9083, ReversingLabs has found that an earlier version 2019.4.5200.8890, released in October 2019, also included seemingly harmless modifications that acted as the stepping stone for delivering the real attack payload down the line.

The idea, according to Pericin, was to compromise the build system, quietly inject their own code in the source code of the software, wait for the company to compile, sign packages and at last, verify if their modifications show up in the newly released updates as expected.

Once confirmed, the adversary then took steps to blend the SUNBURST malware with the rest of the codebase by mimicking existing functions (GetOrCreateUserID) but adding their own implementations so as to remain stealthy and invoking them by modifying a separate class called "InventoryManager" to create a new thread that runs the backdoor.

What's more, malicious strings were obscured using a combination of compression and Base64 encoding in hopes that doing so would thwart YARA rules from spotting anomalies in the code as well as slip through undetected during a software developer review.

"The attackers went through a lot of trouble to ensure that their code looks like it belongs within the code base,". "That was certainly done to hide the code from the audit by the software developers."

How did the Compromise Happen?

This implies that not only did the attackers have a high degree of familiarity with the software, but also the fact that its existing software release management system itself was compromised — as the class in question was modified at the source code level to build a new software update containing the backdoored library, then signed, and ultimately released to the customers.

This also raises more questions than it answers in that a change of this magnitude could only have been possible if either the version control system was compromised or the tainted software was placed directly on the build machine.

While it's not immediately clear how the attackers got access to the code base, security researcher Vinoth Kumar's disclosure about SolarWinds' update server being accessible with the password "solarwinds123" assumes new significance given the overlap in timelines.

The company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company's download website in plaintext, adding a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.

"SUNBURST illustrates the next generation of compromises that thrive on access, sophistication and patience," Pericin concluded. "For companies that operate valuable businesses or produce software critical to their customers, inspecting software and monitoring updates for signs of tampering, malicious or unwanted additions must be part of the risk management process."

"Hiding in plain sight behind a globally known software brand or a trusted business-critical process, gives this method access that a phishing campaign could only dream to achieve,".
Over 4,000 Sub-domains Compromised by SUNBURST.

SolarWinds said up to 18,000 of its customers may have been impacted by the supply chain attack while urging Orion platform users to update the software to version 2020.2.1 HF 2 as soon as possible to secure their environments.

Over 4,000 sub-domains belonging to prominent businesses and educational institutions were infected with the SUNBURST backdoor, including those of Intel, NVIDIA, Kent State University, and Iowa State University.
To make matters worse, malicious code added to an Orion software update may have gone unnoticed by antivirus software and other security tools on targeted systems owing to SolarWinds' own support advisory, which states its products may not work properly unless their file directories are exempted from antivirus scans and group policy object (GPO) restrictions.

"Prolific actors are constantly going after high-revenue customers like SolarWinds because they see an increased chance of making larger profits by selling access to ransomware partners and other buyers," cybersecurity firm Intel 471 said, responding to the possibility that criminals were selling access to the company's networks on underground forums.

"Whether it's by exploiting vulnerabilities, launching spam campaigns or leveraging credential abuse, access is typically advertised and auctioned to the highest bidder for a profit. Whether this was the motivation for the current SolarWinds incident remains to be seen."


Contact Us Contact Us

Free Call[OH]: 933

Phone Number: +251-993939270,

                            +251-936825343,

                            +251-944-33-68-02

E-mail: ethiocert@insa.gov.et

P.O.Box: 124498

Download PGP Keys


Report an Incident

Values Values

  • Trustworthiness
  • Innovation
  • Scientific
  • Democracy
  • Synergy
  • Saving