How to hack SolarWinds?
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a threat group possibly based in China.
In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral.
Back on December 22, 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on target systems.
The findings were also corroborated by cybersecurity firms Palo Alto Networks' Unit 42 threat intelligence team and GuidePoint Security, both of whom described Supernova as a .NET web shell implemented by modifying the "app_web_logoimagehandler.ashx.b6031896.dll" module of the SolarWinds Orion application.
What is the role of CTU researchers?
According to Secureworks Counter Threat Unit (CTU) researchers, who discovered the malware in November 2020 while responding to an intrusion on one of the firm's customers' networks, "the immediate and targeted nature of the lateral movement suggests that Spiral had prior knowledge of the network."
During further investigation, the firm said it found similarities between this incident and earlier intrusion activity on the same network, uncovered in August 2020, which had been carried out by exploiting a vulnerability in ManageEngine ServiceDesk as early as 2018.
"CTU researchers were initially unable to attribute the August activity to any known threat groups," the researchers said. "However, the following similarities to the Spiral intrusion in late 2020 suggest that the Spiral threat group was responsible for both intrusions."
"The threat group likely downloaded the endpoint agent installer from the network and executed it on the attacker-managed infrastructure," the researchers detailed. "The exposure of the IP address was likely unintentional, so its geo-location supports the hypothesis that the Spiral threat group operates out of China."