September 25, 2023

State-sponsored actors allegedly working for Russia have targeted the US government agencies,to monitor internal email traffic as part of a widespread cyberespionage campaign.

APT29 or Cozy Bear, the same hacking group that’s believed to have orchestrated a breach of US-based cybersecurity firm FireEye a few days ago leading to the theft of its Red Team penetration testing tools.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” emergency review of networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately which serves most of the US Organization

SUNBURST Backdoor

FireEye, which is tracking the ongoing intrusion campaign under the moniker “UNC2452,” said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST, began as early as 2020.

Once after compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”

SolarWinds Software Backdoor

This rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program (OIP) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (“Jobs”) that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.

Orion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.

Microsoft also corroborated the findings in a separate analysis, stating the attack leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.

Earlier last week FireEye was breached and Red Teaming tools were exfilterated by the intruders

The theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).

This attacks seems to be a larger scale supply chain attack in MiddleEast, Europe and US regions

Tags:

Leave a Reply

You may have missed

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023

Air Canada Reveals Data Exposure due to a Cyberattack

September 23, 2023

SandMan APT Group in action against Telcos

September 22, 2023
%d bloggers like this: