Hacker group 'UNC2452', which intercepted confidential information from government agencies and companies around the world, is revealed



Security company FireEye has stated that the intrusion was a supply chain attack carried out by malware that had been slipped into an update file for business software.

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html


US Homeland Security, thousands of businesses scramble after suspected Russian hack | Reuters
https://www.reuters.com/article/global-cyber-idUSKBN28O26X

The following article summarizes the case in which the contents of emails at a US government agency were being intercepted. The attacker conducting this series of attacks is called 'UNC2452', and its identity is unknown at the time of writing. However, the FBI suspects that UNC2452 is 'APT29', a hacker group backed by the Russian government.

It turns out that a hacker supported by the Russian government was hacking a US government agency and monitoring the contents of emails etc. --GIGAZINE



Attacks by UNC2452 target not only the United States but also government organizations and companies in Europe, Asia, and the Middle East. According to a FireEye investigation, UNC2452 carried out the attack by incorporating malware called 'SUNBURST' into a software update for 'Orion', SolarWinds' IT infrastructure management system.

SUNBURST is a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll, one of Orion's core framework plugins, into which a backdoor that communicates with external servers over HTTP has been inserted. After lying dormant for up to two weeks, SUNBURST can transfer files, execute files, profile the system, reboot the machine, disable system services, and more. It also stores its reconnaissance results in a legitimate plugin configuration file and disguises its network traffic as a legitimate communication protocol, so that the theft of data from the PC blends in with Orion's normal operation.



According to FireEye, from March to May 2020 multiple update files containing SUNBURST were distributed, all of which carried a legitimate digital signature from SolarWinds. 'The attack targeted up to 18,000 people and targeted governments, businesses and advertising agencies for about nine months,' said SolarWinds, which released a hotfix and urged customers to apply it. The US government has also issued an emergency alert ordering that use of Orion stop immediately.

FireEye sees 'UNC2452 as a very skilled attacker' and has published a tool on GitHub to detect SUNBURST attacks.

GitHub --fireeye / sunburst_countermeasures
https://github.com/fireeye/sunburst_countermeasures


According to Reuters, the Russian government has denied any relationship with UNC2452.

in Software, Security, Posted by log1i_yk