The hacker group 'UNC2452' that intercepted confidential information from government agencies and companies around the world is revealed
Security company FireEye said, 'Business software It was caused by a
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
US Homeland Security, thousands of businesses scramble after suspected Russian hack | Reuters
https://www.reuters.com/article/global-cyber-idUSKBN28O26X
The following article summarizes the case in which the contents of US government agencies' emails were being intercepted. The attacker conducting this series of attacks is called 'UNC2452', and its identity was unknown at the time of writing. However, the FBI suspects that UNC2452 is 'APT29', a hacker group backed by the Russian government.
It turns out that a hacker supported by the Russian government was hacking a US government agency and monitoring the contents of emails etc. --GIGAZINE
Attacks by UNC2452 target not only the United States but also government organizations and companies in Europe, Asia, and the Middle East. According to FireEye's investigation, UNC2452 carried out the attack by inserting malware called 'SUNBURST' into a software update for 'Orion', SolarWinds' IT infrastructure management platform.
SUNBURST is a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll, one of Orion's core framework plugins, that contains a backdoor communicating with external servers over HTTP. After lying dormant for up to two weeks, SUNBURST can transfer and execute files, profile the system, reboot the machine, disable system services, and more. Furthermore, by storing its reconnaissance results in a legitimate plug-in configuration file and disguising its network traffic as a legitimate communication protocol, it exfiltrates data from the host while appearing to be normal Orion activity.
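As an added illustration of the detection angle (not code from the article or from FireEye's repository): a small Python check over constructed proxy log lines that flags an Orion host contacting a destination outside a hypothetical SolarWinds allowlist at near-regular intervals, which is one way a defender can surface command-and-control traffic disguised as routine plug-in communication. The log format, host names and allowlist are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound proxy log lines from an Orion server, in a
# hypothetical "<timestamp> <src_host> <dest_host> <method> <status>" format.
# These are not real indicators from the incident.
SAMPLE_LOGS = """\
2020-12-10T08:00:05 orion-srv01 downloads.solarwinds.com GET 200
2020-12-10T08:00:07 orion-srv01 api.solarwinds.com POST 200
2020-12-10T08:15:12 orion-srv01 updates.example-cdn.net GET 200
2020-12-10T09:15:14 orion-srv01 updates.example-cdn.net GET 200
2020-12-10T10:15:09 orion-srv01 updates.example-cdn.net GET 200
2020-12-10T11:15:11 orion-srv01 updates.example-cdn.net GET 200
2020-12-10T11:20:00 orion-srv01 kb.solarwinds.com GET 200
"""

# Hypothetical allowlist: destinations the Orion host is expected to talk to.
ALLOWED_SUFFIXES = (".solarwinds.com",)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    """Parse log lines into (timestamp, source host, destination host) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, _method, _status = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst.lower()))
    return events

def allowed(dst):
    """True if the destination is the allowlisted domain or a subdomain of it."""
    return any(dst == s[1:] or dst.endswith(s) for s in ALLOWED_SUFFIXES)

def find_suspicious(log_text, min_hits=3, max_jitter=60.0):
    """Return {destination: [timestamps]} for non-allowlisted destinations that an
    Orion host contacts repeatedly with near-constant gaps (periodic beaconing)."""
    by_dst = defaultdict(list)
    for ts, src, dst in parse(log_text):
        if src.startswith("orion-") and not allowed(dst):
            by_dst[dst].append(ts)
    flagged = {}
    for dst, times in by_dst.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:  # gaps all roughly equal
            flagged[dst] = times
    return flagged
```

The hourly contacts to the non-allowlisted host are flagged, while the irregular calls to SolarWinds domains are not.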
According to FireEye, from March to May 2020 multiple update files containing SUNBURST were distributed, all of them carrying a legitimate SolarWinds digital signature. 'The attack targeted up to 18,000 people, including governments, businesses and advertising agencies, for about nine months,' SolarWinds said, releasing a hotfix and urging customers to apply it. The US government has also issued an emergency directive to stop using Orion immediately.
FireEye describes UNC2452 as 'a highly skilled attacker' and has published tools on GitHub to detect SUNBURST activity.
GitHub - fireeye/sunburst_countermeasures
https://github.com/fireeye/sunburst_countermeasures
According to Reuters, the Russian government has denied any connection with UNC2452.