Dec 16, 2020 15:30:00

Microsoft seizes domains used in attacks in response to hacking problems with large-scale government agencies

In December 2020, it was discovered that malware was loaded into a software update of

cyber security company SolarWinds, and many government agencies and others were hacked. In response to this problem, Microsoft has updated the security software 'Microsoft Defender Antivirus ' to block the problematic SolarWinds binary, and has taken measures such as seizing the attacker's domain in cooperation with other high-tech companies. I am.

Ensuring customers are protected from Solorigate --Microsoft Security
https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/

Microsoft and industry partners seize key domain used in SolarWinds hack | ZDNet
https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/

SolarWinds Hack Could Affect 18K Customers — Krebs on Security
https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

A large-scale hack targeting a large number of government agencies came to light in early December 2020 when cybersecurity firm

FireEye said that 'an internal tool for testing customers' cybersecurity was stolen.' It all started with the report. FireEye concludes that the attack is due to 'a governmental organization of a country with top-notch offensive capabilities.' Later, it was reported that e-mails from government agencies such as the US Treasury were intercepted, and it was also found that a series of hacks were likely carried out via malware embedded in SolarWinds software.

According to SolarWinds, 'a highly sophisticated and targeted state-based manual supply chain attack' has included a malware called 'SUNBURST (Solorigate)' in an update to SolarWinds' IT infrastructure management system Orion. That thing. SUNBURST is a Trojan horse that includes a backdoor that communicates with an external server via HTTP, and seems to steal data in the PC by pretending to be normal operation of Orion.

The hacker group that prepared SUNBURST is called 'UCN2452', and the FBI and others speculate that 'APT29 (CozyBear) ' supported by the Russian Foreign Intelligence Service (SVR) is related to UCN2452.

Hacker group 'UCN2452' that intercepted confidential information of government agencies and companies around the world revealed the method --GIGAZINE

SolarWinds said the SUNBURST-loaded update was released between March and June 2020, and nearly 18,000 customers may have installed the SUNBURST-loaded update. Institutions that have already been confirmed to have attacks include the United States Department of the Treasury , the National Telecommunications Information Agency (NTIA) , the American National Institutes of Health , the Cybersecurity and Infrastructure Security Agency (CISA) , the United States Department of Homeland Security, and the United States State Department . ..

Following a series of hacking issues, Microsoft updated its security blog on December 15th. Microsoft commented in its blog that it monitors the dynamic threat environment associated with attacks using the Orion platform. Microsoft Defender Antivirus has announced that it will block problematic Orion binaries from 8am Pacific Standard Time on December 16th to warn users of Orion binaries that may have been loaded with malware. ..

'It's important to understand that these binaries pose a serious threat to your environment. Users should consider devices with these binaries at risk and investigate the alerted device. There is. '

In addition, Microsoft and a coalition of other tech companies have seized the domain 'avsvmcloud.com', which played a central role in the hacking of SolarWinds, and made it the property of Microsoft. This domain acts as a malware command and control server (C & C server) , communicating with the compromised system. Therefore, by monitoring the IP address that accesses this domain, it is possible to identify the organization infected with SUNBURST. Microsoft plans to create a list of victims and notify all affected agencies and companies.

Jesse Rothstein, CEO of cyber analytics firm ExtraHop , told ZDNet that malware-related domains had been seized by international law enforcement agencies and providers before. Domains were seized or deleted in response to issues such as the Necurs botnet and TrickBot.

Security company

Volexity has linked the UCN2452 attack with a threat actor called 'Dark Halo,' which has been confirmed three times since late 2019. The Dark Halo's primary purpose seems to have been to monitor email messages, with a third attack being compromised through SolarWinds' Orion platform, Volexity said.

Dark Halo Leverages SolarWinds Compromise to Breach Organizations | Volexity
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

SolarWinds hackers have a clever way to bypass multi-factor authentication | Ars Technica
https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/

According to Volexity, Dark Halo was accessing the user's email account via Outlook Web App (OWA) in the second attack. The damaged email account had two-step authentication introduced by Cisco 's security system ' Duo Security ', but Dark Halo was using a new technology that bypasses the two-step authentication.

Volexity's investigation into the situation when a hacker logged in to an email account revealed that the hacker had gained administrator privileges on the infected network and stole Duo's integrated private key from a server running OWA. The hacker is believed to have used this integrated private key to generate a valid cookie, bypassing the two-step verification after authenticating the username and password.

Volexity and Duo officials pointed out that the mechanism by which hackers bypassed two-step authentication did not exploit Duo's vulnerability. The design of the two-step authentication did not take into account a complete system breach of the OWA server, and the problem was that the hacker had enough access to almost disable the two-step authentication.