Microsoft seizes domains used in attacks in response to hacking problems with large-scale government agencies
In December 2020, it was discovered that malware was loaded into a software update of
Ensuring customers are protected from Solorigate --Microsoft Security
https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
Microsoft and industry partners seize key domain used in SolarWinds hack | ZDNet
https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/
SolarWinds Hack Could Affect 18K Customers — Krebs on Security
https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/
A large-scale hack targeting a large number of government agencies came to light in early December 2020 when cybersecurity firm
According to SolarWinds, 'a highly sophisticated and targeted state-based manual supply chain attack' has included a malware called 'SUNBURST (Solorigate)' in an update to SolarWinds' IT infrastructure management system Orion. That thing. SUNBURST is a Trojan horse that includes a backdoor that communicates with an external server via HTTP, and seems to steal data in the PC by pretending to be normal operation of Orion.
The hacker group that prepared SUNBURST is called 'UCN2452', and the FBI and others speculate that 'APT29 (CozyBear) ' supported by the Russian Foreign Intelligence Service (SVR) is related to UCN2452.
Hacker group 'UCN2452' that intercepted confidential information of government agencies and companies around the world revealed the method --GIGAZINE
SolarWinds said the SUNBURST-loaded update was released between March and June 2020, and nearly 18,000 customers may have installed the SUNBURST-loaded update. Institutions that have already been confirmed to have attacks include the United States Department of the Treasury , the National Telecommunications Information Agency (NTIA) , the American National Institutes of Health , the Cybersecurity and Infrastructure Security Agency (CISA) , the United States Department of Homeland Security, and the United States State Department . ..
Following a series of hacking issues, Microsoft updated its security blog on December 15th. Microsoft commented in its blog that it monitors the dynamic threat environment associated with attacks using the Orion platform. Microsoft Defender Antivirus has announced that it will block problematic Orion binaries from 8am Pacific Standard Time on December 16th to warn users of Orion binaries that may have been loaded with malware. ..
'It's important to understand that these binaries pose a serious threat to your environment. Users should consider devices with these binaries at risk and investigate the alerted device. There is. '
In addition, Microsoft and a coalition of other tech companies have seized the domain 'avsvmcloud.com', which played a central role in the hacking of SolarWinds, and made it the property of Microsoft. This domain acts as a malware command and control server (C & C server) , communicating with the compromised system. Therefore, by monitoring the IP address that accesses this domain, it is possible to identify the organization infected with SUNBURST. Microsoft plans to create a list of victims and notify all affected agencies and companies.
Jesse Rothstein, CEO of cyber analytics firm ExtraHop , told ZDNet that malware-related domains had been seized by international law enforcement agencies and providers before. Domains were seized or deleted in response to issues such as the Necurs botnet and TrickBot.
Security company
Dark Halo Leverages SolarWinds Compromise to Breach Organizations | Volexity
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
SolarWinds hackers have a clever way to bypass multi-factor authentication | Ars Technica
https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/
According to Volexity, Dark Halo was accessing the user's email account via Outlook Web App (OWA) in the second attack. The damaged email account had two-step authentication introduced by Cisco 's security system ' Duo Security ', but Dark Halo was using a new technology that bypasses the two-step authentication.
Volexity's investigation into the situation when a hacker logged in to an email account revealed that the hacker had gained administrator privileges on the infected network and stole Duo's integrated private key from a server running OWA. The hacker is believed to have used this integrated private key to generate a valid cookie, bypassing the two-step verification after authenticating the username and password.
Volexity and Duo officials pointed out that the mechanism by which hackers bypassed two-step authentication did not exploit Duo's vulnerability. The design of the two-step authentication did not take into account a complete system breach of the OWA server, and the problem was that the hacker had enough access to almost disable the two-step authentication.
Related Posts: