1.888.900.DRIZ (3749)
The Driz Group

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

1/26/2021


Hunt for Earliest Artifacts of Compromise

 

Three of Microsoft’s cyber defense teams recently published their collective findings on the second stage of the Solorigate intrusion, the same campaign in which the attackers were able to view one of the company’s crown jewels: Microsoft source code.

In the blog post "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop," three of Microsoft’s cyber defense teams, the Microsoft 365 Defender Research Team, the Microsoft Threat Intelligence Center, and the Microsoft Cyber Defense Operations Center, revealed new details on how the attackers moved from the initial backdoor to hands-on-keyboard activity inside victim networks, and on the steps they took to avoid detection while doing so.

On December 31, 2020, Microsoft disclosed that one internal account had been compromised and used to view source code in a number of source code repositories. "The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made," Microsoft said.

Background

Microsoft earlier confirmed that it was one of the victims of the SolarWinds supply chain attack. Microsoft is one of the thousands of SolarWinds customers that unwittingly installed an Orion software update into which the attackers had inserted a backdoor. Microsoft calls this backdoor "Solorigate" (FireEye calls the same component SUNBURST); it was used to further compromise the networks of those that installed the poisoned update.

In a report to the U.S. Securities and Exchange Commission, SolarWinds said, "SolarWinds currently believes the actual number of customers that may have had an installation of the [SolarWinds] Orion products that contained this vulnerability to be fewer than 18,000."

Microsoft provided the following timeline of how the attackers compromised the SolarWinds build process and the update it produced:

Sept. 4, 2019: Attackers start accessing SolarWinds

Sept. 12, 2019: Attackers start injecting test code

Nov. 4, 2019: Attackers stop injecting test code

Feb. 20, 2020: Solorigate malware backdoor is compiled and deployed

March 2020: Estimated start of distribution of Solorigate malware backdoor

May 2020: Estimated start of actual hands-on-keyboard attacks

June 4, 2020: Attackers remove malware from SolarWinds build environment

Dec. 12, 2020: Solorigate malware supply chain attack disclosed

How the Attack Transpired

According to FireEye, itself one of the victims of the SolarWinds supply chain attack, the backdoor delivered through the poisoned update was used to drop TEARDROP, a memory-only loader that in turn ran a customized Cobalt Strike Beacon payload.

Cobalt Strike is a commercially available penetration testing tool that is marketed as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Its post-exploitation features include a built-in Mimikatz module, and it interoperates with the Metasploit Framework.

Mimikatz is a tool that extracts Windows credentials, including plaintext passwords, NTLM hashes and Kerberos tickets, from the memory of the LSASS process, and supports follow-on attacks such as pass-the-hash and pass-the-ticket.

Metasploit, meanwhile, is another penetration testing framework popular with both attackers and defenders. With Metasploit, an operator picks a target, picks an exploit, and picks a payload to drop.

"One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader," Microsoft’s cyber defense teams said.

According to Microsoft’s cyber defense teams, the following tactics allowed the attackers to hide their malware and malicious actions:

  1. Avoidance of Shared Indicators for Each Compromised Host

Each Cobalt Strike implant was built to be unique for every compromised computer, avoiding any overlap or reuse of file name, folder name, export function names, HTTP requests, C2 domain/IP, file metadata, and timestamps. An indicator pulled from one host therefore says little about the next one.

  2. Camouflage and Blending into the Environment

Tools used by the attackers, including the legitimate utility AdFind (a command-line tool for querying Active Directory), were always renamed and placed in folders that imitated existing programs and files already present on the compromised computer.

  3. Disabling of Event Logging

The Windows Security event log records activity such as logon sessions, account lockouts, failed password attempts and process creation. Before conducting hands-on-keyboard activity, the attackers turned the relevant audit policies off with the built-in auditpol.exe utility and turned them back on afterward, so that the activity itself left only a gap in the log. The policy change is itself recorded as Security event 4719 (system audit policy was changed), which makes it one of the earliest artifacts a hunter can look for.

  4. Firewall Rules Modifications

Before running network enumeration, the attackers added firewall rules that reduced outgoing packets for certain protocols. Once enumeration was finished, they removed the rules again.

  5. Disabling of Certain Security Services

Before conducting lateral movement, the attackers first disabled certain security services. Lateral movement refers to the attackers’ progression from the initially compromised host to other systems on the victim’s network.

In this case the attackers gained initial access to the victims’ networks via the poisoned SolarWinds update. The activity that follows initial access is typically aimed at finding sensitive data and other high-value assets.

  6. Timestomping

Microsoft’s cyber defense teams believe that the attackers used timestomping. In timestomping, attackers change the timestamps of a file, that is, the created, modified and accessed times the file system records for it, so that the file blends in with its neighbors. The goal is to derail forensic investigators and file analysis tools that rely on timelines.
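The hunting logic that tactics 2 through 5 imply, as an added example that is not part of the original post or of Microsoft’s write-up: a small Python script that runs over a handful of constructed Windows event records (Sysmon process creation, Security log events 4719, 4946 and 4948, and System log event 7040, flattened into dictionaries) and pulls out renamed tools, audit-policy blind spots, short-lived firewall rules and disabled security services. The SHA256 value in TOOL_HASHES and every event record are constructed placeholders, not real AdFind hashes or real telemetry, and the 4719 pairing assumes consistent clocks across the logs.

```python
"""Hunt for the evasion steps above in constructed Windows telemetry.
Added example; not code from Microsoft's deep dive or from The Driz Group."""
import os
from datetime import datetime, timedelta

# Constructed SHA256 -> canonical name of a tool operators like to rename.
# Placeholder digest, NOT a real AdFind hash; fill from your own catalogue.
TOOL_HASHES = {"11" * 32: "adfind.exe"}
# Services whose start type should never quietly become 'disabled'.
WATCHED_SERVICES = {"sense", "windefend", "sysmon64"}
# Values Windows writes in the AuditPolicyChanges field of Security event 4719.
AUDIT_CHANGE = {"%%8448": "Success removed", "%%8449": "Success added",
                "%%8450": "Failure removed", "%%8451": "Failure added"}

# Constructed sample telemetry flattened to dicts: Sysmon EventID 1 (process
# creation), Security 4719 / 4946 / 4948 and System 7040 (start type changed).
EVENTS = [
    {"ts": "2020-05-02T12:00:00", "log": "System", "id": 7040,
     "Service": "Fax", "OldStart": "demand start", "NewStart": "disabled"},
    {"ts": "2020-05-03T01:02:00", "log": "Security", "id": 4719,
     "Subcategory": "Process Creation", "AuditPolicyChanges": "%%8448"},
    {"ts": "2020-05-03T01:02:30", "log": "Sysmon", "id": 1,
     "Image": r"C:\Windows\SysWOW64\wininet\ntbrowser.exe",
     "Hashes": "MD5=" + "aa" * 16 + ",SHA256=" + "11" * 32},
    {"ts": "2020-05-03T01:03:00", "log": "Sysmon", "id": 1,
     "Image": r"C:\Windows\System32\net.exe",
     "Hashes": "MD5=" + "bb" * 16 + ",SHA256=" + "22" * 32},
    {"ts": "2020-05-03T01:10:00", "log": "Security", "id": 4719,
     "Subcategory": "Process Creation", "AuditPolicyChanges": "%%8449"},
    {"ts": "2020-05-03T02:00:00", "log": "Security", "id": 4946,
     "RuleName": "Core Networking Helper", "ProfileChanged": "All"},
    {"ts": "2020-05-03T02:45:00", "log": "Security", "id": 4948,
     "RuleName": "Core Networking Helper", "ProfileChanged": "All"},
    {"ts": "2020-05-03T03:00:00", "log": "System", "id": 7040,
     "Service": "Sense", "OldStart": "auto start", "NewStart": "disabled"},
]

def _t(ev):
    return datetime.fromisoformat(ev["ts"])

def _sha256(ev):
    pairs = dict(p.split("=", 1) for p in ev["Hashes"].split(","))
    return pairs.get("SHA256", "").lower()

def find_renamed_tools(events):
    """Tactic 2: a catalogued tool hash running under a name that is not its own."""
    hits = []
    for ev in events:
        if ev["log"] == "Sysmon" and ev["id"] == 1:
            expected = TOOL_HASHES.get(_sha256(ev))
            on_disk = os.path.basename(ev["Image"].replace("\\", "/")).lower()
            if expected and on_disk != expected:
                hits.append((ev["ts"], ev["Image"], expected))
    return hits

def find_audit_gaps(events):
    """Tactic 3: pair 'removed' / 'added' 4719 events per audit subcategory and
    list what Sysmon still recorded while the Security log was blind."""
    gaps, open_at = [], {}
    for ev in sorted(events, key=_t):
        if ev["log"] != "Security" or ev["id"] != 4719:
            continue
        change, sub = AUDIT_CHANGE.get(ev["AuditPolicyChanges"], ""), ev["Subcategory"]
        if change.endswith("removed"):
            open_at.setdefault(sub, ev["ts"])
        elif change.endswith("added") and sub in open_at:
            start = open_at.pop(sub)
            seen = [e["Image"] for e in events if e["log"] == "Sysmon" and e["id"] == 1
                    and datetime.fromisoformat(start) <= _t(e) <= _t(ev)]
            gaps.append({"subcategory": sub, "start": start, "end": ev["ts"], "seen": seen})
    for sub, start in open_at.items():  # auditing never re-enabled is a finding too
        gaps.append({"subcategory": sub, "start": start, "end": None, "seen": []})
    return gaps

def find_firewall_churn(events, max_age=timedelta(hours=6)):
    """Tactic 4: a rule added (4946) and deleted again (4948) within max_age."""
    added, hits = {}, []
    for ev in sorted(events, key=_t):
        if ev["log"] == "Security" and ev["id"] == 4946:
            added[ev["RuleName"]] = ev
        elif ev["log"] == "Security" and ev["id"] == 4948 and ev["RuleName"] in added:
            first = added.pop(ev["RuleName"])
            if _t(ev) - _t(first) <= max_age:
                hits.append((ev["RuleName"], first["ts"], ev["ts"]))
    return hits

def find_services_disabled(events):
    """Tactic 5: 7040 start-type changes to 'disabled'; third field marks watched ones."""
    return [(ev["ts"], ev["Service"], ev["Service"].lower() in WATCHED_SERVICES)
            for ev in events if ev["log"] == "System" and ev["id"] == 7040
            and ev["NewStart"].lower() == "disabled"]

def hunt(events=EVENTS):
    return {"renamed_tools": find_renamed_tools(events),
            "audit_gaps": find_audit_gaps(events),
            "firewall_churn": find_firewall_churn(events),
            "services_disabled": find_services_disabled(events)}

if __name__ == "__main__":
    for name, findings in hunt().items():
        print(name, *findings, sep="\n    ")
```

The point of find_audit_gaps is that a Security log with process-creation auditing switched off does not record the attacker’s processes, so the gap itself is the artifact and a second telemetry source (here Sysmon, in practice EDR) has to be laid over it. The hash check is only as good as the catalogue behind TOOL_HASHES; a tool with no known hash is caught by the other three checks or not at all.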
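Timestomping detection for tactic 6, as a second added example (again not from the page’s sources): NTFS keeps two sets of timestamps per file, $STANDARD_INFORMATION, which the SetFileTime API can rewrite, and $FILE_NAME, which only the kernel updates. A backdated file therefore tends to show a $STANDARD_INFORMATION creation time earlier than its $FILE_NAME creation time, and timestamps written with whole-second granularity carry a zero sub-second part. The records below are constructed MFT-style entries with invented paths; the script ranks them rather than alerting, because installers and archive extractors call SetFileTime too.

```python
"""Rank NTFS timestomping candidates from constructed $STANDARD_INFORMATION (SI)
and $FILE_NAME (FN) timestamps. Added example; not from Microsoft or The Driz Group."""
from datetime import datetime

# Constructed MFT-style records; timestamps keep NTFS 100ns precision (7 digits).
RECORDS = [
    {"path": r"C:\Windows\System32\svchost.exe",               # untouched system file
     "si_created": "2019-12-07T09:08:11.4211220", "si_modified": "2019-12-07T09:08:11.4211220",
     "fn_created": "2019-12-07T09:08:11.4211220", "fn_modified": "2019-12-07T09:08:11.4211220"},
    {"path": r"C:\Windows\SysWOW64\wininet\ntbrowser.exe",     # backdated, second granularity
     "si_created": "2019-12-07T09:08:11.0000000", "si_modified": "2019-12-07T09:08:11.0000000",
     "fn_created": "2020-05-03T01:02:15.9932170", "fn_modified": "2020-05-03T01:02:15.9932170"},
    {"path": r"C:\Program Files\Common Files\svcupdate.exe",   # times copied from a donor file
     "si_created": "2019-12-07T09:08:11.4211220", "si_modified": "2019-12-07T09:08:11.4211220",
     "fn_created": "2020-05-04T22:41:03.1180045", "fn_modified": "2020-05-04T22:41:03.1180045"},
    {"path": r"C:\Users\jdoe\Downloads\report.docx",           # legitimate: extracted from a zip
     "si_created": "2020-05-01T10:00:00.1234560", "si_modified": "2018-01-01T00:00:00.0000000",
     "fn_created": "2020-05-01T10:00:00.1234560", "fn_modified": "2020-05-01T10:00:00.1234560"},
]

def parse_ntfs_time(ts):
    """Split 'YYYY-MM-DDTHH:MM:SS.ttttttt' into (datetime to the second, 100ns ticks)."""
    head, _, frac = ts.partition(".")
    return datetime.fromisoformat(head), int((frac or "0").ljust(7, "0"))

def score_record(rec):
    """Return (score, reasons); a higher score means more likely timestomped."""
    score, reasons = 0, []
    si_c, si_c_ticks = parse_ntfs_time(rec["si_created"])
    fn_c, _ = parse_ntfs_time(rec["fn_created"])
    _, si_m_ticks = parse_ntfs_time(rec["si_modified"])
    # Strong: SetFileTime rewrites SI only, so an SI creation time earlier than the
    # kernel-maintained FN creation time means the creation time was pushed backwards.
    if si_c < fn_c:
        score += 3
        reasons.append("SI created %s precedes FN created %s" % (rec["si_created"], rec["fn_created"]))
    # Weak: whole-second timestamps (zero 100ns ticks) are typical of timestomping
    # tools, but also of zip extraction and some installers, hence only one point each.
    if si_c_ticks == 0:
        score += 1
        reasons.append("SI created has zero sub-second ticks")
    if si_m_ticks == 0:
        score += 1
        reasons.append("SI modified has zero sub-second ticks")
    return score, reasons

def rank_timestomp_candidates(records):
    """Only records with at least one indicator, highest score first."""
    scored = [(rec["path"], *score_record(rec)) for rec in records]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    for path, score, reasons in rank_timestomp_candidates(RECORDS):
        print(score, path, "; ".join(reasons))
```

The donor-file record shows why the zero-ticks heuristic is not enough on its own: a tool that copies another file’s timestamps onto the implant (Cobalt Strike’s timestomp command works this way) produces realistic sub-second values, and only the SI-before-FN comparison catches it. The zip-extracted document scores one point and sits at the bottom, which is where an analyst wants benign noise.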

If All Else Fails

As of this writing, the identity of the attackers behind the SolarWinds supply chain attack, which led on to the compromise of downstream networks including those of Microsoft and FireEye, has not been conclusively established.

One takeaway from this supply chain attack is the need for network segmentation. If all else fails, one way to protect your organization’s crown jewels is to implement network segmentation.

In network segmentation, your organization’s network is divided into sub-networks, with traffic between them restricted to what each one actually needs, so that a compromise of one sub-network cannot spread freely to the others. A trusted update that turns out to carry a backdoor is exactly the case in which the controls in front of it have already failed.


    Author

    Steve E. Driz, I.S.P., ITCP



© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit