SolarWinds Campaign Even Wider Than First Thought

Uploaded on 2021-04-28 in TECHNOLOGY--Hackers, NEWS-News Analysis, GOVERNMENT-National, FREE TO VIEW

A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. The catastrophic SolarWinds security incident involved the compromise of the IT software vendor's network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst

Now researchers have now uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known.  The researchers found that this infrastructure was registered under varying names and at different times over several years to avoid establishing a traceable pattern. 

The White House, together with the UK government, has blamed the attacks on state-backed Russian cyber criminals, the  APT29 group otherwise known as Cozy Bear.

The servers, which the hackers used to communicate with infected machines and send additional malware to them, may help point investigators to previously unidentified victims, according to researchers with RiskIQ’s Atlas Team. Investigators had previously identified about three dozen command-and-control servers used in the operation. The new findings expand that infrastructure by more than half. 

RiskIQ also uncovered  evidence that two servers previously identified as part of the hackers’ infrastructure were active on February 27, 2020, evidently pushing malware out to infected victims. The two servers, which used the domain names globalnetworkissues.com and seobundlekit.com, were part of the so-called “second-stage” operation that delivered additional malware to victims after they were already infected with compromised SolarWinds software.

If the two servers were pushing out second-stage malware to victims in February, this raises the possibility that either a previously unknown version of the SolarWinds software was compromised and infected customers in February, or the attackers were pushing second-stage malware to victims who had been infected in some other way, not through the compromised SolarWinds software. 

RiskIQ say that their findings will "likely lead to newly identified targets." US-CERT was made aware of RiskIQ's findings prior to public disclosure. 

CERT CISA:     SolarWinds:      Risk IQ:      ZDNet:     Kim Zetter:      Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

 

« Better Cyber Security For Smart Devices
WEBINAR: How to fuel your DevSecOps in AWS »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cato Networks

Cato Networks

Cato connects your branch locations, physical and cloud datacenters, and mobile users into a secure and optimized global network in the cloud.

BPC Banking Technologies

BPC Banking Technologies

BPC’s advanced fraud prevention solution helps card issuers and acquirers combat the growing threat by monitoring 100% of transactions, online, in real-time across all channels.

Red Balloon Security (RBS)

Red Balloon Security (RBS)

Red Balloon Security is a leading embedded device security company, delivering deep host-based defense for all devices.

FarrPoint

FarrPoint

FarrPoint is a specialist telecoms consultancy providing a range of services including cyber security assessments and technical assurance to safeguard your data.

Spherical Defense

Spherical Defense

Spherical Defense offers an alternative approach to WAFs and first generation API security tools.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

Approach

Approach

Approach is a leading provider of cyber security consulting and secure application development services in Belgium.

SQN Banking Systems

SQN Banking Systems

SQN Banking Systems fraud detection software products are a critical step towards overcoming the growing problem of fraud across the various payment channels.

Celerium

Celerium

Celerium transforms cyber defense for both companies and industry sectors by leveraging cyber threat intelligence to defend against cyber threats and attacks.

CloudVector

CloudVector

CloudVector's API Detection & Response platform is the only API Threat Protection solution that goes beyond the gateway to provide Shadow API Prevention and Deep API Risk Monitoring and Remediation.

Saporo

Saporo

Saporo helps organizations increase their cyber-resistance. Continuously map your attack surface and get the recommendations you need to make your organization more resistant to attacks.

Cyber Security Works (CSW)

Cyber Security Works (CSW)

Cyber Security Works is your organization’s early cybersecurity warning system to help prevent attacks before they happen.

Devolutions

Devolutions

Devolutions make best-in-class Privileged Access Management, Password Management, and Remote Connection Management solutions available to ALL organizations — including SMBs.

PROW Information Technology

PROW Information Technology

PROW is at the forefront of the technology and digital revolution with a focus and mastery in the cybersecurity, information security and data management realms.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

First Focus

First Focus

First Focus is a managed service provider for medium-sized organisations.