SlideShare uma empresa Scribd logo

NDIA 2021 - solar winds overview and takeaways

Transferir como PPTX, PDF
B
Bryson Bort

NDIA preso

Esportes
1 de 28
@brysonbort SolarWinds Bryson Bort
@brysonbort
@brysonbort Agenda Do our adversaries have one? That’s our Agenda.
@brysonbort Who UNC 2452 - FireEye designation https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
@brysonbort Who else ● Late 2020 ● API Auth Bypass: https://nvd.nist.gov/vuln/detail/CVE-2020-10148 ● Deploy Supernova, a .NET web shell, via Powershell https://www.zdnet.com/article/supernova-malware-clues-link-chinese-threat-group-spiral-to-solarwinds-hacks/
@brysonbort Ain’t no sunshine when you’re low SUPERNOVA Malware designed to appear to be part of a SolarWinds product. ● a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896. dll” ● vulnerability in the Orion Platform to enable deployment of the malicious code.
@brysonbort See Sunspot. Sunspot run. SUNBURST SUNSPOT injected SUNBURST into the Orion Platform during the build process. SUNSPOT monitors running processes during compilation of the Orion product and replaces one of the source files. https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
@brysonbort Then… It Rains TEARDROP (FireEye) 1. memory only dropper that runs as a service, reads from the file “gracious_truth.jpg” 2. checks that HKUSOFTWAREMicrosoftCTF exists, decodes an embedded payload using a custom algorithm and manually loads into memory an embedded payload with custom PE-like file format. 3. customized Cobalt Strike BEACON. RAINDROP (Symantec) 1. loader which delivers Cobalt Strike. 2. unknown inject: appears to have been used for spreading across the victim’s network. 3. Shellcode 4. active directory query tool and credential dumper designed specifically for SolarWinds Orion databases. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain- compromises-with-sunburst-backdoor.html https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
@brysonbort GoldMax / SUNSHUTTLE ● unknown inject ● second-stage backdoor written in GoLang that features some detection evasion capabilities. ● SUNSHUTTLE - Mandiant cannot confirm connection ● decoy traffic! https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ https://www.fireeye.com/blog/threat- research/2021/03/sunshuttle-second-stage-backdoor-targeting- us-based-entity.html
@brysonbort Sibot ● dual-purpose malware implemented in VBScript. ○ persistence ○ download and execute a payload from a remote C2 server ● legitimate but compromised website to download a DLL to a folder under System32 https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
@brysonbort GoldFinder ● written in Go ● HTTP request to a hardcoded IP address ● logs the HTTP response to a plaintext log file ● identifies all HTTP proxy servers and other redirectors such as network security devices https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
@brysonbort Timeline https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to- teardrop-and-raindrop/
@brysonbort SolarWinds https://www.solarwinds.com/sa-overview/securityadvisory
@brysonbort SolarWinds SolarWinds CEO Sudhakar Ramakrishna provides a bit more detail about the three possible intrusion vectors that he referenced during Tuesday's Senate hearing. ● password spraying ● credential theft ● vulnerability in third-party software
@brysonbort Why was this targeted? Ubiquity Trust
@brysonbort What Else Happened 30% of govt & private-sector victims had no direct connection to SolarWinds: ○ The hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored in the cloud: ○ Russian hacking operation was “substantially more significant” than Cloudhopper: a 2016 Chinese-led espionage campaign. --Brandon Wales, Acting CISA Director
@brysonbort Status
@brysonbort What’d They Do ● Initial Focus: Security Docs and Staff ● Trade Secrets ● Tools
@brysonbort Pick a Number. Any Number. Fuck it, Let’s Make One Up.
@brysonbort Wait… You Mean There’s More Coming...
@brysonbort Why Would They Take These?
@brysonbort Deploy the Cavalry ((and the PR) and Fixes)
@brysonbort SW Defense YARA Rules: https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar Detections: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker- leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot- analyzing-nobelium-malware/ SIGMA: https://github.com/SigmaHQ/sigma/pull/1376
@brysonbort Takeaways There is NO Cyber Defense https://cyberdefensereview.army.mil/Portals/6/Documents/CDR%20Journal%20Articles/There%20IS%20No%20Cyber_Bort.pdf?v er=2018-07-31-093713-563 The definition of Cybersecurity Nothing is unhackable
@brysonbort Takeaways ● The Perimeter is dead. ● Your Risk includes every vendor, every product, everything that you are connected with. ● Your largest Surface Area of Risk is PEOPLE. ● Assume Breach. ○ Detect ○ Respond ○ Remediate
@brysonbort All of the Resources MITRE ATT&CK Team: https://github.com/center-for-threat- informed-defense/public- resources/blob/master/solorigate/READ ME.md SCYTHE Emulation Library: https://www.scythe.io/threatthursday
@brysonbort
@brysonbort bryson@scythe.io scythe.io @scythe_io info@scythe.io Bryson Bort SCYTHE CEO & FOUNDER 28

Recomendados

Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of CompromiseFireEye, Inc.
 
Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security Netpluz Asia Pte Ltd
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...
Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...
Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...Cristian Garcia G.
 

Recomendados

Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3Shawn Croswell
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of CompromiseFireEye, Inc.
 
Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security Netpluz DDoS Mitigation - Managed Cyber Security
Netpluz DDoS Mitigation - Managed Cyber Security Netpluz Asia Pte Ltd
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Cisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Web and Email Security Overview
Cisco Web and Email Security OverviewCisco Security
 
Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...
Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...
Últimos retos en el ámbito de la Ciberseguridad: Análisis de amenazas Ciberné...Cristian Garcia G.
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)HITCON GIRLS
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016William Slater III
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...FireEye, Inc.
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudGGV Capital
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016Shannon G., MBA
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityMarketingArrowECS_CZ
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky
 
Anticipate and Prevent Cyber Attack Scenarios, Before They Occur
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurAnticipate and Prevent Cyber Attack Scenarios, Before They Occur
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurSkybox Security
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52Felipe Prado
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco Security
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Rahul Neel Mani
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfLior Rotkovitch
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 

Mais conteúdo relacionado

Mais procurados

逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)HITCON GIRLS
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016William Slater III
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...FireEye, Inc.
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Brian Bissett
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudGGV Capital
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016Shannon G., MBA
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceTom K
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky
 
Anticipate and Prevent Cyber Attack Scenarios, Before They Occur
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurAnticipate and Prevent Cyber Attack Scenarios, Before They Occur
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurSkybox Security
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52Felipe Prado
 
Cyber Security
Cyber SecurityCyber Security
Cyber Securityfrcarlson
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco Security
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Rahul Neel Mani
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 

Mais procurados (20)

逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
 
The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016The Mirai Botnet and Massive DDoS Attacks of October 2016
The Mirai Botnet and Massive DDoS Attacks of October 2016
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?
 
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser...
 
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
Presentation given at Bio-IT World 2016 as a Senior Member of the IEEE on the...
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
 
INTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICS
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016
 
Cyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General AudienceCyber Kill Chain Deck for General Audience
Cyber Kill Chain Deck for General Audience
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
Kaspersky Lab’s Webinar ‘Emerging Threats in the APT World: Predictions for 2...
 
Anticipate and Prevent Cyber Attack Scenarios, Before They Occur
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurAnticipate and Prevent Cyber Attack Scenarios, Before They Occur
Anticipate and Prevent Cyber Attack Scenarios, Before They Occur
 
Insecure magazine - 52
Insecure magazine - 52Insecure magazine - 52
Insecure magazine - 52
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide DeckCisco 2015 Midyear Security Report Slide Deck
Cisco 2015 Midyear Security Report Slide Deck
 
Security Incident Response Readiness Survey
Security Incident Response Readiness Survey Security Incident Response Readiness Survey
Security Incident Response Readiness Survey
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 

Semelhante a NDIA 2021 - solar winds overview and takeaways

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfLior Rotkovitch
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Elastic user group London nov 2019
Elastic user group London nov 2019Elastic user group London nov 2019
Elastic user group London nov 2019Andrey Bezverkhiy
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...IRJET Journal
 
Everything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeepEverything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeepIvanti
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...
CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...
CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...CloudIDSummit
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35Felipe Prado
 
Presales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptxPresales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptxPawachMetharattanara
 
Presales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptxPresales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptxPawachMetharattanara
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveCisco DevNet
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!nettitude_labs
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityDr. Ramchandra Mangrulkar
 
IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016
IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016
IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016Glynn Bird
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
Embedding security into your Terraform code
Embedding security into your Terraform codeEmbedding security into your Terraform code
Embedding security into your Terraform codeBarak Schoster Goihman
 
Spring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniVMware Tanzu
 

Semelhante a NDIA 2021 - solar winds overview and takeaways (20)

Software management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdfSoftware management, the seasonal return of DDoS - This Week in Security.pdf
Software management, the seasonal return of DDoS - This Week in Security.pdf
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Elastic user group London nov 2019
Elastic user group London nov 2019Elastic user group London nov 2019
Elastic user group London nov 2019
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
 
Everything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeepEverything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeep
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...
CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...
CIS13: From Governance to Virtualization: The Expanding Arena of Privileged I...
 
INSECURE Magazine - 35
INSECURE Magazine - 35INSECURE Magazine - 35
INSECURE Magazine - 35
 
Presales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptxPresales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptx
 
Presales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptxPresales-Present_GravityZone Products_June2023.pptx
Presales-Present_GravityZone Products_June2023.pptx
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!Trusted Third Parties are NOT Trust Worthy!
Trusted Third Parties are NOT Trust Worthy!
 
10. PI_Dunton - OT Security.pdf
10. PI_Dunton - OT Security.pdf10. PI_Dunton - OT Security.pdf
10. PI_Dunton - OT Security.pdf
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application Security
 
IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016
IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016
IoT Sensor Sensibility - Hull Digital - C4Di - Feb 2016
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Embedding security into your Terraform code
Embedding security into your Terraform codeEmbedding security into your Terraform code
Embedding security into your Terraform code
 
R u hacked
R u hackedR u hacked
R u hacked
 
Spring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane MaldiniSpring Cloud Gateway - Stéphane Maldini
Spring Cloud Gateway - Stéphane Maldini
 

Último

08448380779 Call Girls In International Airport Women Seeking Men
08448380779 Call Girls In International Airport Women Seeking Men08448380779 Call Girls In International Airport Women Seeking Men
08448380779 Call Girls In International Airport Women Seeking MenDelhi Call girls
 
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfJORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfArturo Pacheco Alvarez
 
ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024Brian Slack
 
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Marina Costa
 
Albania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docx
Albania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docxAlbania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docx
Albania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docxWorld Wide Tickets And Hospitality
 
08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking MenDelhi Call girls
 
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdfTAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdfSocial Samosa
 
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxUEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxEuro Cup 2024 Tickets
 
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking MenDelhi Call girls
 
9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In Ghazipur9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In GhazipurGenuineGirls
 
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...World Wide Tickets And Hospitality
 
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...Diya Sharma
 
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...baharayali
 
Top Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash Payment
Top Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash PaymentTop Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash Payment
Top Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash Paymentanilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual serviceanilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺anilsa9823
 
Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...
Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...
Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...Neil Horowitz
 
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxWorld Wide Tickets And Hospitality
 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Eticketing.co
 
( Sports training) All topic (MCQs).pptx
( Sports training) All topic (MCQs).pptx( Sports training) All topic (MCQs).pptx
( Sports training) All topic (MCQs).pptxParshotamGupta1
 

Último (20)

08448380779 Call Girls In International Airport Women Seeking Men
08448380779 Call Girls In International Airport Women Seeking Men08448380779 Call Girls In International Airport Women Seeking Men
08448380779 Call Girls In International Airport Women Seeking Men
 
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdfJORNADA 5 LIGA MURO 2024INSUGURACION.pdf
JORNADA 5 LIGA MURO 2024INSUGURACION.pdf
 
ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024ALL NFL NETWORK CONTACTS- April 29, 2024
ALL NFL NETWORK CONTACTS- April 29, 2024
 
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.Who Is Emmanuel Katto Uganda? His Career, personal life etc.
Who Is Emmanuel Katto Uganda? His Career, personal life etc.
 
Albania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docx
Albania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docxAlbania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docx
Albania Vs Spain Albania is Loaded with Defensive Talent on their Roster.docx
 
08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men08448380779 Call Girls In Karol Bagh Women Seeking Men
08448380779 Call Girls In Karol Bagh Women Seeking Men
 
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdfTAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
TAM Sports_IPL 17 Till Match 37_Celebrity Endorsement _Report.pdf
 
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docxUEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
UEFA Euro 2024 Squad Check-in Who is Most Favorite.docx
 
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men08448380779 Call Girls In Lajpat Nagar Women Seeking Men
08448380779 Call Girls In Lajpat Nagar Women Seeking Men
 
9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In Ghazipur9990611130 Find & Book Russian Call Girls In Ghazipur
9990611130 Find & Book Russian Call Girls In Ghazipur
 
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
Spain Vs Albania- Spain at risk of being thrown out of Euro 2024 with Tournam...
 
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
🔝|97111༒99012🔝 Call Girls In {Delhi} Cr Park ₹5.5k Cash Payment With Room De...
 
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
Asli Kala jadu, Black magic specialist in Pakistan Or Kala jadu expert in Egy...
 
Top Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash Payment
Top Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash PaymentTop Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash Payment
Top Call Girls In Jankipuram ( Lucknow ) 🔝 8923113531 🔝 Cash Payment
 
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best Female service 🦺
 
Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...
Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...
Atlanta Dream Exec Dan Gadd on Driving Fan Engagement and Growth, Serving the...
 
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docxSlovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
Slovenia Vs Serbia UEFA Euro 2024 Fixture Guide Every Fixture Detailed.docx
 
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
Croatia vs Italy Euro Cup 2024 Three pitfalls for Spalletti’s Italy in Group ...
 
( Sports training) All topic (MCQs).pptx
( Sports training) All topic (MCQs).pptx( Sports training) All topic (MCQs).pptx
( Sports training) All topic (MCQs).pptx
 

NDIA 2021 - solar winds overview and takeaways

  • 3. @brysonbort Agenda Do our adversaries have one? That’s our Agenda.
  • 4. @brysonbort Who UNC 2452 - FireEye designation https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
  • 5. @brysonbort Who else ● Late 2020 ● API Auth Bypass: https://nvd.nist.gov/vuln/detail/CVE-2020-10148 ● Deploy Supernova, a .NET web shell, via Powershell https://www.zdnet.com/article/supernova-malware-clues-link-chinese-threat-group-spiral-to-solarwinds-hacks/
  • 6. @brysonbort Ain’t no sunshine when you’re low SUPERNOVA Malware designed to appear to be part of a SolarWinds product. ● a malicious, unsigned webshell .dll “app_web_logoimagehandler.ashx.b6031896. dll” ● vulnerability in the Orion Platform to enable deployment of the malicious code.
  • 7. @brysonbort See Sunspot. Sunspot run. SUNBURST SUNSPOT injected SUNBURST into the Orion Platform during the build process. SUNSPOT monitors running processes during compilation of the Orion product and replaces one of the source files. https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
  • 8. @brysonbort Then… It Rains TEARDROP (FireEye) 1. memory only dropper that runs as a service, reads from the file “gracious_truth.jpg” 2. checks that HKUSOFTWAREMicrosoftCTF exists, decodes an embedded payload using a custom algorithm and manually loads into memory an embedded payload with custom PE-like file format. 3. customized Cobalt Strike BEACON. RAINDROP (Symantec) 1. loader which delivers Cobalt Strike. 2. unknown inject: appears to have been used for spreading across the victim’s network. 3. Shellcode 4. active directory query tool and credential dumper designed specifically for SolarWinds Orion databases. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain- compromises-with-sunburst-backdoor.html https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
  • 9. @brysonbort GoldMax / SUNSHUTTLE ● unknown inject ● second-stage backdoor written in GoLang that features some detection evasion capabilities. ● SUNSHUTTLE - Mandiant cannot confirm connection ● decoy traffic! https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ https://www.fireeye.com/blog/threat- research/2021/03/sunshuttle-second-stage-backdoor-targeting- us-based-entity.html
  • 10. @brysonbort Sibot ● dual-purpose malware implemented in VBScript. ○ persistence ○ download and execute a payload from a remote C2 server ● legitimate but compromised website to download a DLL to a folder under System32 https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
  • 11. @brysonbort GoldFinder ● written in Go ● HTTP request to a hardcoded IP address ● logs the HTTP response to a plaintext log file ● identifies all HTTP proxy servers and other redirectors such as network security devices https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
  • 14. @brysonbort SolarWinds SolarWinds CEO Sudhakar Ramakrishna provides a bit more detail about the three possible intrusion vectors that he referenced during Tuesday's Senate hearing. ● password spraying ● credential theft ● vulnerability in third-party software
  • 15. @brysonbort Why was this targeted? Ubiquity Trust
  • 16. @brysonbort What Else Happened 30% of govt & private-sector victims had no direct connection to SolarWinds: ○ The hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored in the cloud: ○ Russian hacking operation was “substantially more significant” than Cloudhopper: a 2016 Chinese-led espionage campaign. --Brandon Wales, Acting CISA Director
  • 18. @brysonbort What’d They Do ● Initial Focus: Security Docs and Staff ● Trade Secrets ● Tools
  • 19. @brysonbort Pick a Number. Any Number. Fuck it, Let’s Make One Up.
  • 20. @brysonbort Wait… You Mean There’s More Coming...
  • 22. @brysonbort Deploy the Cavalry ((and the PR) and Fixes)
  • 23. @brysonbort SW Defense YARA Rules: https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar Detections: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker- leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot- analyzing-nobelium-malware/ SIGMA: https://github.com/SigmaHQ/sigma/pull/1376
  • 24. @brysonbort Takeaways There is NO Cyber Defense https://cyberdefensereview.army.mil/Portals/6/Documents/CDR%20Journal%20Articles/There%20IS%20No%20Cyber_Bort.pdf?v er=2018-07-31-093713-563 The definition of Cybersecurity Nothing is unhackable
  • 25. @brysonbort Takeaways ● The Perimeter is dead. ● Your Risk includes every vendor, every product, everything that you are connected with. ● Your largest Surface Area of Risk is PEOPLE. ● Assume Breach. ○ Detect ○ Respond ○ Remediate
  • 26. @brysonbort All of the Resources MITRE ATT&CK Team: https://github.com/center-for-threat- informed-defense/public- resources/blob/master/solorigate/READ ME.md SCYTHE Emulation Library: https://www.scythe.io/threatthursday

Notas do Editor

  1. What it Says: A Chinese-linked cyberattack exploiting vulnerabilities in Microsoft’s on-premises Exchange email software likely compromised 30,000+ U.S. businesses, govt offices, & schools: Hafnium -- the Chinese hacking group -- stealthily attacked several targets in Jan., but escalated its efforts to find as many vulnerable networks as possible after MSFT’s Tuesday patch release. The hackers were able to access victims’ email servers without a password, allowing them to steal emails & install “backdoors” for future surveillance. Most victims appear to be small and medium-size organizations -- many large orgs now use Microsoft’s cloud-based O365, which wasn’t impacted.