4. @brysonbort
Who
UNC2452 - FireEye designation
https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
5. @brysonbort
Who else
● Late 2020
● API Auth Bypass: https://nvd.nist.gov/vuln/detail/CVE-2020-10148
● Deploy SUPERNOVA, a .NET web shell, via PowerShell
https://www.zdnet.com/article/supernova-malware-clues-link-chinese-threat-group-spiral-to-solarwinds-hacks/
6. @brysonbort
Ain’t no sunshine when you’re low
SUPERNOVA
Malware designed to appear to be part of a
SolarWinds product.
● a malicious, unsigned webshell .dll: “app_web_logoimagehandler.ashx.b6031896.dll”
● a vulnerability in the Orion Platform was used to enable deployment of the malicious code.
7. @brysonbort
See Sunspot. Sunspot run.
SUNBURST
SUNSPOT injected SUNBURST
into the Orion Platform during the
build process.
SUNSPOT monitors running
processes during compilation of the
Orion product and replaces one of
the source files.
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
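The build-time file swap described above is what a defender wants to catch while it happens. The following detector is an added example, not code from the deck or from CrowdStrike: it flags writes to source files that land inside the build window but come from a process outside the build toolchain (a hash comparison taken only after the build can miss a swap whose original is put back afterwards). The log format, process names, paths and build window are constructed for the demo.

```python
# Added example (not code from the deck or from CrowdStrike): a detector
# for the SUNSPOT pattern, a source file written during a build by a
# process that is not part of the build toolchain. Log format, process
# names, paths and the build window are all constructed for this demo.
from dataclasses import dataclass
from datetime import datetime

BUILD_TOOLS = {"msbuild.exe", "csc.exe", "devenv.exe"}  # assumed allow-list
SOURCE_EXTS = (".cs", ".csproj", ".sln")

@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    process: str
    action: str   # "read" or "write"
    path: str

def parse_event(line):
    """Parse one 'ISO-time|process|action|path' line (constructed format)."""
    ts, proc, action, path = line.strip().split("|", 3)
    return FileEvent(datetime.fromisoformat(ts), proc.lower(), action, path)

def find_build_tampering(events, build_start, build_end):
    """Writes to source files inside the build window by non-build processes."""
    return [e for e in events
            if e.action == "write"
            and build_start <= e.ts <= build_end
            and e.path.lower().endswith(SOURCE_EXTS)
            and e.process not in BUILD_TOOLS]

# Constructed sample telemetry: a hostile swap-in and a later restore of the
# same source file both land inside the build window.
SAMPLE_LOG = """\
2020-02-20T10:00:05|msbuild.exe|read|C:\\build\\Orion\\Module.cs
2020-02-20T10:00:07|rogue.exe|write|C:\\build\\Orion\\Module.cs
2020-02-20T10:00:09|csc.exe|read|C:\\build\\Orion\\Module.cs
2020-02-20T10:00:30|csc.exe|write|C:\\build\\Orion\\bin\\Orion.dll
2020-02-20T10:00:31|rogue.exe|write|C:\\build\\Orion\\Module.cs
2020-02-20T11:30:00|devenv.exe|write|C:\\build\\Orion\\Core.cs
"""
BUILD_START = datetime(2020, 2, 20, 10, 0, 0)
BUILD_END = datetime(2020, 2, 20, 10, 1, 0)

def demo():
    """Run the detector over SAMPLE_LOG; returns the flagged events."""
    events = [parse_event(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return find_build_tampering(events, BUILD_START, BUILD_END)
```

The compiler's own write of Orion.dll and the developer's edit outside the window are not flagged; only the two writes by the unlisted process are.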
8. @brysonbort
Then… It Rains
TEARDROP (FireEye)
1. memory-only dropper that runs as a service and reads from the file “gracious_truth.jpg”
2. checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom algorithm and manually loads into memory an embedded payload with a custom PE-like file format.
3. the decoded payload is a customized Cobalt Strike BEACON.
RAINDROP (Symantec)
1. loader which delivers Cobalt Strike.
2. unknown inject: appears to have been used for spreading across the victim’s network.
3. Shellcode
4. Active Directory query tool and credential dumper designed specifically for SolarWinds Orion databases.
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
9. @brysonbort
GoldMax / SUNSHUTTLE
● unknown inject
● second-stage backdoor written in Go that features some detection evasion capabilities.
● SUNSHUTTLE - Mandiant cannot confirm connection
● decoy traffic!
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html
10. @brysonbort
Sibot
● dual-purpose malware implemented in VBScript.
○ persistence
○ download and execute a payload from a remote C2 server
● legitimate but compromised website used to download a DLL to a folder under System32
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
11. @brysonbort
GoldFinder
● written in Go
● HTTP request to a hardcoded IP address
● logs the HTTP response to a plaintext log file
● identifies all HTTP proxy servers and other redirectors such as network security devices
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
14. @brysonbort
SolarWinds
SolarWinds CEO Sudhakar Ramakrishna provides a bit more detail about the three possible intrusion vectors that he referenced during Tuesday's Senate hearing.
● password spraying
● credential theft
● vulnerability in third-party software
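Password spraying, the first vector listed, is designed to stay under per-account lockout thresholds, so the detectable signal is one source failing against many distinct accounts in a short window. The detector below is an added example, not from the deck or from SolarWinds; its log format and every username and address are constructed.

```python
# Added example (not from the deck): a password-spraying detector over a
# constructed authentication log. Spraying tries one or a few passwords
# across many accounts, so per-account failure counters stay quiet; the
# signal is one source IP failing against many distinct users within a
# sliding window. All names, addresses and timestamps are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

def parse_auth(line):
    """'ISO-time user source_ip result' (constructed format) -> tuple."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user.lower(), ip, result

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted users} for every source whose failed
    logins cover at least min_users distinct accounts inside one window."""
    failures = defaultdict(list)            # ip -> [(ts, user)], time-ordered
    for ts, user, ip, result in sorted(events):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:   # slide the window
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

# Constructed sample: one source sprays five accounts in ten seconds; a
# second source is a single user mistyping a password, which is not a spray.
SAMPLE_LOG = """\
2021-03-01T08:00:01 alice 203.0.113.7 FAIL
2021-03-01T08:00:03 bob 203.0.113.7 FAIL
2021-03-01T08:00:05 carol 203.0.113.7 FAIL
2021-03-01T08:00:07 dave 203.0.113.7 FAIL
2021-03-01T08:00:09 erin 203.0.113.7 FAIL
2021-03-01T08:00:11 frank 203.0.113.7 OK
2021-03-01T08:05:00 alice 198.51.100.4 FAIL
2021-03-01T08:05:30 alice 198.51.100.4 FAIL
2021-03-01T08:06:00 alice 198.51.100.4 OK
"""

def demo():
    """Run the detector over SAMPLE_LOG."""
    return detect_spray(parse_auth(l) for l in SAMPLE_LOG.splitlines() if l.strip())
```

A successful login from a flagged source right after the failures (frank above) is the follow-up worth prioritising in response.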
16. @brysonbort
What Else Happened
30% of govt & private-sector victims had no direct connection to SolarWinds:
○ The hackers took advantage of known Microsoft configuration issues to trick systems into giving them access to emails and documents stored in the cloud.
○ The Russian hacking operation was “substantially more significant” than Cloudhopper, a 2016 Chinese-led espionage campaign. --Brandon Wales, Acting CISA Director
24. @brysonbort
Takeaways
There is NO Cyber Defense
https://cyberdefensereview.army.mil/Portals/6/Documents/CDR%20Journal%20Articles/There%20IS%20No%20Cyber_Bort.pdf?ver=2018-07-31-093713-563
The definition of Cybersecurity
Nothing is unhackable
25. @brysonbort
Takeaways
● The Perimeter is dead.
● Your Risk includes every vendor, every product, everything that you are connected with.
● Your largest Surface Area of Risk is PEOPLE.
● Assume Breach.
○ Detect
○ Respond
○ Remediate
26. @brysonbort
All of the Resources
MITRE ATT&CK Team:
https://github.com/center-for-threat-informed-defense/public-resources/blob/master/solorigate/README.md
SCYTHE Emulation Library:
https://www.scythe.io/threatthursday
What it Says:
A Chinese-linked cyberattack exploiting vulnerabilities in Microsoft’s on-premises Exchange email software likely compromised 30,000+ U.S. businesses, govt offices, & schools:
Hafnium -- the Chinese hacking group -- stealthily attacked several targets in Jan., but escalated its efforts to find as many vulnerable networks as possible after MSFT’s Tuesday patch release.
The hackers were able to access victims’ email servers without a password, allowing them to steal emails & install “backdoors” for future surveillance.
Most victims appear to be small and medium-size organizations -- many large orgs now use Microsoft’s cloud-based O365, which wasn’t impacted.