The Cybersecurity and Infrastructure Security Agency (“CISA”) has issued an alert stating that it is aware of compromises of U.S. government agencies, critical infrastructure entities and private sector organizations by an advanced persistent threat (“APT”) nation-state actor, with activity dating back to at least March of this year. Please see the referenced CISA alert for the list of affected SolarWinds products, indicators of compromise (“IOCs”) and up-to-date SolarWinds Orion-specific mitigations.
Key Take-Aways:
- On 12/13 CISA issued an Emergency Directive ordering federal civilian executive branch departments and agencies to immediately disconnect or power down affected SolarWinds Orion products.
- SolarWinds Orion typically runs with a number of highly privileged accounts and broad network access in order to perform its normal monitoring functions. Compromise of an Orion server can therefore be leveraged to gain further access and privileges wherever those accounts are trusted.
- Not all organizations with the SolarWinds trojanized update/products have yet been targeted for follow-on malicious activity.
- CISA has evidence of initial access vectors other than the SolarWinds Orion platform; these are still being investigated.
- One of the initial attack objectives appears to be the collection of data.
Observed Techniques:
Some of the sophisticated obfuscation and evasion techniques CISA reports on include:
- The use of steganography to obscure communications
- The use of a complex set of IP addresses.
- Hiding of activity amid legitimate user traffic through the use of virtual private servers with IP addresses native to the country of the victim.
- Frequent rotation of "last mile" IP addresses to different endpoints to avoid detection.
- Malware which will abort execution if it detects that it’s running in a sandbox environment.
- A malware backdoor that performs time threshold checks (a dormancy period) before activating.
- User impersonation by forging SAML tokens with a compromised SAML token-signing certificate.
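The last item is the one defenders can most directly hunt for in their own federation logs: a forged SAML assertion often differs from what the identity provider normally issues in its validity window, its signing certificate, or its issuer. The script below is an added illustration of that triage, not code from CISA or any vendor. It checks a SAML assertion's metadata against a known-good profile for the federation server; the issuer URL, the certificate bytes, the one-hour lifetime and the sample assertions are all constructed for this example. Note the caveat the second forged sample demonstrates: when the actor has stolen the IdP's real token-signing certificate, the fingerprint check passes and only the anomalous lifetime (or the absence of a matching issuance event on the IdP) gives the token away. This is metadata triage, not cryptographic signature verification, which should be done with a proper XML-DSig library.

```python
"""Flag SAML assertions whose metadata deviates from the identity provider's
known-good profile.  Added example; the issuer, certificate, lifetime and
assertions below are constructed values, not real indicators."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Known-good profile for the federation server (constructed values).
EXPECTED_ISSUER = "http://sts.example.com/adfs/services/trust"
KNOWN_CERT_B64 = base64.b64encode(b"constructed-token-signing-cert").decode()
EXPECTED_CERT_SHA256 = hashlib.sha256(base64.b64decode(KNOWN_CERT_B64)).hexdigest()
MAX_LIFETIME = timedelta(hours=1)  # what the IdP is configured to issue


def _parse_time(value):
    # SAML timestamps are UTC with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_assertion(xml_text):
    """Return a list of reasons the assertion looks suspicious (empty = clean)."""
    reasons = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        reasons.append(f"unexpected issuer {issuer!r}")

    # Compare the embedded signing certificate with the IdP's known one.
    cert = root.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    cert = "".join(cert.split())  # drop PEM-style line wrapping
    if not cert:
        reasons.append("no signing certificate embedded")
    else:
        fp = hashlib.sha256(base64.b64decode(cert)).hexdigest()
        if fp != EXPECTED_CERT_SHA256:
            reasons.append(f"signing certificate fingerprint {fp[:16]}... "
                           "is not the known token-signing cert")

    # Forged tokens are frequently minted with a validity window far longer
    # than the IdP would ever issue.
    issued = _parse_time(root.get("IssueInstant"))
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        lifetime = _parse_time(cond.get("NotOnOrAfter")) - issued
        if lifetime > MAX_LIFETIME:
            reasons.append(f"lifetime {lifetime} exceeds configured maximum {MAX_LIFETIME}")
    else:
        reasons.append("no NotOnOrAfter condition")
    return reasons


def _assertion(issuer, cert_b64, issued, not_on_or_after, subject):
    # Minimal constructed SAML 2.0 assertion for the example.
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_1" Version="2.0" IssueInstant="{issued}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


# Constructed samples.
LEGIT = _assertion(EXPECTED_ISSUER, KNOWN_CERT_B64,
                   "2020-12-14T10:00:00Z", "2020-12-14T11:00:00Z", "alice@example.com")
# Signed with an attacker-controlled key and given a one-week validity window.
FORGED = _assertion(EXPECTED_ISSUER, base64.b64encode(b"attacker-cert").decode(),
                    "2020-12-14T10:00:00Z", "2020-12-21T10:00:00Z", "svc_admin@example.com")
# Signed with the IdP's own (stolen) token-signing key: only the lifetime stands out.
GOLDEN = _assertion(EXPECTED_ISSUER, KNOWN_CERT_B64,
                    "2020-12-14T10:00:00Z", "2020-12-21T10:00:00Z", "svc_admin@example.com")

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("forged", FORGED), ("golden", GOLDEN)):
        print(name, assess_assertion(sample) or "clean")
```

In practice the assertions would come from an application-side log or SAML trace rather than literals, and any token that fails these checks should be correlated against the federation server's own issuance records: a valid-looking token that the IdP never logged issuing is the strongest indicator of a forged one.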
Related Blog Posts:
12/15/20, SolarWinds Software is Being Actively Exploited
12/16/20, Update SolarWinds Exploit