Windows 10 News and info | Forum
Topic: Microsoft SolarWinds analysis

Posted by javajolt (Administrator) on January 22, 2021, 11:14:56 AM
Attackers hid inside Windows systems by wearing the skins of legit processes.

The SolarWinds hackers triggered one of their Cobalt Strike implants in the firm's network through a cunning VBScript that was activated by a routine system process, Microsoft has said.

Microsoft's deep dive, published yesterday following SolarWinds' own take on the malware, repeated earlier findings that the hackers went to unusual lengths to disguise their intrusion and avoid detection.

Specifically, the compromised DLL file was quietly deployed onto targeted systems by mimicking legitimate file names – and the attackers worked between 8 am and 5 pm to increase the odds of not being spotted.

Micros~1 summarised its findings in a blog post by saying:

"Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files."

It continued: "Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims."

Much of the infosec commentary around the SolarWinds supply chain attack has reused the tired old clichés of stating the attackers were sophisticated, advanced, cunning, soft, strong, thoroughly absorbent, and so on. In this case, the clichés appear to be true because the attackers "first enumerated remote processes and services running on the target host" and only moved through the target network "after disabling certain security services."

Those techniques included editing the Windows registries of target machines to disable autostarting of security processes – and then waiting until the target machine was rebooted before moving in for the kill.

"The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary," Microsoft sighed.

The analysis includes indicators of compromise and techniques used by the attackers to skate around SolarWinds's networks but, unusually for infosec research, expresses them in plain English that any averagely skilled IT pro can follow. It's well worth a read.

The attackers also used the mildly unusual reflective DLL loading attack technique. A full explanation can be read here, also from Microsoft. Briefly, the technique allows malicious DLL files to be loaded into a process without first having been registered with it – and does so from memory, via a custom loader deployed by the attacker, rather than pulling it from a potentially detectable disk location.

Relatedly, custom Cobalt Strike loaders developed by the hackers strongly resembled "legitimate Windows file and directory names, once again demonstrating how the attackers attempted to blend in the environment and hide in plain sight," said MS.

The autopsies of the biggest supply chain attack for years will doubtless continue, but one thing's for sure: whichever nation-state was behind it, they really knew what they were doing and really didn't want to be caught in the act.

source
« Last Edit: January 23, 2021, 01:31:47 AM by javajolt » Logged
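Two of the behaviours the article describes are cheap to hunt for on a Windows host: WMI event subscriptions used for persistence (unique filter names and queries per machine, so you enumerate everything rather than matching on known names) and security services whose registry Start value was flipped to Disabled so they silently fail to return after a reboot. The script below is an added example written for this thread, not code from the article or from Microsoft's analysis. It assumes Windows PowerShell 5.1 run elevated, and the service-name list $SecurityServices is an illustrative assumption that you should extend with whatever your own AV/EDR registers.

```powershell
# Added hunting script; not from the article or from Microsoft's analysis.
# Assumptions (adjust for your environment):
#   - Windows PowerShell 5.1, run elevated (root\subscription and HKLM:\SYSTEM need it).
#   - $SecurityServices is an illustrative list of Defender-related service names;
#     extend it with the names your EDR/AV actually registers.

$SecurityServices = @('WinDefend', 'WdNisSvc', 'Sense', 'SecurityHealthService')

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartType = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SecurityServiceStartState {
    foreach ($name in $SecurityServices) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { continue }   # service not installed on this host
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service    = $name
            Running    = [bool]($svc -and $svc.Status -eq 'Running')
            StartType  = if ($null -eq $start) { 'Unknown' } else { $StartType[[int]$start] }
            # Running now but Disabled in the registry means the service will not come
            # back after the next reboot, which is exactly the gap the attackers waited for.
            Suspicious = ($start -eq 4)
        }
    }
}

function Get-WmiSubscription {
    $ns = 'root\subscription'
    # Index filters and consumers by Name so bindings can be resolved without
    # dereferencing WMI object paths.
    $filters = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    # Enumerating the abstract base class returns every consumer subclass instance.
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter/Consumer are object paths such as __EventFilter.Name="x"; pull out the Name.
        $fName = if ($b.Filter   -match 'Name="([^"]*)"') { $matches[1] } else { [string]$b.Filter }
        $cName = if ($b.Consumer -match 'Name="([^"]*)"') { $matches[1] } else { [string]$b.Consumer }
        $f = $filters[$fName]
        $c = $consumers[$cName]
        [pscustomobject]@{
            FilterName    = $fName
            Query         = if ($f) { $f.Query } else { '<filter missing>' }
            ConsumerClass = if ($c) { $c.__CLASS } else { '<consumer missing>' }
            # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries script text.
            Payload       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                            elseif ($c.ScriptText)      { $c.ScriptText }
                            else                        { '' }
        }
    }
}

Get-SecurityServiceStartState | Format-Table -AutoSize
Get-WmiSubscription | Format-List
```

Read the output against a known-good baseline rather than a list of bad names: the whole point of the per-host variance Microsoft describes is that the filter name and query will not match any indicator you have, so any binding whose Payload runs a script or command you cannot account for deserves a look, and a service that reports Running but Disabled is worth pulling the registry key's last-write time for.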
Powered by SMF 1.1.21 | SMF © 2017, Simple Machines