Solar Winds: NSA & Co.

Groups of hackers behind serious cyber attacks involving software provider Solar Winds have expanded and refined their tactics, techniques and practices. They also now use security holes in Microsoft’s Exchange Server software, which were initially associated with other attackers. This comes from a new vulnerability report written by three US agencies, the FBI, the NSA and the CISA (Cyber ​​Security and Infrastructure Security Agency), in conjunction with the British National Center for Cyber ​​Security (NCSC), which is part of the GCHQ Intelligence Agency.

The Russian attackers are said to have increased their weapons

Solar Winds hackers initially detected U.S. security officials in Russia. By doing The new paper shows the authors on the Russian foreign intelligence service SWR And his cyber actors known as APT29, Cozy Pierre and Dukes. Among other things, these may be responsible for IT attacks on developers of the Covit-19 vaccine with malware such as WellMes and Wellmail.

The warning warns that Russian attackers have increased their weapons in order to create weak points in the case of Solar Winds & Co and continue to infiltrate undetected networks. Therefore, hacker groups have responded to the reactions of many organizations following warnings over the past few months.

Permanent access to compromised systems

Attackers now use the open source tool sliver to gain permanent access to already compromised systems and networks. You can use this to exploit a number of vulnerabilities, including the most recent zero day exploits for Microsoft Exchange, which are believed to lead to China.

Sliver is actually considered software for so-called red teams so that they can consult with service providers and test their network security. It should now be abused here to consolidate access to computers that have been compromised with WellMes and Wellmail. The Cobalt Strike tool is used for the same purpose. The report said the force used malware and tools such as Goldfinder and Goldmax, as well as a chipboard download app, to hack victims through Solar Winds software.

Solar Winds, VMware, Exchange-Server Petrod

According to Western security agencies, the attackers are keen to use a variety of exploits once they are released. The authors specifically mention eleven security warnings regarding vulnerabilities ranging from CVE-2018-13379 Fortigate to CVE-2019-19781 Citrix to CVE-2021-21972 VMware Whisper.

In recent times, actors have specifically sought Exchange servers to fill the gap associated with the Hafnium group. CVE-2021-26855 And other vulnerabilities associated with it are likely to occur. Such operations usually involve further exploitation and, if successful, web shell installation for remote server access. Attacks on mail servers are aimed at gaining passwords and administrator rights as well as accessing network information and access.

Update quickly – close gaps

Despite the sophisticated nature of the attacks, the authors insist that the attackers could be restrained if administrators followed “basic cyber security policies.” This includes quickly installing security updates to minimize known security gaps. The guide suggests using multiple factor authentication to counter password attacks.

The SWR is certified by its counterparts in the United States and Great Britain as having developed extensive capabilities to attack organizations around the world. This is especially true of NATO member states and Russia’s neighbors. The Secret Service “used a variety of tools and techniques, especially to obtain intelligence targeting targets in the fields of government, diplomacy, think tanks, health care and energy.” US President Joe Biden imposed sanctions on Russia a month ago in response to the Solar Winds attack.

(tiw)