The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has created a website offering information about the current cyber activities of the advanced persistent threat (APT) group behind the compromise of the SolarWinds Orion software supply chain.
The actors responsible for the attack gained access to the systems of federal, state and local governments, private sector companies and critical infrastructure entities around the world. Besides compromising the software update mechanism of SolarWinds Orion, the attackers also abused commonly used authentication mechanisms to obtain persistent access to systems.
Microsoft stated that the attackers’ primary objective appears to be to gain persistent local system access by installing the Sunburst/Solarigate backdoor and then pivot to the victims’ cloud resources. It has since become apparent that more than one threat group is conducting cyber espionage against SolarWinds Orion users: a second malware variant, called Supernova, was also found on Orion servers. Microsoft and Palo Alto Networks assess that Supernova is not connected with the threat group that used the Sunburst/Solarigate backdoor.
A number of resources have already been published to help organizations assess the risk associated with this activity, detect and mitigate potential compromises, and evict the attackers from their systems. The new site brings the known facts together and gives quick access to relevant resources on this worldwide incident. It will be updated regularly as the ongoing investigations produce new information.
The APT group has compromised the networks of a large number of organizations and appears to be carefully selecting which of them to exploit further. However, any organization that downloaded the compromised software updates remains exposed to attack unless it takes corrective action.
It is essential for all organizations that use SolarWinds Orion to take steps to identify indicators of compromise. If nothing is done, the threat actor may resist eviction from breached systems and continue to pose a risk to affected organizations. CISA additionally points out that entities that did not download the compromised SolarWinds Orion update are not necessarily unaffected: their managed service providers and partners may have been breached, which could give the APT actor a path into their systems.
The webpage links to a free tool that CISA released for identifying unusual and potentially malicious activity in Azure/Microsoft Office 365 environments. The tool focuses on identity- and authentication-based activity, across a broad range of areas, that is characteristic of the attacks seen after deployment of the Sunburst/Solarigate backdoor.
The tool, called Sparrow, can be used to narrow large sets of investigation modules and telemetry to those relevant to recent attacks on federated identity sources and applications.
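To make concrete what “identity- and authentication-based activity” looks like in tenant telemetry, the following is an added example written for this page; it is not CISA’s Sparrow code and is not from the original article. It scans audit-log records for operations that change domain authentication or federation settings, or that hand an application credentials or consent, restricted to an investigation window. The record shape (CreationDate, UserIds, Operations, AuditData as a JSON string) mirrors what an Exchange Online Search-UnifiedAuditLog export looks like, but the operation keywords, the tenant, the accounts, the IPs and every timestamp are constructed assumptions and should be checked against your own tenant’s logs.

```python
"""Scan Azure AD / Microsoft 365 unified audit log records for identity- and
authentication-related changes.  Added illustration of the kind of check the
article describes; this is not CISA's Sparrow code.  Field names mirror the
shape of Search-UnifiedAuditLog output (CreationDate, UserIds, Operations,
AuditData); the operation keywords and every sample value are assumptions
constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Lower-cased keywords for operations that change how a tenant trusts identities
# or give an application standing access.  Keyword matching (instead of exact
# operation names) tolerates the punctuation and spacing variations seen in
# different exports.  Assumption: these substrings appear in the operation names.
IDENTITY_PATTERNS = {
    "domain authentication": "domain authentication settings changed (possible federation abuse)",
    "federation settings": "federation trust settings changed",
    "service principal credentials": "credential added to a service principal",
    "certificates and secrets": "application certificates or secrets changed",
    "consent to application": "OAuth consent granted to an application",
    "app role assignment": "application permission granted",
}

def _ts(s):
    """Parse the UTC timestamp format used in the sample export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _rec(when, user, op, obj, ip):
    """Build one constructed audit record; AuditData is a JSON string, as in real exports."""
    return {"CreationDate": when, "UserIds": user, "Operations": op,
            "AuditData": json.dumps({"ObjectId": obj, "ClientIP": ip})}

# Constructed sample export (fictional tenant, RFC 5737 documentation IPs).
SAMPLE_EXPORT = [
    _rec("2020-11-02T08:00:00Z", "admin@contoso.example", "Set domain authentication.", "contoso.example", "192.0.2.10"),
    _rec("2020-12-10T14:03:11Z", "admin@contoso.example", "Set domain authentication.", "contoso.example", "203.0.113.7"),
    _rec("2020-12-10T14:05:40Z", "admin@contoso.example", "Add service principal credentials.", "Mail Sync App", "203.0.113.7"),
    _rec("2020-12-11T09:12:02Z", "jdoe@contoso.example", "UserLoggedIn", "Unknown", "198.51.100.22"),
    _rec("2020-12-12T16:48:55Z", "svc-backup@contoso.example", "Consent to application.", "Backup Helper", "203.0.113.7"),
    _rec("2020-12-13T10:20:00Z", "admin@contoso.example", "Add member to group.", "Finance", "198.51.100.22"),
]

# Investigation window (assumed): the period after a trojanized update could have landed.
WINDOW_START = _ts("2020-12-01T00:00:00Z")
WINDOW_END = _ts("2020-12-31T23:59:59Z")

def classify(operation):
    """Return a description if the operation is identity/authentication related, else None."""
    op = operation.lower()
    for keyword, description in IDENTITY_PATTERNS.items():
        if keyword in op:
            return description
    return None

def flag_identity_events(records, start=WINDOW_START, end=WINDOW_END):
    """Return the identity-related records inside [start, end], oldest first."""
    findings = []
    for r in records:
        when = _ts(r["CreationDate"])
        if not (start <= when <= end):
            continue
        description = classify(r["Operations"])
        if description is None:
            continue
        data = json.loads(r.get("AuditData") or "{}")
        findings.append({"when": when, "actor": r["UserIds"], "operation": r["Operations"],
                         "target": data.get("ObjectId"), "client_ip": data.get("ClientIP"),
                         "why": description})
    findings.sort(key=lambda f: f["when"])
    return findings

def group_by(findings, key):
    """Count findings per 'actor' or 'client_ip' to spot one source touching many trust settings."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[key]] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = flag_identity_events(SAMPLE_EXPORT)
    for f in hits:
        print(f"{f['when']:%Y-%m-%d %H:%M} {f['actor']:<28} {f['operation']:<36} "
              f"{f['target']!s:<16} {f['client_ip']}  <- {f['why']}")
    print("per actor:", group_by(hits, "actor"))
    print("per client IP:", group_by(hits, "client_ip"))
```

Each hit is a lead, not proof of compromise: the same operations occur during legitimate federation changes and app onboarding, so cross-check every finding against change records, and start the window no later than the earliest date a compromised Orion build could have been installed. Grouping by client IP is what makes the constructed sample interesting: three trust-changing operations by two different accounts from one address inside the window is the pattern worth pulling on first.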