Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Spear-phishing Campaign Targets Office 365 Users
December 17, 2020Rewterz Threat Advisory – CVE-2020-3999 – VMware Multiple Products DoS Vulnerability
December 18, 2020
Severity
High
Analysis Summary
CISA has uncovered a widespread campaign that compromises U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor. Threat actors initial access for this activity is a supply chain compromise of a DLL in the following SolarWinds Orion products. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.
Technical Details
Initial Infection [TA0001]
In an ongoing investigation, researchers are investigating where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Threat actors using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA). This indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.
SolarWinds Orion Compromise
SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products. The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic.
The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. It is also reported that the threat actors are using Obfuscated Files or Information: Steganography to obscure C2 communications. This technique negates many common defensive capabilities in detecting the activity. The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. Threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism.
It has been understood that the threat actor’s initial objective to collect vital information from victim’s environment. Threat actor’s are compromising Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges.
MITRE ATT&CK Techniques Used by Threat Actors
- Query Registry [T1012]
- Obfuscated Files or Information [1027]
- Obfuscated Files or Information: Steganography [T1027.0Steganography [T1027.003]
- Process Discovery [T1057]03]
- Indicator Removal on Host: File Deletion [T1070.004]
- Application Layer Protocol: Web Protocols [T1071.001]
- Application Layer Protocol: DNS [T1071.004]
- File and Directory Discovery [T1083]
- Ingress Tool Transfer [T1105]
- Data Encoding: Standard Encoding [T1132.001]
- Compromise Software Dependencies and Development Tools [ [T1195.001]
- Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
- Software Discovery [T1518]
- Software Discovery: Security Software Discovery [T1518.001]
- Create or Modify System Process: Windows Service [T1543.003]
- Subvert Trust Controls: Code Signing [T1553.002]
- Dynamic Resolution: Domain Generation Algorithms [T1568.002]
- System Services: Service Execution [T1569.002]
- Compromise Infrastructure [T1584]
Impact
- Network compromise
- Unauthorized Access
- Data Theft
- Detection Evasion
- Exposure of sensitive data
Affected Vendors
SolarWinds
Affected Products
- Orion Platform 2019.4 HF5 version 2019.4.5200.9083
- Orion Platform 2020.2 RC1 version 2020.2.100.12219
- Orion Platform 2020.2 RC2 version 2020.2.5200.12394
- Orion Platform 2020.2
- 2020.2 HF1 version 2020.2.5300.12432
Indicators of Compromise
IP
- 13[.]59[.]205[.]66
- 65[.]153[.]203[.]68
- 3[.]87[.]182[.]149
SHA-256
- ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
- 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
- d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment
- Keep your software updated to latest patch.
Refer to CISA alert for more updates and IOCs