- December 24, 2020
- Posted by: administrator
- Category: Threat News
As security researchers dig through forensic evidence in the aftermath of the SolarWinds supply chain attack, victim names are slowly starting to surface.
Multiple security researchers and research teams have published over the weekend lists ranging from 100 to 280 organizations that installed a trojanized version of the SolarWinds Orion platform and had their internal systems infected with the Sunburst malware.
The list includes the names of tech companies, local governments, universities, hospitals, banks, and telecom providers.
The biggest names on this list include the likes of Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.
MediaTek, one of the world’s largest semiconductor companies, is also believed to have been impacted; although, security researchers aren’t 100% on its inclusion on their lists just yet.
CRACKING THE SUNBURST SUBDOMAIN MYSTERIES
The way security researchers compiled these lists was by reverse-engineering the Sunburst (aka Solorigate) malware.
For ZDNet readers learning of the Sunburst malware for the first time, this malware was injected inside updates for the SolarWinds Orion app released between March and June 2020.
The boobytrapped updates planted the Sunburst malware deep inside the internal networks of many companies and government organizations which relied on the Orion app to monitor and keep inventories of internal IT systems.
According to deep-dive reports published last week by Microsoft, FireEye, McAfee, Symantec, Kaspersky, and US Cybersecurity and Infrastructure Security Agency (CISA), on infected systems, the malware would gather information about the victim company’s network, wait 12 to 14 days, and then send the data to a remote command and control server (C&C).
The hackers — believed to be a Russian state-sponsored group — would then analyze the data they received and escalated attacks only on networks that were of interest to their intelligence gathering goals.
Last week, SolarWinds admitted to the hack and said that based on internal telemetry, almost 18,000 of its 300,000 customers downloaded versions of the Orion platform that contained the Sunburst malware.
Initially, it was thought that only SolarWinds would be able to identify and notify all the impacted organizations. However, as security researchers kept analyzing Sunburst’s inner-workings, they also discovered some quirks in the malware’s operations, namely in the way the malware pinged its C&C server.
According to research published last week, Sunburst would send the data it collected from an infected network to a C&C server URL that was unique per victim.
This unique URL was a subdomain for avsvmcloud[.]com and contained four parts, where the first part was a random-looking string. But security researchers said that this string wasn’t actually unique but contained the encoded name of the victim’s local network domain.
Since last week, several security firms and independent researchers have been sifting through historical web traffic and passive DNS data to collect information on traffic going to the avsvmcloud[.]com domain, crack the subdomains and then track down companies that installed a trojanized SolarWinds Orion app — and had the Sunburst malware beaconing from inside their networks back to the attackers’ server (now sinkholed thanks to Microsoft and FireEye).
A GROWING LIST OF FIRST-STAGE AND SECOND-STAGE VICTIMS
Cybersecurity firms TrueSec and Prevasio, security researcher Dewan Chowdhury, and Chinese security firm QiAnXin are among the several who have now published lists of Sunburst-infected organizations or tools to decode the avsvmcloud[.]com subdomains.
Companies like Cisco and Intel have formally confirmed they got infected in interviews with reporters over the weekend. Both companies have said they found no evidence that the hackers escalated access to deliver second-stage payloads on their systems.
VMWare and Microsoft, whose names were not on these public lists, also confirmed they installed trojanized Orion updates on their internal networks but also specified that they also did not find any evidence of escalation from the attackers.
However, the hackers did escalate their attacks on the networks of some of their targets. In an interview on Friday, FireEye CEO Kevin Mandia, whose company discovered the SolarWinds hack when investigating a breach of its internal systems, said that hackers, despite infecting almost 18,000 networks, only escalated access to around 50 targets, based on FireEye’s visibility.
In a separate report, also published on Friday, Microsoft also said it identified 40 of its own customers that had installed infected Orion apps and where attackers escalated access.
“Escalation” usually happened when the avsvmcloud[.]com C&C server replied to an infected company with a very specific DNS response that contained a special CNAME field.
This special DNS CNAME field contained the location of a second C&C server from where the Sunburst malware would get additional commands and sometimes download other malware.
Currently, the only publicly known company where hackers escalated access is FireEye, whose breach response helped uncover the entire SolarWinds hack.
Making the difference between the two (a simple Sunburst infection and escalation) is crucial for incident responders. In the first case, they might only need to remove the Sunburst malware, while in the second, they might need to review logs to identify what internal systems hackers escalated access to and what data was stolen from their networks.
Several security researchers have told ZDNet today that a large part of the cybersecurity community is now working with content delivery networks, internet service providers, and other internet companies to collect passive DNS data and hunt down traffic to and from the avsvmcloud[.]com domain in order to identify other victims where attackers escalated access.
NOTE:: This article is copyright by zdnet.com and we are using it for educational or Information purpose only