
Microsoft seizes a domain used in the attacks, in response to the large-scale hacking of government agencies


In December 2020 it came to light that a software update from IT management software vendor SolarWinds had been loaded with malware, and that many government agencies and other organizations had been hacked through it. In response, Microsoft has updated its security software Microsoft Defender Antivirus to block the malicious SolarWinds binary, and has worked with other technology companies to seize a domain the attackers used.

Ensuring customers are protected from Solorigate | Microsoft Security
https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/

Microsoft and industry partners seize key domain used in SolarWinds hack | ZDNet
https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/

SolarWinds Hack Could Affect 18K Customers | Krebs on Security
https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-customers/

The large-scale hacks targeting government agencies came to light in early December 2020, when cybersecurity firm FireEye reported that internal tools it uses to test customers' security had been stolen. FireEye concluded that the intrusion was the work of "a nation with top-tier offensive capabilities." It was subsequently reported that email at government agencies including the US Treasury was being monitored, and the series of intrusions was found to have most likely come through malware embedded in SolarWinds software. According to SolarWinds, "a highly sophisticated, targeted and manual supply chain attack" by a nation state inserted malware known as SUNBURST (Microsoft's name for it: Solorigate) into updates of Orion, SolarWinds' IT infrastructure monitoring and management platform. SUNBURST is a trojanized Orion component containing a backdoor that communicates with an external server over HTTP, disguising its traffic as legitimate Orion activity while collecting data from the host. FireEye tracks the group behind SUNBURST as UNC2452, and reports citing the FBI and other sources link UNC2452 to APT29 (Cozy Bear), which is associated with Russia's Foreign Intelligence Service (SVR).

Related: Hacker group "UNC2452" that intercepted confidential information of government agencies and companies around the world revealed the method | GIGAZINE

According to SolarWinds, the trojanized updates were distributed between March and June 2020, and as many as 18,000 customers may have installed them. Organizations confirmed to have been attacked at the time of writing include the United States Department of the Treasury, the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security and the Department of State.

In response to the series of intrusions, Microsoft updated its security blog on December 15. Microsoft said it is continuously monitoring the evolving threat landscape around attacks using the Orion platform, and announced that, to protect users of Orion binaries that may have been loaded with malware, Microsoft Defender Antivirus would begin blocking (quarantining) the known malicious Orion binaries from 8:00 AM Pacific Standard Time on December 16, rather than only alerting on them. Because the blocked file is part of the Orion server software itself, the change can take the Orion platform out of service; Microsoft's guidance is to treat the host as compromised and isolate and investigate it rather than simply restore the file.

"It's important to understand that these binaries are a serious threat to your environment. Users should consider any device with this binary at risk and investigate any device that has been flagged."

In addition, Microsoft and a coalition of other technology companies seized the domain avsvmcloud.com, which played a central role in the SolarWinds intrusions, and placed it under Microsoft's control. The domain served as the malware's command-and-control (C2) server, with compromised systems contacting it; by sinkholing it and monitoring the IP addresses that connect, it is possible to identify organizations infected with SUNBURST. Microsoft is compiling a list of victims so that all affected agencies and companies can be notified. Jesse Rothstein, co-founder and CTO of network analytics firm ExtraHop, told ZDNet that malware-related domains have been seized by international law enforcement agencies and providers before, for example in the takedowns of the Necurs botnet and TrickBot.
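The sinkhole identifies victims from the outside; a defender can run the same check from the inside against their own resolver logs. The following is an added example, not code from Microsoft, SolarWinds or the article: it scans a DNS query log for clients that resolved avsvmcloud.com or any subdomain of it. The log layout ("timestamp client_ip qname") and every sample line are constructed for illustration; the random-looking leading labels stand in for the DGA-style labels SUNBURST prepended to the apex domain.

```python
"""Added example (not Microsoft's or SolarWinds' code): scan a DNS query
log for clients that resolved the seized SUNBURST C2 domain avsvmcloud.com.
The log format "timestamp client_ip qname" and all sample lines are
constructed for illustration."""
from collections import defaultdict

C2_APEX = "avsvmcloud.com"

# Constructed sample log. The leading label imitates the DGA-style label
# SUNBURST prepended to the apex domain; the last line is a look-alike
# name that must NOT match.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.1.20.15 02hk2md3tpl5ddamc8ck.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T09:12:03Z 10.1.20.15 www.microsoft.com
2020-12-14T09:15:44Z 10.1.33.7 r8s7cj5ljsqm0i6rd9f1.appsync-api.us-east-2.avsvmcloud.com
2020-12-14T09:20:00Z 10.1.20.15 4fvkjs0sod45e9km0i6c.appsync-api.us-west-2.avsvmcloud.com
2020-12-14T09:21:30Z 10.1.44.2 avsvmcloud.com.lookalike.example
"""


def is_c2_name(qname: str, apex: str = C2_APEX) -> bool:
    """True if qname is the apex domain or a subdomain of it.
    Matching on a label boundary avoids false positives from names that
    merely contain the string, such as the look-alike above."""
    q = qname.rstrip(".").lower()
    return q == apex or q.endswith("." + apex)


def parse_dns_line(line: str):
    """Split one constructed 'timestamp client qname' record."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def find_c2_resolvers(log_text: str):
    """Return {client_ip: [(timestamp, qname), ...]} for every client that
    resolved the C2 domain. Each client in the result is a candidate
    SUNBURST host that should be isolated and investigated."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_dns_line(line)
        if is_c2_name(qname):
            hits[client].append((ts, qname))
    return dict(hits)


def c2_subdomain_labels(hits):
    """Collect the unique leading labels of the queried names. SUNBURST
    encoded victim-specific data in that label, so the labels are worth
    keeping as indicators for reporting and correlation."""
    labels = set()
    for records in hits.values():
        for _, qname in records:
            labels.add(qname.split(".")[0])
    return labels


if __name__ == "__main__":
    hits = find_c2_resolvers(SAMPLE_DNS_LOG)
    for client, records in sorted(hits.items()):
        print(f"{client}: {len(records)} C2 lookups, first at {records[0][0]}")
    print("labels:", sorted(c2_subdomain_labels(hits)))
```

Two points are deliberate: the match is on a label boundary rather than a substring, so `avsvmcloud.com.lookalike.example` is not reported, and the hosts are grouped by client address because the question at hand is which machines ran the trojanized Orion build, not how many queries were made. Now that the domain is sinkholed the lookups still happen, so historical and current resolver logs both remain useful.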

Security company Volexity has linked the UNC2452 activity to a threat actor it calls "Dark Halo," which it has seen in three incidents since late 2019. Dark Halo's main objective appears to have been reading email, and Volexity says the third incident was a breach through SolarWinds' Orion platform.

Dark Halo Leverages SolarWinds Compromise to Breach Organizations | Volexity
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

SolarWinds hackers have a clever way to bypass multi-factor authentication | Ars Technica
https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/


According to Volexity, in the second incident Dark Halo accessed a user's mailbox through Outlook Web App (OWA). The mailbox was protected by two-factor authentication from Duo Security, a Cisco-owned company, but Dark Halo bypassed it with a technique Volexity had not seen before. Investigating the session in which the attacker logged in to the mailbox, Volexity found that the attacker, having already obtained administrative access to the compromised network, had stolen the Duo integration secret key (akey) from the server running OWA. With this key the attacker could generate a valid Duo session cookie (duo-sid), so that after authenticating with a username and password the second-factor prompt was never required; Duo's own authentication logs accordingly recorded no second-factor event for the login. Volexity and Duo both pointed out that the bypass did not exploit a vulnerability in Duo: two-factor authentication as deployed is not designed to withstand a complete compromise of the OWA server, and the problem is that the attacker already had enough access to effectively switch the second factor off. The practical consequence is that after such an intrusion the integration secrets must be rotated along with passwords, since a reset password does nothing against a session cookie derived from the stolen key.
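The gap Volexity describes is detectable: an OWA session that was accepted as MFA-satisfied while the Duo authentication log shows no second-factor prompt for that user. The following is an added example, not Volexity's or Duo's code, that correlates the two logs. Both record layouts and all events are constructed and are not the real Exchange or Duo log formats; the `window` parameter and the user names are assumptions made for the illustration.

```python
"""Added example (not Volexity's or Duo's code): find OWA logins that were
accepted as MFA-satisfied although Duo never recorded a second-factor
prompt for that user around that time. A session cookie forged with a
stolen integration secret leaves exactly this gap. Both record layouts
and every event below are constructed; they are not the real Exchange or
Duo log formats."""
from datetime import datetime, timedelta

# Constructed OWA access records: (timestamp, user, source_ip, mfa_source)
OWA_LOGINS = [
    ("2020-12-14T08:01:10Z", "alice", "203.0.113.10", "duo-cookie"),
    ("2020-12-14T08:30:05Z", "bob",   "203.0.113.22", "duo-cookie"),
    ("2020-12-14T09:45:00Z", "alice", "198.51.100.77", "duo-cookie"),
]

# Constructed Duo authentication records: (timestamp, user, result).
# A genuine push/OTP always produces one of these; a forged cookie does not.
DUO_AUTHS = [
    ("2020-12-14T08:01:02Z", "alice", "SUCCESS"),
    ("2020-12-14T08:29:58Z", "bob",   "SUCCESS"),
    ("2020-12-14T09:40:00Z", "carol", "DENIED"),
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def logins_without_second_factor(owa_logins, duo_auths, window=timedelta(minutes=5)):
    """Return (timestamp, user, source_ip) for each OWA login that has no
    successful Duo authentication of the same user within `window` before it.

    `window` must cover the normal gap between the Duo prompt and the OWA
    session being established. If "remember this device" is enabled it must
    instead cover the remembered-device lifetime, or every legitimate cookie
    reuse is flagged; widening it is the price of that convenience."""
    successes = {}
    for ts, user, result in duo_auths:
        if result == "SUCCESS":
            successes.setdefault(user, []).append(_parse(ts))

    suspicious = []
    for ts, user, ip, _mfa_source in owa_logins:
        t = _parse(ts)
        covered = any(t - window <= d <= t for d in successes.get(user, []))
        if not covered:
            suspicious.append((ts, user, ip))
    return suspicious


if __name__ == "__main__":
    for ts, user, ip in logins_without_second_factor(OWA_LOGINS, DUO_AUTHS):
        print(f"{ts} {user} from {ip}: MFA cookie accepted, no Duo prompt on record")
```

In the constructed data only alice's 09:45 login from a new address is reported: her earlier login and bob's both sit a few seconds after a Duo SUCCESS, while the 09:45 session presented a cookie that Duo never issued. Detection is only half of the response; as the text notes, the integration secret has to be rotated as well, because resetting the user's password leaves every cookie derived from the stolen key valid.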


in Software, Security, Posted by log1h_ik
