Researchers flagged off a fourth piece of malware seen in the SolarWinds hack and explained how Microsoft 365 was exploited

Two security vendors released more information about the SolarWinds hack and misuse of its Orion network management platform.

Symantec says the list of malware pieces that can be traced to the SolarWinds Orion supply chain hack now stands at four. The newly found piece, which Symantec has dubbed Raindrop, was used against select victims who were of particular interest to the attackers.

Raindrop is a loader that delivers a payload of Cobalt Strike, threat simulation software that is often used by infosec teams for penetration tests. It joins the other malware used by the attackers, including the initial backdoor called Sunburst (also known as Solorigate) and a later second-stage backdoor called Teardrop. The malware used on SolarWinds' own network is called Sunspot.

Raindrop, Symantec says, is similar to Teardrop. But whereas Teardrop was delivered by the initial Sunburst backdoor, Raindrop is used to spread across the victim's network. The security firm also notes that to date it has no evidence of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on the network once Sunburst has already compromised at least one computer.

The attack by a threat group FireEye calls UNC2452, which the US alleges is Russian in origin, compromised updates downloaded by some 18,000 users of the Orion network management platform between March and August 2020. SolarWinds has evidence that the attack on its update system began as early as the fall of 2019.

FireEye also released a report today stating that, in certain attacks, the UNC2452 group used its access to the on-premises network to reach victims' Microsoft 365 environments. In addition to issuing a detailed paper describing these attacks and how to harden the Microsoft environment, FireEye released a free tool on GitHub called Azure AD Investigator. The tool is intended to help organizations determine whether the SolarWinds attackers have been active in their Microsoft 365 environment.

In its report, Symantec describes how Raindrop was used against one victim. In early July 2020, Sunburst was installed via the SolarWinds Orion update, compromising two computers. The next day, Teardrop was added to one of them. That computer was found to have an Active Directory query tool and a credential dumper designed specifically for the Orion database. The credential dumper was similar to, but not the same as, the open-source Solarflare tool.

Eleven days later, a previously undiscovered copy of Raindrop was installed under the name bproxy.dll on a third computer in the organization, where no earlier malicious activity had been observed. This computer was running computer access and management software, which the attackers could use to reach any computer in the compromised organization.

An hour later, the Raindrop malware installed an additional file called "7z.dll". Symantec was unable to recover this file, because within hours a legitimate copy of 7-Zip was used to extract what appeared to be Directory Services Internals (DSInternals) on the computer. DSInternals is a legitimate tool that can be used to query Active Directory servers and retrieve data, typically passwords or keys.

A pattern emerges
The second victim organization seen by Symantec had Raindrop installed on a computer in late May. Several days later, PowerShell commands were executed on that computer that attempted to run further instances of Raindrop on additional computers in the organization.

In a third victim, Symantec states that Raindrop was used to install a version of Cobalt Strike configured without an HTTP-based command-and-control server. Instead, it was configured to use a named pipe over the Windows SMB (Server Message Block) protocol. Symantec said the victim's computer had no direct access to the Internet, so command and control was routed through another computer on the local network. The other three Raindrop samples seen by Symantec used HTTPS communication.

The FireEye report describes how UNC2452 and other threat actors later moved from on-premises networks into the Microsoft 365 cloud using a combination of four primary techniques:

Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This allows the attacker to authenticate to a federated resource provider (such as Microsoft 365) as any user, without needing that user's password or their associated multi-factor authentication (MFA) mechanism.
Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP).
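As an added illustration of the second technique above (this is not code from the article, Symantec or FireEye), the following Python snippet scans Azure AD audit-log records for the operations that change a domain's federation trust, which is what an attacker adding their own IdP would leave behind. The sample records are constructed, and the operation names are taken from Azure AD's audit log naming (treated here as an assumption).

```python
import json

# Azure AD audit-log operations that alter federation trust for a domain
# (assumption: operation names as Azure AD writes them to its audit log).
FEDERATION_OPS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain",
    "Verify domain",
}

# Constructed sample records (not real data), newline-delimited JSON in the
# shape of Azure AD audit-log entries.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2020-07-14T03:12:09Z", "activityDisplayName": "Add user", "initiatedBy": "admin@contoso.example", "targetResources": ["jdoe@contoso.example"], "result": "success"}
{"activityDateTime": "2020-07-14T03:40:51Z", "activityDisplayName": "Set domain authentication", "initiatedBy": "admin@contoso.example", "targetResources": ["contoso.example"], "result": "success"}
{"activityDateTime": "2020-07-14T03:41:07Z", "activityDisplayName": "Set federation settings on domain", "initiatedBy": "admin@contoso.example", "targetResources": ["contoso.example"], "result": "success"}
{"activityDateTime": "2020-07-15T10:05:00Z", "activityDisplayName": "Update user", "initiatedBy": "helpdesk@contoso.example", "targetResources": ["jdoe@contoso.example"], "result": "success"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_federation_changes(events):
    """Return the events that change federation trust, oldest first.

    Switching a domain from managed to federated, or pointing it at a new
    IdP, is exactly what an attacker who wants to mint their own SAML tokens
    needs, so every hit should be matched against an approved change record.
    """
    hits = [
        {
            "time": ev["activityDateTime"],
            "operation": ev["activityDisplayName"],
            "actor": ev.get("initiatedBy"),
            "domains": ev.get("targetResources", []),
        }
        for ev in events
        if ev.get("activityDisplayName") in FEDERATION_OPS
    ]
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for hit in find_federation_changes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{hit['time']} {hit['operation']!r} by {hit['actor']} on {hit['domains']}")
```

Two federation changes a minute apart by the same account, as in the constructed sample, is the kind of sequence that warrants a call to whoever owns that account.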
