
New Malware Implant Discovered as Part of SolarWinds Attack

File_closed07

Security researchers have uncovered a new malware tool used by Russian attackers to compromise SolarWinds.

Sunspot was used by attackers to inject the Sunburst backdoor code into the vendor’s Orion platform without setting off any internal alarms, CrowdStrike said in a blog post yesterday.

According to the security firm, which did not attribute the attack to anyone, the attackers went to great lengths to “ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.”

Sunspot worked by sitting on SolarWinds’ build server and monitoring running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools. If it saw that Orion software was being built, it would hijack the operation to insert Sunburst.
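The behaviour described above (a process that watches for MsBuild.exe and then touches the source tree while the build runs) is the kind of thing build-server telemetry can surface. The following detection sketch is an added example, not code from the article or from CrowdStrike; the event shape, the allowlist, the process names and the paths are all constructed for illustration.

```python
"""Flag processes that open a handle to MsBuild.exe and then write into the
source tree shortly afterwards, i.e. build-time source tampering.
Event format (an assumption for this example, loosely Sysmon-like):
  {"ts": int, "type": "process_access", "image": str, "target": str}
  {"ts": int, "type": "file_write",     "image": str, "path": str}
"""
from collections import defaultdict

BUILD_IMAGE = "msbuild.exe"
# Tooling that is expected to touch both the build process and the sources.
# A real deployment would derive this from the build agent's own inventory.
ALLOWLIST = {"msbuild.exe", "devenv.exe", "git.exe", "csc.exe"}


def find_build_tampering(events, source_root, window_s=600):
    """Return (image, path, seconds_after_access) for every source write by a
    non-allowlisted process within window_s seconds of that process having
    opened MsBuild.exe."""
    access_ts = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].lower()
        if image in ALLOWLIST:
            continue
        if ev["type"] == "process_access" and ev["target"].lower().endswith(BUILD_IMAGE):
            access_ts[image].append(ev["ts"])
        elif ev["type"] == "file_write" and ev["path"].lower().startswith(source_root.lower()):
            recent = [t for t in access_ts[image] if 0 <= ev["ts"] - t <= window_s]
            if recent:
                findings.append((image, ev["path"], ev["ts"] - recent[-1]))
    return findings


# Constructed sample telemetry: a normal editor save before the build, then an
# unknown service that opens the build process and rewrites a .cs file mid-build.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "file_write", "image": "devenv.exe",
     "path": r"C:\src\Orion\Core\BuildStep.cs"},
    {"ts": 200, "type": "process_access", "image": "updatesvc.exe",
     "target": r"C:\Program Files (x86)\MSBuild\15.0\Bin\MSBuild.exe"},
    {"ts": 230, "type": "file_write", "image": "updatesvc.exe",
     "path": r"C:\src\Orion\Core\BuildStep.cs"},
    {"ts": 240, "type": "file_write", "image": "csc.exe",
     "path": r"C:\src\Orion\obj\Release\Core.dll"},
]

if __name__ == "__main__":
    for image, path, delay in find_build_tampering(SAMPLE_EVENTS, r"C:\src\Orion"):
        print(f"ALERT: {image} wrote {path} {delay}s after opening {BUILD_IMAGE}")
```

Pairing this with a hash of the source tree taken before the build starts gives a second, independent signal if the writer restores the original file after the compiler has consumed the modified one.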

The resulting Trojanized version of Orion was then installed on SolarWinds customer systems. SolarWinds contacted Infosecurity to claim that the newly discovered implant isn't a new malware strain per se but part of the Sunburst attack.

Around 33,000 Orion customers exist around the world, but only a relatively small handful were singled out by the attackers for the next stage of the campaign.

These victims, including multiple US government entities such as the Department of Justice, were monitored by Sunburst and then hit with a secondary Trojan, Teardrop, which delivered further payloads.

According to a timeline from SolarWinds released yesterday, the attackers first accessed its internal systems in September 2019, and around a week later they injected test code to effectively check the efficacy of Sunspot.

Sunburst was then compiled and deployed into the Orion platform in February 2020, although it was only in December, when FireEye discovered it was hit in the same campaign, that the whole story started to become clear.

Also yesterday, Kaspersky released new research indicating that the Sunburst malware contains multiple similarities with the Kazuar remote access backdoor previously linked to the long-running Russian APT group Turla.