FireEye Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/fireeye/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 05 Jan 2024 04:20:35 +0000

Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack https://gridinsoft.com/blogs/microsoft-says-about-developers-that-worked-on-solarwinds-attack/ Tue, 16 Feb 2021 16:47:08 +0000
In an interview with CBSNews, Microsoft President Brad Smith said the recent attack on SolarWinds was “the largest and most sophisticated he has ever seen.” According to him, the analysis of the hack carried out by the company’s specialists suggests that more than 1,000 developers worked on this attack.

At the same time, Smith says that the attackers rewrote only 4032 lines of code in Orion, which contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers had attacked SolarWinds and infected its Orion platform with malware. Of SolarWinds' 300,000 customers, only 33,000 were using Orion, and the infected version of the platform was installed by approximately 18,000 of them, according to official figures.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but far more specialists “worked” on the attackers' side:

“When we analysed everything we found at Microsoft, we asked ourselves how many engineers could be working on these attacks? The answer we received was: well, obviously more than a thousand,” said Brad Smith.

Since the attack is attributed to a Russian-speaking hack group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to large-scale attacks on Ukraine, which are also attributed to Russia (although the Russian Federation authorities deny their involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and explained the recent events.

As it turned out, the compromise at FireEye was discovered almost by accident. To log in remotely to the company's VPN, employees need a two-factor authentication code, and their accounts are tied to phone numbers. The FireEye security team happened to notice that one employee had two phone numbers linked to his account. An attacker who manages to enrol an additional factor on a compromised account passes the MFA check as that user from then on, which is why new-factor enrollment is worth alerting on.

“When this person was called and asked if he really had two numbers or devices, he replied that he had not done anything like that. It turned out that the second number was tied to the account by the attackers,” said Kevin Mandia.
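The check that caught the FireEye intrusion, generalised into two detections over an MFA enrollment log: accounts holding more registered numbers than policy allows, and a number removed and replaced within minutes (a swap, which a plain count would miss). This is an added example, not FireEye's tooling; the event layout, users and phone numbers are constructed stand-ins for whatever your identity provider logs when a factor is registered or removed.

```python
"""Flag MFA enrollment changes that look like an attacker adding or swapping a factor.
Added example, not FireEye's tooling; the event format below is a constructed stand-in
for whatever your identity provider logs when a user registers or removes a phone number."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MfaEvent:
    ts: str      # ISO-8601 UTC timestamp, e.g. "2020-11-28T03:41:00Z"
    user: str
    action: str  # "register" or "remove"
    phone: str   # constructed E.164-style number


# Constructed sample stream (hypothetical users and numbers).
SAMPLE_EVENTS = [
    MfaEvent("2020-11-02T09:14:00Z", "alice", "register", "+15550100001"),
    MfaEvent("2020-11-03T10:02:00Z", "bob",   "register", "+15550100002"),
    MfaEvent("2020-11-28T03:41:00Z", "bob",   "register", "+15550100099"),  # a second number appears
    MfaEvent("2020-11-30T11:00:00Z", "carol", "register", "+15550100003"),
    MfaEvent("2020-12-01T08:30:00Z", "carol", "remove",   "+15550100003"),
    MfaEvent("2020-12-01T08:31:00Z", "carol", "register", "+15550100004"),  # number replaced a minute later
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def current_factors(events):
    """Replay register/remove events into the set of numbers currently live on each account."""
    factors = defaultdict(set)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "register":
            factors[e.user].add(e.phone)
        elif e.action == "remove":
            factors[e.user].discard(e.phone)
    return factors


def accounts_with_extra_factors(events, max_factors=1):
    """Accounts holding more numbers than policy allows (FireEye's case: two numbers, one unknown to the user)."""
    return {u: sorted(p) for u, p in current_factors(events).items() if len(p) > max_factors}


def factor_swaps(events, window=timedelta(minutes=10)):
    """A remove followed by a register on the same account inside `window`: the user's
    number silently replaced, which an extra-factor count alone would not catch."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    swaps = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.action != "remove":
                continue
            for later in evs[i + 1:]:
                if later.action == "register" and _parse(later.ts) - _parse(e.ts) <= window:
                    swaps.append((user, e.phone, later.phone))
    return swaps


if __name__ == "__main__":
    for user, numbers in accounts_with_extra_factors(SAMPLE_EVENTS).items():
        print(f"REVIEW {user}: {len(numbers)} numbers registered: {', '.join(numbers)}")
    for user, old, new in factor_swaps(SAMPLE_EVENTS):
        print(f"REVIEW {user}: factor {old} replaced by {new} within minutes")
```

Both findings need a human follow-up exactly as Mandia describes: call the user out of band and ask whether they made the change. Treat a "no" as a confirmed account compromise, not an MFA glitch.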

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack https://gridinsoft.com/blogs/experts-discovered-solarleaks-website-with-data-stolen-in-a-recent-massive-hacker-attack/ Wed, 13 Jan 2021 16:32:49 +0000
Bleeping Computer reports the discovery of the SolarLeaks website (solarleaks[.]net), where unidentified individuals claim to be selling data allegedly stolen from SolarWinds, Microsoft, Cisco, and FireEye during a recent supply chain attack.

Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.

As a result, victims included major entities like Microsoft, Cisco, FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.

In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”

Now, the unknown individuals claim to be ready to sell the following stolen data:

  • $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
  • $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
  • $50,000: private red team FireEye tools, source codes, binaries, and documentation (39 MB);
  • $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).

The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators mimic the well-known hack group The Shadow Brokers, stating that initially, the stolen information will be sold in batches, and later, it will be freely published in the public domain.

It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced having no evidence of the theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check WHOIS information results in the message “You can get no info”.


It remains unknown whether the site operators possess the data they claim to have, or if SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it was found to be nonexistent.


Microsoft says SolarWinds hackers hunted for access to cloud resources https://gridinsoft.com/blogs/microsoft-says-solarwinds-hackers-hunted-for-access-to-cloud-resources/ Wed, 30 Dec 2020 16:40:02 +0000
Microsoft continues to investigate the supply chain attack that SolarWinds and its customers have suffered this year. Microsoft analysts reported that SolarWinds hackers were hunting for access to cloud resources.

Let me remind you that unknown hackers attacked SolarWinds and infected its Orion platform with malware.

Among the victims were such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Let me remind you that SolarWinds may have been hacked because its credentials were publicly available on GitHub.

A new Microsoft 365 Defender blog post contains no new technical details, but the experts write that they seem to have identified the hackers' ultimate goal: after infiltrating companies' networks through the SUNBURST (or Solorigate) backdoor, the hackers sought access to the victims' cloud resources.


“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.

With such a massive initial foothold, attackers could choose specific organizations in which they want to continue working (while others remained a fallback, available at any time, as long as the backdoor was installed and not detected),” the researchers write.

Microsoft experts note that the hackers' end goal was apparently to forge SAML (Security Assertion Markup Language) tokens: authentication tokens that the cloud accepts as genuine and that grant access to cloud resources. With such tokens the hackers were able to read email from accounts of interest. Because a forged token carries a valid signature, the cloud side cannot tell it from one the federation server really issued, so recovery requires rotating the token-signing certificate rather than merely resetting passwords.

Microsoft detailed the tactics that attackers used to gain access to cloud resources of their victims:

  • Using a compromised SolarWinds DLL to activate a backdoor that allowed remote control and operation of the device;
  • Using the backdoor to steal credentials, escalate privileges and move laterally until they could create valid SAML tokens, in one of two ways: by stealing the SAML token-signing certificate, or by adding or modifying federation trusts;
  • Using generated SAML tokens to access cloud resources and perform actions leading to theft of emails and retain access to the cloud.
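Because a token signed with the stolen certificate is cryptographically indistinguishable from a real one, detection has to look at where the token came from rather than at its signature. The added example below (mine, not Microsoft's code) cross-checks federated sign-ins the cloud accepted against the on-prem federation server's own record of tokens it issued, and additionally flags assertions with lifetimes longer than the server is configured to grant. The record layout, field names, users and addresses are constructed stand-ins for AD FS token-issuance audit events and cloud sign-in logs.

```python
"""Spot forged ("Golden SAML") tokens by cross-checking what the cloud accepted against
what the on-prem federation server says it issued. Added example; the record layout is a
constructed stand-in for AD FS token-issuance audit events and cloud sign-in logs."""
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names and values are hypothetical.
IDP_ISSUED = [  # assertions the federation server logged as signed by it
    {"assertion_id": "_a1", "user": "alice@example.test", "issued": "2020-12-10T09:00:00Z", "expires": "2020-12-10T10:00:00Z"},
    {"assertion_id": "_a2", "user": "bob@example.test",   "issued": "2020-12-10T09:05:00Z", "expires": "2020-12-10T10:05:00Z"},
]
CLOUD_SIGNINS = [  # federated sign-ins the cloud tenant accepted
    {"assertion_id": "_a1", "user": "alice@example.test", "issued": "2020-12-10T09:00:00Z", "expires": "2020-12-10T10:00:00Z", "src_ip": "203.0.113.10"},
    {"assertion_id": "_a2", "user": "bob@example.test",   "issued": "2020-12-10T09:05:00Z", "expires": "2020-12-10T10:05:00Z", "src_ip": "203.0.113.11"},
    # Signed offline with the stolen certificate: valid signature, but the IdP never saw it, and it lives for a week.
    {"assertion_id": "_f9", "user": "admin@example.test", "issued": "2020-12-10T02:00:00Z", "expires": "2020-12-17T02:00:00Z", "src_ip": "198.51.100.7"},
]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unissued_tokens(idp_issued, cloud_signins):
    """Tokens the cloud honoured that have no issuance record on the IdP. A forged
    assertion is signed with the stolen key outside the IdP, so the IdP never logs it."""
    known = {r["assertion_id"] for r in idp_issued}
    return [r for r in cloud_signins if r["assertion_id"] not in known]


def long_lived_tokens(cloud_signins, max_lifetime=timedelta(hours=1)):
    """Assertions valid for longer than the IdP is configured to issue."""
    return [r for r in cloud_signins if _t(r["expires"]) - _t(r["issued"]) > max_lifetime]


def golden_saml_findings(idp_issued, cloud_signins, max_lifetime=timedelta(hours=1)):
    """Map assertion_id -> list of reasons the assertion looks forged."""
    findings = {}
    for r in unissued_tokens(idp_issued, cloud_signins):
        findings.setdefault(r["assertion_id"], []).append("no matching IdP issuance record")
    for r in long_lived_tokens(cloud_signins, max_lifetime):
        findings.setdefault(r["assertion_id"], []).append(f"lifetime exceeds {max_lifetime}")
    return findings


if __name__ == "__main__":
    for aid, reasons in golden_saml_findings(IDP_ISSUED, CLOUD_SIGNINS).items():
        who = next(r for r in CLOUD_SIGNINS if r["assertion_id"] == aid)
        print(f"SUSPECT {aid} for {who['user']} from {who['src_ip']}: {'; '.join(reasons)}")
```

Two caveats for anyone building this for real. Whoever stole the token-signing certificate usually had administrator access to the federation server, so the issuance log is only trustworthy if it was forwarded off the host before the intrusion. And the correlation catches the stolen-certificate path only; an attacker who added a federation trust of their own is the legitimate issuer for that trust, which is why every trusted issuer in the tenant also has to be reviewed.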

Let me also remind you that the SolarWinds hack allowed Russian attackers to infiltrate dozens of US Treasury Department mailboxes.

SolarWinds was hacked because its credentials were publicly available on GitHub https://gridinsoft.com/blogs/solarwinds-was-hacked-because-its-credentials-were-publicly-available-on-github/ Wed, 16 Dec 2020 22:07:35 +0000
A massive supply chain attack affecting SolarWinds and its customers was reported earlier this week. SolarWinds may have been hacked because its credentials were publicly available on GitHub for a while.

The list of victims continues to grow, and it is now known that hackers have compromised:

  • American information security company FireEye;
  • US Department of the Treasury;
  • National Telecommunications and Information Administration (NTIA) of the US Department of Commerce;
  • National Institutes of Health (NIH), part of the US Department of Health and Human Services;
  • Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security (DHS CISA);
  • Department of Homeland Security (DHS);
  • US Department of State.

Unknown hackers infected the Orion platform, designed for centralized monitoring and control, with SUNBURST (aka Solorigate) malware. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.

Microsoft, FireEye and the Cybersecurity and Infrastructure Security Agency (DHS CISA) have released their own indicators of compromise and instructions for handling infected systems.

Among the company’s 300,000 customers, only 33,000 are known to have used Orion, and all of them have already been notified of the incident. At the same time, according to SolarWinds, an infected version of the Orion platform was installed on 18,000 clients.

SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network. Many media outlets drew attention to the statements of cybersecurity researcher Vinoth Kumar, who claims that credentials for the SolarWinds update server had been freely available in the company's official GitHub repository since 2018. According to Kumar, he noticed the leak in November, and the password for the server was simple: “solarwinds123”.

“Using these credentials, I was able to upload a file to the company's server, thus proving the system was insecure, which I notified SolarWinds about in November 2020. As a result, the leak was fixed on November 22,” wrote Kumar.

The researcher does not claim that these particular credentials played any role in the compromise of the Orion platform, but admits it is possible. The malicious Orion binaries were, after all, signed with a valid SolarWinds certificate, which points to a wider compromise of the company's network.

“If they had access to the build servers, they would not need FTP credentials. But if they just got hold of the signing certificate and credentials from FTP, they could modify the .dll, sign it and upload it to the FTP server,” Kumar told The Register.
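The leak Kumar describes is the kind a pre-commit or repository scan catches mechanically: a URL that embeds user:password@host, or a password assignment in a config or deploy script. The added example below (mine, not SolarWinds' or Kumar's tooling) scans text for both patterns and additionally rates whether the recovered password has the guessable "name plus a few digits" shape that “solarwinds123” has. The sample config, host names and secrets are constructed; the two regexes are deliberately narrow illustrations, not a complete secret-detection ruleset.

```python
"""Catch credentials before they land in a public repository. Added example, not
SolarWinds' or Kumar's tooling; the config text and the patterns are constructed."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# A URL carrying user:password@host, as in an FTP deploy target.
URL_WITH_CREDENTIALS = re.compile(r"\b(?:ftp|ftps|sftp|https?)://[^/\s:@]+:[^/\s@]+@[^\s/]+", re.I)
# password = "..." style assignments in configs, scripts and CI files.
PASSWORD_ASSIGNMENT = re.compile(r"(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})", re.I)
# A word followed by a short digit run: the "companyname123" shape reported for SolarWinds.
GUESSABLE_SHAPE = re.compile(r"^[a-z]+\d{1,4}$", re.I)

# Constructed sample: a deploy script of the kind that must never be committed.
SAMPLE_CONFIG = """\
# constructed sample: a deploy script of the kind that must never be committed
UPDATE_HOST=downloads.example.test
FTP_URL=ftp://deploy:Example123@downloads.example.test/releases/
SMTP_PASSWORD = "S3cure!Pass-2020"
api_timeout = 30
"""


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    username: Optional[str]
    secret: str
    guessable: bool

    def redacted(self) -> str:
        """Report the hit without echoing the secret into yet another log."""
        shown = self.secret[:2] + "*" * (len(self.secret) - 2)
        who = f" user={self.username}" if self.username else ""
        flag = " [GUESSABLE]" if self.guessable else ""
        return f"{self.path}:{self.line} {self.rule}{who} secret={shown}{flag}"


def is_guessable(password: str) -> bool:
    """Crude strength check: too short, or a dictionary-word-plus-digits shape."""
    return len(password) < 8 or bool(GUESSABLE_SHAPE.match(password))


def scan_text(text: str, path: str = "<constructed>"):
    """Return a Finding for every line carrying an embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_WITH_CREDENTIALS.search(line)
        if m:
            u = urlsplit(m.group(0))
            findings.append(Finding(path, lineno, "url_with_credentials", u.username, u.password, is_guessable(u.password)))
        m = PASSWORD_ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(path, lineno, "password_assignment", None, m.group(1), is_guessable(m.group(1))))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "deploy.env"):
        print(f.redacted())
```

Run it over every file in a commit from a pre-commit hook and over the full history of any repository before it goes public; a secret removed in a later commit is still recoverable from the earlier one, and the only remedy once it has been pushed is rotation.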

The leaked-credentials theory is also supported by the Reuters news agency, whose sources say that access to SolarWinds systems had been for sale on the darknet for a long time.

Meanwhile, ZDNet, citing its own industry sources, writes that Microsoft and its partners have seized control of the domain that played a major role in the SolarWinds compromise and sinkholed it.

“The domain avsvmcloud[.]com served as the command-and-control server for the SUNBURST malware, which spread across the networks of 18,000 SolarWinds clients via the malicious version of Orion,” according to ZDNet journalists.

Sources of the publication describe this operation as “protective”, aimed at preventing malware operators from sending new commands to infected computers.

Let me also remind you that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

Ransomware attacks most often occur at night and on weekends https://gridinsoft.com/blogs/ransomware-attacks-most-often-occur-at-night-and-on-weekends/ Wed, 18 Mar 2020 16:30:07 +0000
According to a report published by the American company FireEye, 76% of all ransomware attacks in the corporate sector occur in the off-hours: 49% of them are recorded at night on weekdays, and another 27% at weekends.

This data is based on dozens of ransomware incident investigations from 2017 to 2019.

“In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization. This observation underscores that threat actors continue working even when most employees may not be”, — said FireEye specialists.

Such statistics are easy to explain: in most companies there is simply no IT staff on duty at night and on weekends. If nobody can respond to the attack quickly, the attackers have a good chance that encryption will run to completion on machines throughout the company's network without interruption.
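The report's definition of "after hours" is precise, and the detail that matters for anyone turning it into a detection is that it is evaluated in the victim's local time, not in the UTC timestamps most SIEMs store. The added example below (mine, not FireEye's code) implements that definition and computes the after-hours share of a set of execution events. Timestamps and zones are constructed; the zones are fixed offsets in force on those dates, and in production you would pass zoneinfo.ZoneInfo("America/New_York") and similar so that DST is handled.

```python
"""Classify ransomware execution times the way the FireEye report does: weekend, or
before 08:00 / after 18:00 on a weekday, in the victim's own time zone. Added example,
not FireEye's code; timestamps and zones below are constructed."""
from datetime import datetime, time, timedelta, timezone, tzinfo

# Fixed offsets in force on the sample dates (EDT, CEST, JST, PDT). In production pass
# zoneinfo.ZoneInfo("America/New_York") etc. so DST transitions are handled for you.
EDT = timezone(timedelta(hours=-4))
CEST = timezone(timedelta(hours=2))
JST = timezone(timedelta(hours=9))
PDT = timezone(timedelta(hours=-7))

# Constructed (timestamp_utc, victim_zone) pairs standing in for ransomware execution events.
SAMPLE_EVENTS = [
    ("2019-06-03T23:30:00Z", EDT),   # Mon 19:30 local: after close of business
    ("2019-06-04T14:00:00Z", CEST),  # Tue 16:00 local: business hours
    ("2019-06-08T12:00:00Z", JST),   # Sat 21:00 local: weekend
    ("2019-06-07T11:30:00Z", PDT),   # Fri 04:30 local: before start of business
    ("2019-06-10T00:30:00Z", PDT),   # Monday in UTC, but Sun 17:30 local: weekend
    ("2019-06-04T02:00:00Z", JST),   # night in UTC, but Tue 11:00 local: business hours
]


def to_local(ts_utc: str, zone: tzinfo) -> datetime:
    """Parse a UTC 'Z' timestamp and shift it into the victim organisation's zone."""
    return datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).astimezone(zone)


def is_after_hours(ts_utc: str, zone: tzinfo, start=time(8, 0), end=time(18, 0)) -> bool:
    """True when the event falls on a weekend or outside [start, end) on a weekday, local time."""
    local = to_local(ts_utc, zone)
    if local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return local.time() < start or local.time() >= end


def after_hours_share(events) -> float:
    """Fraction of events classified after hours; 0.0 for an empty input."""
    events = list(events)
    if not events:
        return 0.0
    return sum(is_after_hours(ts, zone) for ts, zone in events) / len(events)


if __name__ == "__main__":
    for ts, zone in SAMPLE_EVENTS:
        label = "after hours" if is_after_hours(ts, zone) else "business hours"
        print(f"{ts} -> {to_local(ts, zone):%a %H:%M} local: {label}")
    print(f"after-hours share: {after_hours_share(SAMPLE_EVENTS):.0%}")
```

The last two sample events are the ones that bite: evaluated in UTC, one looks like a Monday working hour and the other like the middle of the night, and both classifications are wrong for the victim. A burst of mass file renames or a new Group Policy Object appearing in that after-hours window is exactly the signal an on-call rotation, or an automated response, should be built around.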


The researchers write that, as a rule, ransomware operators penetrate company networks well in advance (as, for example, in the attack on Epiq Global), then spend time on lateral movement to gain access to as many workstations as possible, and only then manually deploy the malware to all systems and start encryption.

“In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off”, — explain FireEye specialists.

According to FireEye, the time from the initial compromise to the actual attack is on average three days.

As noted above, today ransomware is launched manually by the attackers rather than automatically: most operators keep close control over their malware and carefully choose the most suitable moment to strike and take the network down.

According to FireEye's estimates, the number of such human-operated ransomware attacks has grown by 860% since 2017, and such incidents now affect all sectors and all geographic regions, not just companies in North America.


The most common initial-access vectors in the reviewed incidents, according to the report, were brute-force attacks on exposed RDP services, phishing of employees, pirated software, drive-by downloads, and the use of one already-infected host to spread the malware to others.

The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.

Unknown hacker patches vulnerable Citrix servers https://gridinsoft.com/blogs/unknown-hacker-patches-vulnerable-citrix-servers/ Mon, 20 Jan 2020 16:58:36 +0000
Exploits for the critical vulnerability CVE-2019-19781, found earlier in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), recently appeared in the public domain. Now it is reported that an unknown hacker is accessing vulnerable Citrix servers and patching them.

Recall that according to experts, this problem threatens 80,000 companies in 158 countries and allows hackers to seize devices.

“In almost all cases, Citrix applications are exposed on the perimeter of a company's network, which means they are the most prone to attack. The vulnerability therefore allows an external unauthenticated attacker not only to gain access to published applications, but also to carry out attacks from the Citrix server on other resources of the victim company's internal network,” report experts at Positive Technologies.

The bug is so serious that it is considered one of the most dangerous flaws discovered in recent years.

The main problem is that more than a month passed between the disclosure of the vulnerability and a patch, because Citrix developers were in no hurry to release one. At first the company limited itself to mitigation recommendations explaining how customers could reduce the risk, and the first actual fixes appeared only on January 19, 2020.

After the exploits were published, attacks on vulnerable Citrix installations intensified, as expected, since many hackers hope to compromise an important target: a corporate network, a state server or a government agency.

FireEye experts warned that at least one of the many attackers operates through Tor and behaves strangely: it deploys a payload called NotRobin on hacked servers.

“NotRobin has two main goals. Firstly, it serves as a backdoor into the hacked Citrix device. Secondly, it acts as a kind of antivirus, removing other malware found on the system and thereby preventing others from leaving payloads on this host. No additional malware was installed on infected servers besides NotRobin,” say FireEye analysts.

FireEye researchers doubt that a good Samaritan is behind these attacks. In their report they write that the hacker is most likely just collecting access to vulnerable devices, “cleaning” them, and preparing for the next campaign.

Meanwhile, the image of Greta Thunberg is helping other hackers penetrate networks, so it is unclear which is more cynical and dangerous.
