At the same time, Smith says that the attackers rewrote only 4032 lines of code in Orion, which contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers, according to official figures.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but much more specialists “worked” on the side of the attackers:

Since the attack is attributed to a Russian-speaking hack group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to large-scale attacks on Ukraine, which are also attributed to Russia (although the Russian Federation authorities deny their involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and explained the recent events.

As it turned out, a compromise was discovered in FireEye almost by accident. The fact is that to remotely log into a company’s VPN, employees need a two-factor authentication code, and their accounts are tied to phone numbers. The FireEye security service accidentally noticed that one of the employees linked two phone numbers to his account.

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

The post Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack appeared first on Gridinsoft Blog.

Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.

As a result, victims included major entities like Microsoft, Cisco, FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.

In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”

Now, the unknown individuals claim to be ready to sell the following stolen data:

• $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
• $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
• $50,000: private red team FireEye tools, source codes, binaries, and documentation (39 MB);
• $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).

The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators mimic the well-known hack group The Shadow Brokers, stating that initially, the stolen information will be sold in batches, and later, it will be freely published in the public domain.

It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced having no evidence of the theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check WHOIS information results in the message “You can get no info”.

It remains unknown whether the site operators possess the data they claim to have, or if SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it was found to be nonexistent.

The post Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack appeared first on Gridinsoft Blog.

Let me remind you that unknown hackers attacked SolarWinds and infected its Orion platform with malware.

Among the victims were such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.

A new blog post on Microsoft 365 Defender does not contain new technical details, but experts write that they seem to have identified the ultimate goal of the hackers: after infiltrating companies ‘networks using the SUNBURST (or Solorigate) backdoor, hackers sought to gain access to victims’ cloud resources.

This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.

Microsoft experts note that the end goal of the hackers, apparently, was the creation of SAML (Security Assertion Markup Language) tokens in order to forge authentication tokens that provide access to cloud resources. Thus, hackers were able to extract emails from the accounts of interest.

Microsoft detailed the tactics that attackers used to gain access to cloud resources of their victims:

• Using a compromised SolarWinds DLL to activate a backdoor that allowed remote control and operation of the device;
• Using a backdoor to steal credentials, escalate privileges, and sideways to create valid SAML tokens in one of two ways: steal the SAML signing certificate, add or modify existing federation trusts.
• Using generated SAML tokens to access cloud resources and perform actions leading to theft of emails and retain access to the cloud.

Let me also remind you that SolarWinds hack allowed Russian attackers to infiltrated dozens of US Treasury Department mailboxes.

The post Microsoft says SolarWinds hackers hunted for access to cloud resources appeared first on Gridinsoft Blog.

The list of victims continues to grow, and it is now known that hackers have compromised:

• American information security company FireEye;
• US Department of the Treasury;
• US Department of Commerce National Informatics and Telecommunications Administration (NTIA);
• National Institutes of Health, US Department of Health (NIH);
• Agency for Cybersecurity and Infrastructure Protection, organized by the US Department of Homeland Security (DHS CISA);
• Department of Homeland Security (DHS);
• US Department of State.

Unknown hackers infected the Orion platform, designed for centralized monitoring and control, with SUNBURST (aka Solorigate) malware. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.

Microsoft, FireEye and the US Department of Homeland Security Agency for Cybersecurity and Infrastructure Protection (DHS CISA) released their own indicators of compromise and instructions for working with infected systems.

Among the company’s 300,000 customers, only 33,000 are known to have used Orion, and all of them have already been notified of the incident. At the same time, according to SolarWinds, an infected version of the Orion platform was installed on 18,000 clients.

SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network. Many medias drew attention to the statements of cybersecurity researcher Vinoth Kumar, who claims that the credentials from the SolarWinds update server were freely available in the company’s official GitHub repository back in 2018. According to Kumar, he noticed this leak in November, and the password for the server was simple: “solarwinds123”.

The researcher does not state that this particular credential played any role in the hacking of the Orion platform, but admits that it is possible. The fact is that the malicious Orion binaries were nevertheless signed, which points at a wider compromise of the company’s network.

The theory of leaked credentials is also confirmed by the Reuters news agency, according to whose sources, access to SolarWinds systems for a long time has been for sale on the darknet.

Meanwhile, ZDNet, citing its own industry sources, writes that Microsoft and its partners have seized control of the domain that played a major role in compromising SolarWinds and gave it a sinkhole.

Sources of the publication describe this operation as “protective”, aimed at preventing malware operators from sending new commands to infected computers.

Let me also remind you that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

The post SolarWinds was hacked because its credentials were publicly available on GitHub appeared first on Gridinsoft Blog.

This data is based on dozens of ransomware incident investigations from 2017 to 2019.

“In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization. This observation underscores that threat actors continue working even when most employees may not be”, — said FireEye specialists.

Such statistic is easily explainable, and in most companies there is simply no IT staff who would be on duty at night and on weekends. So, if there is no one to quickly respond to the attack, then attackers have good chances that the encryption process will have time to finish seamlessly on machines throughout the company’s network.

Researchers write that, as a rule, ransomware operators penetrate company networks in advance (as, for example, in the case of an attack on Epiq Global), then spend time on side movements to gain access to the maximum number of workstations, and only then manually install malware on all systems and start the encryption process.

“In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off”, — explain FireEye specialists.

According to FireEye, the time from the initial compromise to the actual attack is on average three days.

As mentioned above, today ransomware attacks are started manually by attackers, but not automatically: most hackers carefully control their malware, and carefully choose when the most suitable time to attack and disable the network.

According to FireEye estimates, since 2017 the number of such people-driven ransomware attacks has increased by a huge 860%, that is, now such incidents affect all sectors and all geographical areas, and not just companies from North America.

The most popular vectors of such attacks, according to the report, were brute force attacks on open RDP ports aimed at phishing employees, pirated software, drive-by attacks, as well as using one infected host to spread the malware to others.

The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.

The post Ransomware attacks most often occur at night and on weekends appeared first on Gridinsoft Blog.

Recall that according to experts, this problem threatens 80,000 companies in 158 countries and allows hackers to seize devices.

In almost all cases, Citrix applications are available on the perimeter of a company’s network, which means they are most prone to attacks. Thus, the vulnerability allows an external unauthorized attacker not only gaining access to published applications, but also carrying out attacks from the Citrix server on other resources of the victim company’s internal network”, – report experts of Positive Technologies.

The bug is so serious that it is considered one of the most dangerous errors discovered in the latest years.

The main problem is that more than a month has passed since the vulnerability was discovered, but Citrix developers were in no hurry to release the patch. At first, the company limited itself to only safety recommendations, explaining to customers how to reduce risks, and the actual correction appeared only on January 19, 2020.

After the publication of the exploits, attacks on vulnerable versions of Citrix intensified, just it was expected, as many hackers hope to compromise some important goal – a corporate network, a state server, or a government agency.

FireEye experts warned that at least one of the many attackers is working under Tor and exhibits strange behavior: it deployes NotRobin payload on hacked servers.

NotRobin has two main goals. Firstly, it serves as a backdoor for a hacked Citrix device. Secondly, it is a kind of antivirus, removing another malware found in the system and thereby preventing leaving payload on this host. No additional malware was installed on infected servers besides NotRobin”, – say FireEye analysts.

FireEye researchers doubt that some kind Samaritan is behind these attacks. In their report, they write that the hacker, most likely, only collects access to vulnerable devices, “cleans them” and prepares for the next campaign

As at the same time image of Greta Tunberg helps other hackers to penetrate the network, it is unclear what or who is more cynical and dangerous.

The post Unknown hacker patches vulnerable Citrix servers appeared first on Gridinsoft Blog.