SolarWinds Campaign Even Wider Than First Thought

Uploaded on 2021-04-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW

A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. The catastrophic SolarWinds security incident involved the compromise of the IT software vendor's network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst

Now researchers have now uncovered eighteen additional command-and-control servers used in the SolarWinds hacking campaign, indicating that the operation was broader in scope than previously known.  The researchers found that this infrastructure was registered under varying names and at different times over several years to avoid establishing a traceable pattern. 

The White House, together with the UK government, has blamed the attacks on state-backed Russian cyber criminals, the  APT29 group otherwise known as Cozy Bear.

The servers, which the hackers used to communicate with infected machines and send additional malware to them, may help point investigators to previously unidentified victims, according to researchers with RiskIQ’s Atlas Team. Investigators had previously identified about three dozen command-and-control servers used in the operation. The new findings expand that infrastructure by more than half. 

RiskIQ also uncovered  evidence that two servers previously identified as part of the hackers’ infrastructure were active on February 27, 2020, evidently pushing malware out to infected victims. The two servers, which used the domain names globalnetworkissues.com and seobundlekit.com, were part of the so-called “second-stage” operation that delivered additional malware to victims after they were already infected with compromised SolarWinds software.

If the two servers were pushing out second-stage malware to victims in February, this raises the possibility that either a previously unknown version of the SolarWinds software was compromised and infected customers in February, or the attackers were pushing second-stage malware to victims who had been infected in some other way, not through the compromised SolarWinds software. 

RiskIQ say that their findings will "likely lead to newly identified targets." US-CERT was made aware of RiskIQ's findings prior to public disclosure. 

CERT CISA:     SolarWinds:      Risk IQ:      ZDNet:     Kim Zetter:      Image: Unsplash

You Might Also Read: 

A Successful Solar Winds Investigation:

 

« Better Cyber Security For Smart Devices
WEBINAR: How to fuel your DevSecOps in AWS »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CloudSigma

CloudSigma

CloudSigma, a pure-cloud IaaS provider offers flexible and innovative cloud hosting solutions for companies of all sizes both in Europe and the US.

EclecticIQ

EclecticIQ

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

AVL Mobile Security

AVL Mobile Security

AVL Mobile Security is a market-leading mobile security company for anti-virus and threat intelligence in the mobile Internet.

redGuardian

redGuardian

redGuardian is a DDoS mitigation solution available both as a BGP-based service and as an on-premise platform.

OCM Business Systems

OCM Business Systems

OCM are experts in the safe, secure and responsible disposal of IT & EPoS assets.

Level39 (L39)

Level39 (L39)

Level39 is the world's most connected tech community, with over 200 tech startups and scaleups based onsite.

Threat Status

Threat Status

Threat Status are a Threat Intelligence company. We are the developers of Trillion. A cloud based Security As A Service (SaaS) platform.

Flix11

Flix11

Flix11 is a Cyber Security & ICT Solutions focused company. We provide a range of products and services in Cyber Security, Internet of Things (IoT) and infrastructure solutions.

e-Careers

e-Careers

e-Careers is an edtech institution that provides industry recognised courses and up-skilling solutions to individuals and organisations.

Fusion Risk Management

Fusion Risk Management

Fusion Risk Management focuses on operational resilience encompassing business continuity, risk management, IT risk, and crisis and incident management.

Vectra AI

Vectra AI

Vectra threat detection & response - see and stop threats across hybrid and multi-cloud enterprises.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

Trojan Horse Security

Trojan Horse Security

Trojan Horse Security are specialists in corporate security. Our services include: Comprehensive Cyber Security Analysis, Penetration Testing, Network Security and Security Audits.

PeoplActive

PeoplActive

PeoplActive is an IT consulting and recruitment services organization with leading capabilities in digital, cloud and security.

FearsOff

FearsOff

FearsOff is a global information security company serving clients worldwide. White hat operators with a black hat mindset to emulate real world attacks and everchanging threat vectors.