
SolarWinds Hackers Are Back Again With New Techniques To Compromise Victims

Almost a year ago, security researchers uncovered one of the worst breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network-management provider SolarWinds and, from there, the networks of some 100 of the company's most prominent customers, including nine US federal agencies.

Nobelium, as Microsoft calls the attackers, was eventually evicted from those networks, but the group never gave up and, if anything, has grown bolder and more adept at attacking large numbers of targets in a single operation. The latest evidence of Nobelium's skill comes from security firm Mandiant, which published research on Monday showing the group's various accomplishments, and a few gaffes, as it continued to break into the networks of some of its most valuable targets.

Nobelium's TTPs (hacker terminology for tactics, techniques, and procedures) were one of the factors that made it so dangerous. Rather than breaking into each target one by one, the group hacked into SolarWinds' network and leveraged that access, along with customers' trust in the company, to distribute a malicious update to around 18,000 clients.

Some of the tactics Mandiant has recently observed include:

  • Compromise of multiple technology solutions, services, and reseller companies since 2020.
  • Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
  • Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
  • Use of both residential IP proxy services and newly provisioned, geo-located infrastructure to communicate with compromised victims.
  • Use of novel TTPs to bypass security restrictions within environments, including, but not limited to, the extraction of virtual machines to determine internal routing configurations.
  • Use of a new bespoke downloader Mandiant calls CEELOADER.
  • Abuse of multi-factor authentication by leveraging "push" notifications on smartphones.
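The last item in that list is the one a SOC can hunt for directly: an attacker who already holds a valid password sends push prompt after push prompt until the user taps "approve". The following detector is an added example written for this page, not Mandiant's code or any vendor's detection rule. The log format (one line per MFA event with timestamp, user, event type and source IP), the event names `push_denied`, `push_timeout` and `push_approved`, the sample data and the thresholds (three or more unapproved prompts within ten minutes) are all constructed assumptions; map them to whatever your identity provider actually exports.

```python
"""Flag MFA push-fatigue patterns in constructed MFA log lines (added example, not the page's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. Columns: timestamp user event source_ip
SAMPLE_LOG = """\
2021-12-06T08:00:05Z alice push_timeout 203.0.113.10
2021-12-06T08:01:12Z alice push_denied 203.0.113.10
2021-12-06T08:02:30Z alice push_timeout 203.0.113.10
2021-12-06T08:03:45Z alice push_denied 203.0.113.10
2021-12-06T08:05:02Z alice push_approved 203.0.113.10
2021-12-06T09:15:00Z bob push_approved 198.51.100.7
2021-12-06T10:00:00Z carol push_denied 198.51.100.9
2021-12-06T15:30:00Z carol push_approved 198.51.100.9
2021-12-06T11:00:00Z dave push_denied 203.0.113.44
2021-12-06T11:00:30Z dave push_denied 203.0.113.44
2021-12-06T11:01:00Z dave push_timeout 203.0.113.44
2021-12-06T11:01:30Z dave push_denied 203.0.113.44
"""

# Assumed event names: anything here means the prompt was sent but not accepted.
UNAPPROVED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the assumed line format into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_push_fatigue(events, min_prompts=3, window=timedelta(minutes=10)):
    """Return one alert per user who received a burst of unapproved prompts.

    Pattern 1: >= min_prompts unapproved prompts inside `window` (attacker hammering the user).
    Pattern 2: an approval within `window` after that burst (the user finally gave in); this is
    the case that needs immediate response, so the alert records whether it happened and from where.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in sorted(by_user.items()):
        unapproved = [e for e in evs if e[2] in UNAPPROVED]
        burst = None
        for start in unapproved:
            in_window = [e for e in unapproved if start[0] <= e[0] <= start[0] + window]
            if len(in_window) >= min_prompts:
                burst = in_window
                break
        if burst is None:
            continue  # a single denied prompt hours before an approval (carol) is normal noise
        last_prompt = burst[-1][0]
        approvals = [e for e in evs
                     if e[2] == "push_approved" and last_prompt <= e[0] <= last_prompt + window]
        alerts.append({
            "user": user,
            "unapproved_prompts": len(burst),
            "burst_start": burst[0][0].isoformat(),
            "prompt_ips": sorted({e[3] for e in burst}),
            "approved": bool(approvals),
            "approval_ip": approvals[0][3] if approvals else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields two alerts: alice, whose four unapproved prompts were followed by an approval (treat as a likely compromised session and revoke it), and dave, whose burst was never approved (an attempt in progress, so the password is already known to the attacker and should be reset). Bob and carol produce nothing.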

Last December, security firm Volexity reported how Nobelium bypassed multi-factor authentication: after gaining administrator privileges on a target's network, the group stole a cryptographic key (the MFA integration secret) from a server running Outlook Web App, which enterprises use to provide account authentication for various network services, and used that key to generate the cookie the MFA provider accepted as proof of a completed second factor.

In October, Microsoft revealed that Nobelium-affiliated hackers infiltrated cloud service providers in the United States and Europe in order to “abuse existing technical trust connections between the provider organisations and the governments, think tanks, and other corporations they serve.”

Finally, the researchers concluded that "this intrusion activity shows a well-resourced threat actor set operating with a high level of care for operational security," adding: "By abusing a third party, in this case a CSP, access to a large number of prospective victims can be facilitated with a single compromise."

Indicators of Compromise

Hashes for Known Activity:

  • diag.ps1 (MD5: 1d3e2742e922641b7063db8cafed6531)
    • BEACON.SMB malware connecting to \\.\pipe\chrome.5687.8051.183894933787788877a1
  • vcredist.ps1 (MD5: 273ce653c457c9220ce53d0dfd3c60f1)
    • BEACON malware connecting via HTTPS to nordicmademedia[.]com
  • logo.png (MD5: 3304036ac3bbf6cb2205e30226c89a1a)
  • LocalData.dll (MD5: 3633203d9a93fecfa9d4d9c06fc7fe36)
  • Unknown (MD5: e5aacf3103af27f9aaafa0a74b296d50)
    • BEACON malware connecting via HTTPS to nordicmademedia[.]com
  • DiagView.dll (MD5: f3962456f7fc8d10644bf051ddb7c7ef)

IP Addresses Used for Authenticating Through Public VPN Providers:

Note: Mandiant has removed anonymized addresses from this list; the remaining addresses are from legitimate hosting providers.

  • 20.52.144[.]179
  • 20.52.156[.]76
  • 20.52.47[.]99
  • 51.140.220[.]157
  • 51.104.51[.]92
  • 146.105.10[.]215
  • 176.67.86[.]130
  • 176.67.86[.]52

IP Addresses Used for Authenticating From the Mobile Proxy Providers:

  • 216.155.158[.]133
  • 63.75.244[.]119
  • 63.162.179[.]166
  • 63.162.179[.]94
  • 63.75.245[.]144
  • 63.75.245[.]239
  • 63.75.247[.]114

IP Addresses Used for Command and Control:

  • 91.234.254[.]144
  • 23.106.123[.]15

URL Addresses Used for Command and Control:

  • nordicmademedia[.]com
  • stonecrestnews[.]com

URL Addresses of Compromised WordPress Sites Hosting CEELOADER Payloads:

Note: Mandiant believes the actor hosted a malicious payload on the following domains.

  • tomasubiera[.]com
  • theandersonco[.]com
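The indicators above are published defanged (`[.]` in place of `.`), so the first thing a responder does is refang them and sweep DNS, VPN, firewall, mail and EDR logs for hits, keeping the category (C2 domain vs. VPN egress vs. mobile proxy) because each implies a different response. The script below is an added example written for this page, not Mandiant's tooling. The indicator values are copied from the list above; the log line formats, the sample log and the EDR `md5=` field are constructed assumptions for illustration. Note that a hit on the "VPN provider" addresses means an authentication came from an anonymizing exit shared with other customers, so it is a lead to correlate with the user's normal geography, not proof of compromise on its own.

```python
"""Sweep constructed log lines and file hashes for the indicators listed above (added example)."""
import hashlib
import re

# Indicators copied from the Mandiant list on this page, still in defanged form.
RAW_IOCS = {
    "md5": ["1d3e2742e922641b7063db8cafed6531", "273ce653c457c9220ce53d0dfd3c60f1",
            "3304036ac3bbf6cb2205e30226c89a1a", "3633203d9a93fecfa9d4d9c06fc7fe36",
            "e5aacf3103af27f9aaafa0a74b296d50", "f3962456f7fc8d10644bf051ddb7c7ef"],
    "vpn_auth_ip": ["20.52.144[.]179", "20.52.156[.]76", "20.52.47[.]99", "51.140.220[.]157",
                    "51.104.51[.]92", "146.105.10[.]215", "176.67.86[.]130", "176.67.86[.]52"],
    "mobile_proxy_ip": ["216.155.158[.]133", "63.75.244[.]119", "63.162.179[.]166",
                        "63.162.179[.]94", "63.75.245[.]144", "63.75.245[.]239", "63.75.247[.]114"],
    "c2_ip": ["91.234.254[.]144", "23.106.123[.]15"],
    "c2_domain": ["nordicmademedia[.]com", "stonecrestnews[.]com"],
    "ceeloader_host": ["tomasubiera[.]com", "theandersonco[.]com"],
}


def refang(indicator):
    """Turn a defanged indicator ('evil[.]com', 'hxxp://') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {cat: {refang(i) for i in vals} for cat, vals in RAW_IOCS.items()}
# Reverse index: indicator -> category, so scanning is a dictionary lookup per token.
LOOKUP = {ind: cat for cat, inds in IOCS.items() for ind in inds}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def scan_line(line):
    """Return sorted [(category, indicator)] for every known indicator appearing in one line."""
    hits = set()
    for regex in (IPV4, HOSTNAME, MD5):
        for token in regex.findall(line):
            token = token.lower()
            if token in LOOKUP:
                hits.add((LOOKUP[token], token))
    return sorted(hits)


def scan_log(text):
    """Scan a whole log; returns [(line_number, category, indicator)] in line order."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        for cat, ind in scan_line(line):
            results.append((n, cat, ind))
    return results


def md5_of_bytes(data):
    """MD5 of file content, for comparing on-disk files against the published sample hashes."""
    return hashlib.md5(data).hexdigest()


def check_hash(hexdigest):
    """True if the hash is one of the published sample hashes (case-insensitive)."""
    return hexdigest.lower() in IOCS["md5"]


# Constructed sample log lines (not real telemetry) from the log sources a SOC would sweep.
# The format of each line is an assumption made for this example.
SAMPLE_LOG = """\
2021-12-06T12:00:01Z dns client=10.0.0.5 qname=example.com type=A
2021-12-06T12:00:07Z dns client=10.0.0.5 qname=nordicmademedia.com type=A
2021-12-06T12:01:30Z vpn auth user=alice src=20.52.144.179 result=success
2021-12-06T12:02:14Z fw allow src=10.0.0.5 dst=91.234.254.144:443
2021-12-06T12:03:00Z mail login user=bob src=63.75.244.119 proto=EWS
2021-12-06T12:04:45Z edr file=C:\\Users\\bob\\diag.ps1 md5=1D3E2742E922641B7063DB8CAFED6531
2021-12-06T12:05:10Z proxy user=carol host=theandersonco.com method=GET
"""

if __name__ == "__main__":
    for n, cat, ind in scan_log(SAMPLE_LOG):
        print(f"line {n}: {cat} -> {ind}")
```

Run against the constructed log, this reports six hits, one per indicator category: the C2 domain lookup, the VPN-exit authentication, the firewall connection to a C2 IP, the EWS login from a mobile-proxy address, the EDR record carrying the `diag.ps1` hash (matched despite upper-case hex), and the fetch from a WordPress host that served CEELOADER. The `example.com` query and the RFC 1918 client addresses produce nothing.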
