Who’s hiding in there?
Monday, January 18, 2021
Our research on the APT attacks carried out against state institutions in Kazakhstan and Kyrgyzstan, the results of which were published in October 2020, showed among other things that cybercriminals had unauthorised access to the networks for more than three years, and that several hacker groups may have been behind those attacks at the same time: the networks were simultaneously inhabited by malicious programs of various origins. And this is understandable: if a corporate security system has loopholes (a weak password, a software vulnerability left open because security updates were not installed, users working with permissions that allow them to install unauthorised software in the company...), many hacker groups can take advantage of them. One example that everyone is talking about is SolarWinds.
Meanwhile, additional details have emerged in connection with the scandal caused by SolarWinds. The credentials of the SolarWinds update server, from which the malicious updates were distributed, were freely available on GitHub as early as last year: information about that has been available since at least November 2019. Recall that the SolarWinds updates containing malicious content were available to the company's clients from March to June 2020 on the company's servers and carried the developer's legitimate digital signature. This means that the password became available on the Internet substantially later. And we do not know whether the password was changed. The trial attack on the SolarWinds network was reportedly carried out in October 2019. However, this may just be a coincidence, because the password published on GitHub was extremely simple (solarwinds123, without so much as a capital letter) and could therefore have been guessed by simple brute force before it was ever discovered on GitHub.
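The point about the password is worth making concrete from the defender's side: a credential of the form "company name plus a short digit suffix" fails every basic audit rule long before anyone has to find it on GitHub. The following is an added example, not code from the Anti-virus Times or from SolarWinds, showing a small credential audit of the kind a team can run over its own configuration files before they are committed anywhere. The organisation names, the rule thresholds and the sample settings file are assumptions constructed for the example; the only value taken from the post is the quoted password itself.

```python
import re
import string
from typing import Dict, List

# Assumed organisation/product names to test passwords against (constructed for the example).
ORG_NAMES = ("solarwinds", "orion")

# Constructed settings file standing in for something that might end up in a public repository.
SAMPLE_CONFIG = """\
# constructed ftp settings file for the example
ftp_host = updates.example.invalid
ftp_user = deploy
ftp_password = solarwinds123
api_token = "kT9#vq!Lw2e$Zr"
timeout = 30
"""

# Keys whose values are worth treating as credentials when scanning text.
CREDENTIAL_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:password|passwd|pwd|secret|token|api_?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?(?P<value>[^\"'\s]+)",
    re.IGNORECASE,
)


def character_classes(password: str) -> int:
    """Number of distinct character classes (lower, upper, digit, symbol) present."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def audit_password(password: str, org_names=ORG_NAMES) -> List[str]:
    """Return the list of policy findings for a password; an empty list means it passed."""
    findings = []
    lowered = password.lower()
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    if character_classes(password) < 3:
        findings.append("fewer than three character classes")
    for name in org_names:
        if name in lowered:
            findings.append(f"contains organisation/product name '{name}'")
    # A lowercase word followed by one to four digits is a trivial guess for any wordlist attack.
    if re.fullmatch(r"[a-z]+\d{1,4}", password):
        findings.append("dictionary word followed by short digit suffix")
    return findings


def find_credentials(text: str) -> List[Dict[str, object]]:
    """Locate key/value assignments in configuration text whose key looks credential-like."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = CREDENTIAL_KEY.match(line)
        if match:
            found.append({"line": line_no, "key": match["key"], "value": match["value"]})
    return found


def audit_config(text: str) -> List[Dict[str, object]]:
    """Combine the two steps: every credential in the text that fails the password audit."""
    weak = []
    for entry in find_credentials(text):
        findings = audit_password(str(entry["value"]))
        if findings:
            weak.append({"line": entry["line"], "key": entry["key"], "findings": findings})
    return weak


if __name__ == "__main__":
    for item in audit_config(SAMPLE_CONFIG):
        print(f"line {item['line']} ({item['key']}): " + "; ".join(item["findings"]))
```

Run against the constructed file, the audit reports the `ftp_password` line three times over (too few character classes, contains the product name, word-plus-digits pattern) while the randomly generated token passes. The same two functions can be pointed at a whole repository before it is published, which is the check the post's scenario most clearly calls for.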
So, it is hardly surprising that it has been suggested that the SolarWinds network bears traces of yet another hacker group, one using the Supernova web shell, which is not signed with a legitimate SolarWinds certificate (unlike the previously detected SUNBURST). Supernova is assumed to have been used to infect SolarWinds Orion installations exposed to the Internet by exploiting vulnerabilities similar to CVE-2019-8917.
The Anti-virus Times recommends
Above we noted that the malicious updates were distributed over several months, and none of the companies that downloaded them noticed anything suspicious. This reminded us of other research of ours into a miner that had been built into software widely used in Russia, in companies with a variety of protection systems. And nobody paid any attention to the increased load on their servers.
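The increased load that went unnoticed is exactly the kind of symptom a simple baseline can catch. As an added illustration, not code from the Anti-virus Times or from any product mentioned here, the block below learns a per-hour-of-day baseline from a week of CPU-utilisation samples and raises an alert only when readings stay above the baseline for several consecutive hours, so that a single busy hour does not page anyone. The sample series, the robust-threshold factor and the run length are constructed assumptions for the example.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed hourly CPU-utilisation samples (percent) for one server: a week of normal
# operation with a daytime plateau and small jitter, followed by 48 hours of a sustained
# rise of the sort a resident miner produces.
BASELINE_HOURS = 7 * 24
NORMAL = [
    18 + (22 if 8 <= h % 24 < 19 else 0) + (h * 7 % 5)
    for h in range(BASELINE_HOURS)
]
ELEVATED = [v + 45 for v in NORMAL[:48]]
SAMPLES = NORMAL + ELEVATED


def hourly_baseline(samples: List[float], baseline_hours: int) -> Dict[int, Tuple[float, float]]:
    """Median and median absolute deviation of the training window, grouped by hour of day."""
    by_hour: Dict[int, List[float]] = {h: [] for h in range(24)}
    for idx in range(baseline_hours):
        by_hour[idx % 24].append(samples[idx])
    baseline = {}
    for hour, values in by_hour.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        baseline[hour] = (med, mad)
    return baseline


def flag_elevated(samples: List[float], baseline_hours: int,
                  k: float = 5.0, min_mad: float = 2.0) -> List[int]:
    """Indices after the training window whose value exceeds median + k * MAD for that hour.

    The MAD is floored at min_mad so a very quiet baseline does not make the threshold
    hypersensitive to ordinary noise.
    """
    baseline = hourly_baseline(samples, baseline_hours)
    flagged = []
    for idx in range(baseline_hours, len(samples)):
        med, mad = baseline[idx % 24]
        if samples[idx] > med + k * max(mad, min_mad):
            flagged.append(idx)
    return flagged


def first_sustained_alert(flagged: List[int], run_length: int = 3) -> Optional[int]:
    """Index at which run_length consecutive flagged hours have accumulated, or None."""
    run = 0
    prev = None
    for idx in flagged:
        run = run + 1 if prev is not None and idx == prev + 1 else 1
        prev = idx
        if run >= run_length:
            return idx
    return None


if __name__ == "__main__":
    flagged = flag_elevated(SAMPLES, BASELINE_HOURS)
    alert_at = first_sustained_alert(flagged)
    print(f"{len(flagged)} elevated hours; first sustained alert at hour index {alert_at}")
```

On the constructed series every one of the 48 elevated hours is flagged and the sustained alert fires at the third of them, while replaying a second normal week through the same baseline produces no flags at all. Per-hour-of-day grouping is what keeps the daytime plateau from being mistaken for an anomaly; in practice the same logic runs over whatever utilisation metric the monitoring stack already exports.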
Unfortunately, our research and the SolarWinds case show that companies' networks can be compromised by malicious programs, including ones delivered with updates for the systems in use.
Therefore, we recommend that you check program updates in our Dr.Web vxCube service before installing them.