A surprise-laden delivery
Tuesday, February 2, 2021
When people talk about embedded malicious software, the first things that come to mind are email, removable media, and infected websites. Indeed, hackers use all these intrusion methods. But these methods have a big disadvantage (in the eyes of cybercriminals, of course): there is no way of knowing whether a given recipient will open a trojan-laced message, or whether their account has the permissions the trojan needs to run. In addition, the user may be shrewd, and the message may be filtered out by anti-spam. Or, after all, the launch of programs on the PC may be tightly restricted.
Of course, cybercriminals can try to hack the PC of a specific user by cracking the password or exploiting vulnerabilities. But the password can be strong, and the vulnerabilities may have been closed with security updates.
However, these are not the only ways malware can penetrate computers. Instead of penetrating the PC of a specific user, it can penetrate the local network of the developer whose software is being used on that PC. A single hack, and all the customers of this software developer will be infected (more specifically, those who install updates, which is the minimum requirement for closing vulnerabilities). Pick any victim you like!
Attacks on suppliers. This kind of attack became known to the public after the NotPetya outbreak (Trojan.Encoder.12544), when attackers hacked the Ukrainian company Intellect Service, the developer of the M.E.Doc document flow system. At the same time, recommendations on how to prevent such attacks were published. Although many years have passed, attacks are still being carried out.
Let's take a look back since we are talking about Trojan.Encoder.12544.
Reuters published an interview with M.E.Doc’s developers, who stated that their application contains no malicious functionality.
Such is life...
Some hackers compromised the servers of the American software developer SolarWinds and embedded malicious code in an update for its Orion software. As was reported, the hacking was discovered after tools used by the information security company FireEye were leaked. An investigation determined that the malware "came" to FireEye during the SolarWinds software updating process. Immediately afterwards, a news post was published about data having been leaked from the U.S. Treasury Department and the National Telecommunications and Information Administration (also clients of SolarWinds).
By the way, part of the SolarWinds software is being created on an outsourced basis in Belarus, in the Velcom business center, located in Minsk at 36 Internatsionalnaya Street, where the Belarusian office of SolarWinds with 100 developers is based. Maybe Orion was also written there.
SolarWinds confirmed that Orion was infected. Orion is software for the centralised monitoring and management of IT resources in large networks, including servers, workstations, mobile and IoT devices, etc. (a Network Management System, or NMS). The malicious software was delivered to customers (and there are more than 300,000 of them, including Cisco and Apple) in March-June 2020.
What's interesting is that the malware (named SUNBURST) did not start its activity immediately. It waited from 12 to 14 days before starting its malicious activity, a technique we have already met, in particular, on Android systems. It is designed to make users forget what they have installed. Second, the trojan has a software blacklist. If processes from this list are detected, the trojan does not carry out any malicious activity. However, when services from the blacklist are found, it tries to change their startup type to Disabled: a rather primitive attempt to stop them from running.
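The attempt to switch security services to Disabled is something a defender can look for in the Windows System log: the Service Control Manager records every startup-type change as event 7040, with a message of the form "The start type of the X service was changed from auto start to disabled." The following script is an added example, not code from the article or from Doctor Web: it parses a handful of constructed log lines in a simple "timestamp|EventID|message" layout (not a real export format) and flags every 7040 event that sets a service from a watchlist to disabled. The service names in the watchlist are placeholders chosen for the example, not SUNBURST's actual blacklist.

```python
import re
from dataclasses import dataclass

# Display names of services a defender would not expect to see disabled.
# These are constructed placeholders for the example, not a real vendor list.
WATCHED_SERVICES = {
    "Example EDR Sensor",
    "Example Antivirus Service",
    "Example Security Event Forwarder",
}

# Message text of Service Control Manager event 7040:
# "The start type of the <display name> service was changed from <old> to <new>."
_7040_RE = re.compile(
    r"The start type of the (?P<name>.+?) service was changed from "
    r"(?P<old>[\w ]+?) to (?P<new>[\w ]+?)\.$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    service: str
    old_start: str
    new_start: str


def parse_event_line(line: str):
    """Split a constructed 'timestamp|EventID|message' line into its parts."""
    ts, event_id, message = line.split("|", 2)
    return ts.strip(), int(event_id), message.strip()


def find_disabled_watched_services(lines, watched=WATCHED_SERVICES):
    """Return a Finding for each 7040 event that disables a watched service."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, message = parse_event_line(line)
        if event_id != 7040:
            continue
        m = _7040_RE.match(message)
        if not m:
            continue
        # Only a transition *to* disabled on a watched service is interesting;
        # re-enabling a service, or changes to unrelated services, are ignored.
        if m["new"].lower() == "disabled" and m["name"] in watched:
            findings.append(Finding(ts, m["name"], m["old"], m["new"]))
    return findings


# Constructed sample log: two watched services get disabled within a second of
# each other, one unrelated service changes, and one watched service is re-enabled.
SAMPLE_LOG = """\
2020-06-02T03:14:07Z|7036|The Example EDR Sensor service entered the running state.
2020-06-15T04:02:11Z|7040|The start type of the Example EDR Sensor service was changed from auto start to disabled.
2020-06-15T04:02:12Z|7040|The start type of the Example Antivirus Service service was changed from auto start to disabled.
2020-06-15T04:02:13Z|7040|The start type of the Print Spooler service was changed from auto start to demand start.
2020-06-16T09:00:00Z|7040|The start type of the Example Security Event Forwarder service was changed from disabled to auto start.
"""

if __name__ == "__main__":
    for f in find_disabled_watched_services(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.service}: {f.old_start} -> {f.new_start}")
```

Several watched services being disabled within seconds of each other, as in the sample, is the pattern worth alerting on; a single change made during a maintenance window is usually an administrator.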
FireEye reports that the networks of many of SolarWinds' customers around the world, in North America, Europe and Asia, have been compromised. And, reportedly, in Russia, too. So, perhaps, Russian companies were under attack, and all the others caught a stray fist 😊 What's curious is that SolarWinds filed a report with the U.S. Securities and Exchange Commission (SEC), where it stated that fewer than 18,000 out of its 33,000 customers who use Orion downloaded the malicious update. What does that really mean? It means that 15,000 customers did not update Orion, and most likely, an older version was in use for at least six months. That is why they have a variety of loopholes.
Once the infection was detected, the National Security Council was gathered to discuss the consequences of the possible data theft from the U.S. Treasury Department and the National Telecommunication and Information Administration (NTIA). Most likely, another round of recommendations will be made. Once again.
Attacks carried out on supply chains are not news. Doctor Web reported on a similar situation in 2011, when pharmacy chains were attacked in southern regions of the Russian Federation (that time our specialists gained full control over the Dande botnet, thanks to which, over the course of six months, our security analysts were able to monitor the behaviour of the botnet). And after the news post about SolarWinds, we published another one about the Amital software development company's servers getting compromised, affecting dozens of Israeli importers and logistics companies.
We do not know whether anything was stolen from US government organisations. Pentest tools belonging to FireEye were stolen and made available on the Internet, and such tools are, in essence, designed for breaking into company networks. FireEye itself notes that it has not detected these tools being distributed or used by attackers. But not much time has elapsed.
Interestingly, at one time, M.E.Doc recommended that all those using its software product disable the anti-virus. Time marches on, and the recommendations are still "alive". On SolarWinds' technical support page (since corrected, but the Internet remembers everything) users were advised to disable anti-virus scanning for NMS Orion files and folders.
And, in general, SolarWinds apparently has many security issues. Even after the media published information about the hacking and the scandal that followed, SolarWinds did not care to remove several infected builds from its server. And even earlier, it was reported that the company's systems could possibly be accessed by outsiders.
The Anti-virus Times recommends
- If possible, run the software without administrator permissions.
- The server software should be run on separate virtual machines or containers.
Suspicious behaviour of this kind can be detected with the help of Dr.Web Preventive Protection, which tracks all software requests to system resources, and with the help of Dr.Web Application Control, whose statistics show the launch of any software on a computer.
We also remind you that Doctor Web provides services that analyse software of any complexity.