Pirates of Solar Winds a whole set of new tricks for fierce attacks

Exterior view of SolarWinds headquarters in Austin

About a year ago, security researchers uncovered one of the worst data breaches in recent history: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds, and from there the networks of the company's major clients, including 9 US federal agencies.

Microsoft named the hackers "Nobelium". They were eventually expelled from the company's networks, but the group never gave up, and arguably became more daring and more adept at hacking large numbers of targets in one fell swoop.


Most recently, security firm Mandiant on Monday published a report detailing many of Nobelium's tricks, and some of its mistakes, as the group has continued to penetrate high-value networks.

Abuse of trust

One of the things that let Nobelium do so much damage is its innovation in TTPs, hacker shorthand for the tactics, techniques, and procedures used in an intrusion. Instead of hacking each target one by one, the group compromised SolarWinds' own network and exploited the trust its clients placed in the company to push a malicious update to nearly 18,000 of them.

In this way the hackers could infiltrate all of these entities at once. It is similar to a thief breaking into a locksmith's shop and obtaining a master key that unlocks the doors of every building in the neighborhood, avoiding having to pick each lock individually. The Nobelium method was not only scalable and effective, but also made it easier to hide its traces, because the customers trusted SolarWinds.

The Mandiant report shows that Nobelium's ingenuity has not waned. Since last year, the company's researchers say, the two hacking groups associated with the SolarWinds hack, tracked as UNC3004 and UNC2652, have continued to devise new ways to hack large numbers of targets efficiently.

A Golden SAML is like a master vault key that unlocks every service that uses Security Assertion Markup Language (Getty Images)

Instead of compromising SolarWinds' networks again, the groups hit the networks of cloud solution providers and managed service providers, known as CSPs: third-party outsourcing companies that run servers, perform maintenance and provide the other technical services that many large companies rely on for a wide range of IT needs. The hackers then found clever ways to use these compromised providers to hack the providers' customers.

"This intrusion activity reflects the capabilities of this group that is planning a high-level security threat targeting technical operations," the Mandiant report said.

And the advanced tradecraft did not stop there. According to Mandiant, the groups also used credentials stolen by other, financially motivated hackers, who deploy crimeware such as Cryptbot, an information-stealing program that harvests the victim's credentials, browser data and cryptocurrency wallets.

These stolen credentials allowed UNC3004 and UNC2652 to breach targets even when no compromised service provider was involved.

Once inside a network, the hackers compromised the organization's spam filtering system or similar programs. These systems filter mail for the whole organization and can therefore access email or other data belonging to any account in the network, so compromising this one account saved the trouble of breaking into each account separately.

They also used clever ways to bypass security restrictions, such as creating virtual machines inside the networks they wanted to penetrate in order to route their traffic internally.

They also gained access to a company's Active Directory hosted in Azure and used this central management tool to steal the cryptographic keys that generate authentication tokens, letting them mint tokens that bypass corporate two-factor authentication.

This technique gave the hackers what is known as a Golden SAML, which is like a master vault key that unlocks every service that uses Security Assertion Markup Language, the protocol that underpins single sign-on, two-factor authentication, and other security mechanisms.
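Because a Golden SAML token is signed with the identity provider's real key, the signature on the token checks out and the service provider cannot tell it from a legitimate one. What the attacker cannot do is make the identity provider log an issuance event it never performed. The example below is added here to illustrate that defensive check; it is not code from the article or from Mandiant. It correlates constructed service-provider sign-in records against constructed identity-provider token issuance records and flags tokens with no matching issuance or with a validity period far longer than policy allows. The log field names, users and timestamps are all invented for the example.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp like 2021-12-06T09:00:05Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: tokens the identity provider (IdP) recorded as issued.
IDP_TOKEN_EVENTS = [
    {"ts": "2021-12-06T09:00:05Z", "user": "alice@corp.example", "assertion_id": "_a1"},
    {"ts": "2021-12-06T09:12:40Z", "user": "bob@corp.example", "assertion_id": "_b1"},
]

# Constructed sample: assertions the service provider (SP) accepted. The third
# entry models a forged token: valid signature, MFA claim present, but the IdP
# never issued it, and it is valid for a year.
SP_SIGNIN_EVENTS = [
    {"ts": "2021-12-06T09:00:07Z", "user": "alice@corp.example", "assertion_id": "_a1",
     "not_before": "2021-12-06T09:00:00Z", "not_on_or_after": "2021-12-06T10:00:00Z",
     "mfa_claimed": True},
    {"ts": "2021-12-06T09:12:42Z", "user": "bob@corp.example", "assertion_id": "_b1",
     "not_before": "2021-12-06T09:12:00Z", "not_on_or_after": "2021-12-06T10:12:00Z",
     "mfa_claimed": True},
    {"ts": "2021-12-06T02:31:10Z", "user": "carol@corp.example", "assertion_id": "_c9",
     "not_before": "2021-12-06T02:00:00Z", "not_on_or_after": "2022-12-06T02:00:00Z",
     "mfa_claimed": True},
]


def find_unbacked_tokens(idp_events, sp_events,
                         window=timedelta(minutes=5),
                         max_lifetime=timedelta(hours=8)):
    """Return SP sign-ins that the IdP's own records do not account for.

    A token is flagged when (a) the IdP has no issuance event for that
    assertion ID and user, (b) the SP accepted it outside the expected
    window after issuance, or (c) its NotBefore/NotOnOrAfter span exceeds
    the lifetime the organisation's policy allows.
    """
    # Index issuance events by (assertion_id, user) for O(1) lookup.
    issued = {(e["assertion_id"], e["user"]): parse_ts(e["ts"]) for e in idp_events}
    findings = []
    for ev in sp_events:
        reasons = []
        accepted_at = parse_ts(ev["ts"])
        issued_at = issued.get((ev["assertion_id"], ev["user"]))
        if issued_at is None:
            reasons.append("no matching IdP issuance event")
        elif not (timedelta(0) <= accepted_at - issued_at <= window):
            reasons.append("accepted outside issuance window")
        lifetime = parse_ts(ev["not_on_or_after"]) - parse_ts(ev["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        if reasons:
            findings.append({"user": ev["user"],
                             "assertion_id": ev["assertion_id"],
                             "mfa_claimed": ev["mfa_claimed"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unbacked_tokens(IDP_TOKEN_EVENTS, SP_SIGNIN_EVENTS):
        print(f"{f['user']} ({f['assertion_id']}): " + "; ".join(f["reasons"]))
```

The point of the correlation is that the signature check alone is not a trust boundary once the signing key has left the identity provider; the issuance log, kept on a system the attacker did not control, is the independent record. In practice the same logic is run over the identity provider's token-issuance audit events and the cloud application's sign-in logs, and a token carrying an MFA claim with no issuance behind it is the strongest single signal.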
