The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has published a website with resources concerning the recent activities of the advanced persistent threat (APT) group responsible for the breach of the SolarWinds Orion software supply chain.
The group behind the attack gained access to the networks of federal, state, and local governments, private sector organizations and critical infrastructure entities worldwide. Aside from compromising the software update mechanism of SolarWinds Orion, the attackers also exploited weaknesses in frequently used authentication mechanisms to obtain persistent network access.
Microsoft noted that the attackers’ main aim appears to be obtaining persistent local network access by deploying the Sunburst/Solarigate backdoor and then exploiting the victims’ web assets. It was recently discovered that more than one threat group is conducting cyber espionage through this channel, after another malware variant was found to have been delivered by means of the SolarWinds Orion program update feature. Microsoft and Palo Alto Networks believe that this second malware variant, known as Supernova, is not related to the group that deployed the Sunburst/Solarigate backdoor.
Several resources are already available to help organizations assess their risk from this cyber activity, identify and stop potential breaches, and evict the threat actors from their networks. The new webpage collects this information in one place and provides easy access to relevant facts about this global event. The website will be updated consistently as new information emerges from the ongoing investigations.
The APT actor has breached the networks of a large number of organizations and is carefully selecting its targets for further exploitation. However, any organization that has installed the compromised software updates can potentially suffer an attack if no corrective action is taken.
It is crucial for all organizations running SolarWinds Orion to take action and check for signs of compromise. If nothing is done, the threat actor can evade removal from compromised networks and continue to pose a risk to affected organizations. CISA also explained that even if users have not installed the compromised SolarWinds Orion update, that does not mean they are unaffected: their managed service providers and partners could have been compromised, which could give the APT actor access to their networks.
The website links to a free tool that CISA released for detecting unusual and potentially malicious activity in Azure/Microsoft Office 365 accounts. The new tool focuses on activity associated with identity- and authentication-based attacks observed across a wide range of sectors following deployment of the Sunburst/Solarigate backdoor.
The tool, known as Sparrow, can be used to query large data sets of investigation modules and telemetry in order to surface data specific to the attacks on federated identity sources and applications.