Cybersecurity company CrowdStrike, one of the companies directly investigating the SolarWinds supply chain attack, said today that it has identified a third type of malware directly related to the recent hacking campaign.
Named Sunspot, this discovery adds to the previously discovered Sunburst (Solorigate) and Teardrop malware strains.
However, although Sunspot is the latest discovery related to the SolarWinds hackers, CrowdStrike said that the malware was actually the first one used in the attack.
Sunspot malware runs on SolarWinds’ build server
In a report released today, CrowdStrike stated that Sunspot was deployed in September 2019, when the hackers first compromised SolarWinds’ internal network.
The Sunspot malware was installed on the SolarWinds build server, a type of software used by developers to assemble smaller components into larger software applications.
CrowdStrike said that Sunspot had a single purpose: to monitor the build server for build commands that assemble Orion (SolarWinds’ top product), an IT resource monitoring platform used by more than 33,000 customers worldwide.
Once a build command was detected, the malware silently replaced source code files in the Orion application with files laced with the Sunburst malware, so that the resulting Orion build also installed Sunburst.
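The build-time swap described above is why a build server should verify its source tree against a trusted manifest right before compiling. The following is an added example, not code from CrowdStrike, SolarWinds or this article: it hashes a checkout, compares it with a manifest taken from a trusted copy, and reports missing, modified or unexpected files. File names, extensions and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

SOURCE_EXTS = (".cs", ".cpp", ".h")  # assumed set of source extensions to track

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> Dict[str, str]:
    """Hash every source file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(SOURCE_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def verify_tree(root: str, expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the live tree with a trusted manifest; return (path, problem)."""
    actual = build_manifest(root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "modified"))
    problems += [(rel, "unexpected") for rel in actual if rel not in expected]
    return sorted(problems)

def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: snapshot a two-file tree, alter one file, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(src)
        for name, body in (("Core.cs", "class Core {}\n"), ("Util.cs", "class Util {}\n")):
            with open(os.path.join(src, name), "w") as f:
                f.write(body)
        expected = build_manifest(root)  # in practice: taken from the trusted checkout
        with open(os.path.join(src, "Core.cs"), "w") as f:  # one file altered pre-compile
            f.write("class Core { /* altered */ }\n")
        return verify_tree(root, expected)  # -> [("src/Core.cs", "modified")]
```

The manifest must come from outside the build host (for example, computed from the version-control commit being built), otherwise an implant on the same machine could rewrite it as well.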
Timeline of SolarWinds supply chain attacks
These trojanized Orion versions eventually made their way onto SolarWinds’ official update server and were installed on the networks of many of the company’s customers.
Once this happened, the Sunburst malware activated inside the internal networks of companies and government agencies, where it collected data about the victim and sent the information back to the SolarWinds hackers (see this Symantec report on how the data was sent back via DNS requests).
The threat actor would then decide whether a victim was important enough to compromise further and deploy the more powerful Teardrop backdoor trojan on those systems, while instructing Sunburst to remove itself from networks deemed insignificant or too high-risk.
The discovery of a third malware strain in the SolarWinds attack is one of three major updates about the incident that were made public today.
In a separate announcement published on its blog, SolarWinds also released a timeline of the hack. The Texas-based software provider said that before deploying the Sunburst malware to users between March 2020 and June 2020, the hackers also performed a test run between September 2019 and November 2019.
SolarWinds CEO Sudhakar Ramakrishna said in an assessment published today: “The subsequent October 2019 version of the Orion Platform release appears to have contained modifications designed to test the perpetrators’ ability to insert code into our builds.” The assessment accompanies the CrowdStrike report.
Code overlaps with Turla malware
Last but not least, security firm Kaspersky also published its findings in a separate report today.
Kaspersky is not part of the formal investigation into the SolarWinds attack, but it has still been analyzing the malware. The company stated that it examined the source code of the Sunburst malware and found code overlap between Sunburst and Kazuar, a strain of malware linked to Turla, a Russian state-sponsored cyber-espionage group and one of the most advanced.
Kaspersky was very careful in its language today to point out that it only found “code overlap”, and that it does not necessarily believe that Turla orchestrated the SolarWinds attack.
The security firm said this code overlap could be the result of the SolarWinds hackers using the same coding ideas, buying malware from the same coder, a coder moving between different threat actors, or simply a false-flag operation designed to lead security companies down the wrong path.
However, while the security firm avoided attributing the attack, US government officials last week officially attributed the SolarWinds hack to Russia, saying the hackers “likely originated in Russia.”
The US government statement did not attribute the hack to a specific group. Some news outlets have pinned the attack on a group known as APT29 (or “Cozy Bear”), but all the security companies and researchers involved in investigating the hack have expressed caution and have been very hesitant to attribute it this early in the investigation.
Currently, the SolarWinds hackers are tracked under different names, such as UNC2452 (FireEye, Microsoft), DarkHalo (Volexity) and StellarParticle (CrowdStrike), but the name is expected to change once these companies learn more.
For now, one mystery remains: how the SolarWinds hackers first managed to breach the company’s network and install the Sunspot malware. Was it an unpatched VPN, a spear-phishing email, or a server exposed online with a guessable password?