New analysis uncovers extensive SolarWinds attack infrastructure
Researchers believe the discovery will highlight new SolarWinds attack victims
Cybersecurity researchers who have been tracking the infrastructure footprint of the SolarWinds threat actors claim the network of servers used in the attack is "significantly larger than previously identified".
Back in December 2020, a massive cyber-espionage effort was discovered that tainted the software supply chain via a rigged update to SolarWinds software. Pinned on state-sponsored Russian hackers, the hack was found to have affected nine federal agencies, in addition to many private-sector companies.
There have been several congressional hearings regarding the SolarWinds hack, and the incident also led to sanctions on several Russian cybersecurity companies. However, no one has been able to determine the true extent of the hack, in part because tracing the steps of the threat actors has been quite challenging.
“The threat actor, identified by the U.S. government as APT29 but tracked in the private industry as UNC2452, took great pains to avoid creating the type of patterns that make tracing them easy,” said RiskIQ's intelligence analysis team in a new report.
More targets?
According to its analysis, RiskIQ has identified an additional 18 command and control (C&C) servers that communicated with the malicious payloads that were dropped as part of the cyberattack.
In the report, RiskIQ said the attack had several stages. In the first stage, the threat actors dropped the Sunburst backdoor, which was designed to identify, avoid, and disable different antivirus and endpoint detection and response (EDR) products.
The second and third stages are said to have included custom droppers (now referred to as Teardrop and Raindrop) together with additional malware and a tainted version of the Cobalt Strike pentesting tool.
RiskIQ identified the new C&C servers while analyzing the second stage of the attack. The team picked up modified Cobalt Strike beacons and then correlated them with the SSL certificates used by the SolarWinds hackers to identify the extra servers, which “will likely lead to newly identified targets".
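The certificate correlation described above, as an added Python example that is not RiskIQ's code or taken from its report: starting from hosts already tied to the modified beacons, it pivots through shared TLS certificate fingerprints in passive observation data to surface further hosts, while skipping certificates reused by many unrelated hosts (a hosting or CDN default) so the pivot does not drag in false positives. All host names and fingerprints are constructed placeholders, not real indicators.

```python
from collections import defaultdict
from typing import Iterable, List, Set, Tuple

# Constructed passive TLS observations: (host, SHA-256 certificate fingerprint).
# Every host and fingerprint here is made up for illustration; none are real.
OBSERVATIONS: List[Tuple[str, str]] = [
    ("beacon-a.example", "CERT_1"),
    ("beacon-b.example", "CERT_1"),
    ("beacon-b.example", "CERT_2"),
    ("unknown-c.example", "CERT_2"),
    ("unknown-d.example", "CERT_2"),
    ("unknown-d.example", "CERT_3"),
    ("unknown-e.example", "CERT_3"),
    # CERT_SHARED models a certificate reused across many unrelated hosts
    # (e.g. a provider default); a pivot on it would link the wrong servers.
    ("beacon-a.example", "CERT_SHARED"),
    ("cdn-1.example", "CERT_SHARED"),
    ("cdn-2.example", "CERT_SHARED"),
    ("cdn-3.example", "CERT_SHARED"),
]


def build_indexes(obs: Iterable[Tuple[str, str]]):
    """Index observations both ways: host -> certs and cert -> hosts."""
    host_to_certs, cert_to_hosts = defaultdict(set), defaultdict(set)
    for host, fp in obs:
        host_to_certs[host].add(fp)
        cert_to_hosts[fp].add(host)
    return host_to_certs, cert_to_hosts


def pivot_on_certificates(seed_hosts: Iterable[str], obs, max_hosts_per_cert: int = 3,
                          max_hops: int = 2) -> Tuple[Set[str], Set[str]]:
    """Breadth-first expansion host -> cert -> host, at most max_hops rounds.
    Certificates seen on more than max_hosts_per_cert hosts are not used as
    pivots. Returns (newly discovered hosts, certificates that linked them)."""
    host_to_certs, cert_to_hosts = build_indexes(obs)
    seeds = set(seed_hosts)
    known, frontier, pivot_certs = set(seeds), set(seeds), set()
    for _ in range(max_hops):
        new_hosts: Set[str] = set()
        for host in frontier:
            for fp in host_to_certs.get(host, ()):
                hosts = cert_to_hosts[fp]
                if len(hosts) > max_hosts_per_cert:
                    continue  # too widely shared to be attributable
                pivot_certs.add(fp)
                new_hosts |= hosts - known
        if not new_hosts:
            break
        known |= new_hosts
        frontier = new_hosts
    return known - seeds, pivot_certs
```

Each newly surfaced host is a lead for analyst review, not a confirmed indicator; the hop limit and the shared-certificate cutoff keep the expansion from running across unrelated infrastructure.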
The cybersecurity company also notes that it has already notified the US Computer Emergency Readiness Team (US-CERT) of its findings.
Via ZDNet
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.