Season’s Good News! SentinelOne Detection Inhibits SolarWinds Orion Hackers…

It’s true! After a nasty breach at FireEye, and within less than a week of the company’s alert that Russian hackers had compromised its Red Team penetration-testing tools, FireEye identified the source as an earlier breach at SolarWinds, where hackers took over and infected the SolarWinds Orion update process. (SolarWinds Orion is used mainly by IT professionals to monitor corporate and government networks.)

CEO Kevin Thompson was forthcoming with this statement:

“We are aware of a potential vulnerability which, if present, is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products. We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”

The victims are reported to include the U.S. Commerce and Treasury Departments, the Department of Homeland Security (DHS), the National Institutes of Health, and the State Department … all of whom utilize SolarWinds Orion business software to monitor critical data.

What actually happened? “Russian hackers weaponized SolarWinds Orion business software updates in order to distribute malware called SUNBURST. From there, they attacked multiple government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East” according to FireEye.

Many in the industry, ourselves included, concluded after FireEye’s initial announcement that the hackers were going after high-value targets (Government!) only, but now that the breach details are becoming known across the board there is verifiable concern that hackers will attack additional, smaller companies whose backdoor can be activated and thus compromised. Additionally, the jury is out as to what else may need to be done to detect and further mitigate the damage the SUNBURST backdoor will cause. Let’s admit it: this breach is complicated. Anyone who has infected SolarWinds files had best be on high alert, and hold onto their proverbial “backdoor” with both hands!

Some good news: cybersecurity giant SentinelOne recently shed light on the entire SolarWinds breach with news that the malware would only activate after it made sure the host wasn’t running certain tools that could detect it, one of which is SentinelOne. The hackers unveiled their malware from the onset with horns pulled in, keeping far from the watchful eye of cybersecurity partners like DG365. Data-Guard 365’s proprietary software, platform, and cybersecurity package run those ‘certain tools’ which can detect the SUNBURST malware, among others. Extremely good news for any and all businesses whose vendor partner is DG365.

Here is how the cybercriminals get away with your data and operations, as observed and reported by SentinelOne:

“… After a 12-day dormant period, SUNBURST’s malicious code looks for processes, services, and drivers:

List of processes: includes mostly monitoring tools like Sysinternals and researchers’ tools. If those are present, SUNBURST exits and does not run.

List of services: includes security products that have weak anti-tamper measures. SUNBURST goes to the registry and tries to disable them. The backdoor may have bypassed these products, or at least tried to. (SentinelOne is not on this list because its anti-tamper capability protects from such attempts, without any special configuration needed.)

List of drivers: the third list is shorter and includes a list of drivers, among them SentinelOne. When SUNBURST sees the drivers, it exits like a scared rabbit before initiating any C2 communication or enabling additional payload.

If this blacklist check is passed, only then is the backdoor code initiated. The first testing action the backdoor code takes is to call out to C2 to receive instructions/commands that will be parsed and passed to the job engine. This C2 callout is to a URL, generated at runtime by the malware’s DGA, which will end up being a subdomain of avsvmcloud[.]com. We have observed that no endpoints monitored by SentinelOne are calling out to any subdomain of *.avsvmcloud[.]com …”
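The quoted passage gives defenders one concrete, stable indicator: whatever label the DGA produces on the left, the callout always lands under avsvmcloud[.]com. The script below is an added example (not code from the original post, from SentinelOne, or from Data-Guard 365) that scans DNS query logs for any query to that apex domain or a label beneath it. The log format is a constructed, simplified "timestamp client qname qtype" line rather than any particular resolver's format, and the sample lines and subdomain labels are constructed for the example.

```python
"""
Added example: flag DNS queries for any subdomain of the SUNBURST C2 domain
named in the quoted SentinelOne text, avsvmcloud[.]com (written de-fanged
there). The log layout and every sample line below are constructed for this
example; they do not come from a real resolver or a real incident.
"""
import re
from typing import List, Tuple

# The C2 apex domain quoted in the post (de-fanged there as avsvmcloud[.]com).
C2_APEX = "avsvmcloud.com"

# Constructed sample lines: timestamp, client IP, queried name, record type.
# Lines 2 and 3 should be flagged; lines 4 and 5 are near-misses that a
# naive substring match would wrongly catch.
SAMPLE_DNS_LOG = """\
2020-12-14T09:01:02Z 10.0.0.21 www.example.com A
2020-12-14T09:01:05Z 10.0.0.33 abc123xyz.avsvmcloud.com A
2020-12-14T09:01:07Z 10.0.0.33 AVSVMCLOUD.COM. A
2020-12-14T09:01:09Z 10.0.0.40 notavsvmcloud.com A
2020-12-14T09:01:11Z 10.0.0.40 avsvmcloud.com.evil-lookalike.example A
"""

# One log record: four whitespace-separated fields.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_qname(qname: str) -> str:
    """Lower-case the name and drop the trailing dot so matching is exact."""
    return qname.rstrip(".").lower()


def is_c2_domain(qname: str, apex: str = C2_APEX) -> bool:
    """True if qname is the apex itself or any label beneath it.

    Matching on a label boundary (a leading dot) avoids false positives on
    names that merely end in the same characters, such as notavsvmcloud.com,
    and on look-alikes that embed the apex in the middle of a longer name.
    """
    name = normalize_qname(qname)
    return name == apex or name.endswith("." + apex)


def scan_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query that hits the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing the scan
        ts, client, qname, _qtype = m.groups()
        if is_c2_domain(qname):
            hits.append((ts, client, normalize_qname(qname)))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {qname}")
```

Because the DGA varies only the left-most label, matching on the apex rather than on any specific generated name is the robust check; the two near-miss lines show why the match must respect a label boundary. A hit from an internal client would be the signal SentinelOne says it did not see on its monitored endpoints.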

Don’t lose sleep over the breaches you read about. Secure a cybersecurity partner and let them do what they are experts at, together with educating and alerting your internal IT staff, so none of you are left long-faced with liabilities you cannot overcome. Beating cybercriminals is actually easy with a qualified, solid security partner!

Get a FREE Cyber Health Check

Data-Guard 365 is an MSSP firm headquartered in Indianapolis, Indiana, with offices in Chicago, Atlanta, and other strategic locations across the globe. The company is a one-of-a-kind business partner whose people, processes, and technology provide armored cybersecurity for a price point that pays for itself. www.Data-Guard365.com / (317) 967-6767 / info@data-guard365.com

Christopher Zvirbulis
Chief Commercial Officer, Partner