Mandiant analyzes new tools from groups linked to the attack on SolarWinds

A group of Russian government-backed hackers linked to the SolarWinds attack has developed new malware that has been used in attacks against companies and governments in North America and Europe. These attacks were carried out as part of a campaign to covertly compromise networks, steal information, and lay the groundwork for future intrusions.


The attacks also involve the compromise of multiple cloud and managed service providers, as part of a campaign designed to give the hackers access to those providers’ downstream customers through software supply chain attacks.

This large campaign was detailed by cybersecurity researchers at Mandiant, who linked it to two hacking groups tracked as UNC3004 and UNC2652.

Mandiant associates these groups with UNC2452, which Microsoft tracks as Nobelium, a group that works on behalf of Russia’s Foreign Intelligence Service and is behind the cyber attack on SolarWinds.

However, while each of these groups operates out of Russia and appears to share similar goals, the researchers cannot say with certainty that they all belong to the same unit.

“Although it is plausible that this is the same group, Mandiant does not currently have enough evidence to determine with certainty that it is in fact the same group,” the report said.

Ceeloader, the common denominator

The newly detailed campaigns include the use of a custom-developed malware loader that the researchers dubbed Ceeloader.

Written in the C programming language, this malware decrypts shellcode payloads and executes them in memory on the victim’s Windows machine, enabling the delivery of further malware. Ceeloader evades detection by padding its code with large blocks of junk code that hinder anti-virus software from identifying the malicious logic.

“An obfuscation tool was used to hide the Ceeloader code between large blocks of junk code containing meaningless Windows API calls. Meaningful Windows API calls are hidden in wrapper functions that decrypt the API name and resolve it dynamically before calling it,” the report says.

It is not clear how Ceeloader is distributed, but it provides a stealthy foothold for further malicious activity.

Other tactics used by the attackers include abusing the Cobalt Strike penetration testing tool to plant a backdoor on the compromised system. This can be used to execute commands and transfer files, as well as to deploy a keylogger that can be used to steal usernames and passwords.

In addition to deploying malware, the attackers compromised targets through cloud services.

Like other Russia-related campaigns, these attacks also target Remote Desktop Protocol (RDP) login credentials.

Victimology and modus operandi

Regardless of how a network was compromised, the targeted organizations appear to align with the targets of previous campaigns attributed to the Russian state.

“We have seen this malicious actor ultimately targeting government entities, advisory organizations, and NGOs in North America and Europe that have direct data of interest to the Russian government. In some cases, they have first compromised technology solutions and services companies and resellers in North America and Europe that have access to the targets that ultimately matter to them,” Douglas Bienstock, Mandiant’s head of consulting, told .

For the attackers, targeting cloud service providers through the new and existing methods of compromise detailed in the report remains one of the key ways to compromise a wide range of organizations. Compromising the provider gives them a path into its customers’ systems.

Incidents such as the attack on SolarWinds attributed to the Russian state, as well as cybercriminal activity such as the compromise of Kaseya and the ransomware attacks that followed, have demonstrated the power of this approach in hacking campaigns. This is why cloud computing providers and their services remain an important target.

“By compromising the environment of a single cloud service provider, the malicious actor can gain access to the networks of multiple organizations that are of interest to them and that are customers of that provider. In this way, the actor can focus its efforts on a small number of organizations and then reap great rewards,” said Bienstock.

Mandiant researchers say they are aware of a few dozen organizations affected by the campaigns in 2021 and that, where the attackers compromised them, steps have been taken to notify them.
