Solarwinds Orion Security Breach正在以快速的步伐展开,供应商和受害者的数量继续增长。每天都会带来新的启示,即它的覆盖范围和深度。特别关注的是对政府系统的感染率和影响。
如果您错过了它,则在Solarwinds Orion IT监控和管理软件中找到了一个后门。一个名为solarwinds.orion.core.businesslayer.dll的动态链接库,发现orion软件框架的Solarwinds签名组件,包含一个后台,通过HTTP传送到第三方服务器。
After an initial dormant period of up to two weeks, the Trojan retrieves and executes commands, called jobs, that include the ability to transfer files, execute files, profile the system, reboot, and disable system services. In short, a total takeover of the machine.
The malware hides its network traffic in the Orion Improvement Program (OIP) protocol and stores its ill-gotten data within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity.
Solarwinds表示,它的30万名300,000名客户下载了木马,但这仍然是18,000太多。据报道,受害者包括世界各地的咨询,技术,电信和石油和天然气公司以及美国政府机构,如国防,库房和商务部。
The latest victim is Cisco Systems, which found the Orion Trojan on internal systems. "Following the SolarWinds attack announcement, Cisco Security immediately began our established incident-response processes," the company said in a statement.
"We have isolated and removed Orion installations from a small number of lab environments and employee endpoints. At this time, there is no known impact to Cisco products, services, or to any customer data."
Fireeye和Microsoft是第一个识别缺陷之中的,而且由于Solarwinds的广泛使用,更多的安全专家正在挖掘它。
One thing is for certain, the final shoe has not dropped yet. Here's a roundup of what has emerged in the last few days.
Killswitch Found
FireEye first documented the Trojan on December 13 in a详细的写作恶意软件,说“猎户座”软件可以哈ve been compromised as far back as March 2020. FireEye told the security site KrebsOnSecurity that it found a domain that has since been seized by Microsoft and has been reconfigured to act as a killswitch to prevent the malware from continuing to operate in some circumstances.
"SUNBURST is the malware that was distributed through SolarWinds software. As part of FireEye's analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate," the company said in a statement sent to me.
Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.
“这款杀戮地区将通过禁用仍然致信到AVSVMCLOUD [。] COM的森伯斯特部署来影响新的和以前的森伯斯特感染。然而,在侵入Fireeye的情况下,这位演员迅速移动,建立额外的持久机制,以便超越受害者网络森伯斯特后卫。这个杀戮地带不会从受害者网络中删除他们建立其他后门的受害者网络。然而,对于演员来利用先前分布式的森伯斯特版本,这将使这将使它更加困难,“它补充道。
Second Group Found
微软announced第二个黑客集团部署了影响猎户座软件的恶意代码,但是这位研究人员作为超新星知名的恶意软件与原始木马不同,因为它似乎并未涉及供应链的妥协,微软表示。
虽然俄罗斯黑客被怀疑落后于第一个Orion软件特洛伊木马,但微软不确定谁在第二次妥协后面。“[t]对整个Solarwinds的调查妥协导致了发现额外的恶意软件,这些恶意软件也影响了Solarwinds Orion产品,但已被确定与这种妥协和由不同的威胁演员使用的折衷主义,”Microsoft研究团队“星期五在博客岗位上说。
该公司指出,Microsoft Defender防病毒,Windows 10上的默认抗动软件解决方案,检测和阻止恶意DLL及其行为。即使进程正在运行,它也会隔离恶意软件。
他们三年前警告了
根据an article published Monday by Bloomberg。IAN Thornton-Trump在2017年回到了三个Solarwinds高管的23页,敦促他们安装一个网络安全高级董事,因为他认为这篇文章说,他认为重大违规是不可避免的。
Thornton-Trump told Bloomberg he resigned from SolarWinds a month after his presentation because he claimed the company wasn't interested in making the changes he had suggested to improve cybersecurity. "My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack," Thornton-Trump said.
内幕trading?
华盛顿邮政报道上周,在侵扰揭示前的日子之前,Solarwinds的顶级投资者在股票上售出数百万美元。过去几天,SolarWinds的股价下降了20%以上。该职位在美国证券交易委员会(SEC)上引用了以前执法官员(SEC),称销售可能会提示内部交易调查。
私募股权公司银湖和Thoma Bravo拥有四分之三的优秀Solarwinds股票,售价1300万美元,价值2.86亿美元,仅需一周,在披露供应链脆弱性之前。该股在下午16点以16.12美元关闭。根据该职位,11月,外出的Solarwinds首席执行官Kevin Thompson还销售了超过1500万份股票。
“在12月7日进入单一机构投资者的私募之前,在Solarwinds之前,Thoma Bravo和Silver Lake并不了解这座潜在的网络攻击,”公司在向职位的联合声明中表示。