

Update on 2:40 PM PST: Information on Supernova added.

Update on 4:56 PM PST: Trend Micro's Zero-Day Initiative (ZDI) provided technical analysis of recently patched vulnerabilities in the SolarWinds Orion Platform. These vulnerabilities, when combined, could allow an unauthenticated attacker to execute arbitrary code as Administrator on an affected system. CVE-2020-14005, one of these vulnerabilities, has been linked to the recent SUNBURST cyberattack on SolarWinds.

Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain. This was carried out via a compromised version of a network monitoring application called SolarWinds Orion. The attackers used the access provided by this application to plant a backdoor known as Sunburst onto affected machines. This backdoor provided the attacker with complete access to the targeted organization's network.

Sunburst is a sophisticated backdoor that provides an attacker nearly complete control over an affected system. It has several peculiarities in its behavior, however.

Before it runs, it checks that the process name hash and a registry key have been set to specific values. It will also only run if the execution time is twelve or more days after the system was first infected, and only on systems that have been joined to a domain. This specific set of circumstances makes analysis by researchers more difficult, but it also limits the scope of its victims to some degree.

It connects back to its command-and-control server via various domains, which take the following format:

The subdomain is one of the following strings:

Once in a system, it can both gather information about the affected system and execute various commands. This gathered information is used either to generate a user ID for the affected machine, or to check against blocklists: if certain drivers, processes, or services are found on the machine, the backdoor will cease to function. The commands that can be executed include:

Registry operations (read, write, and delete registry keys/entries).
File operations (read, write, and delete files).

Supernova, one of the malicious components associated with the attack, is a .NET web shell backdoor that presents itself as a legitimate SolarWinds web service handler. It is a second-stage payload in the attack. Once running, it inspects and responds to HTTP requests with appropriate HTTP query strings, cookies, and HTML form values. It can also execute web shell commands via a specific HTTP request format.

It is believed that Sunburst was delivered via a trojanized version of the Orion network monitoring application. According to SEC filings by SolarWinds, threat actors inserted the malicious code into otherwise legitimate code, which means anyone who downloaded the software was potentially at risk.
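The activation conditions described above are what make a fresh sandbox run of Sunburst come back empty. The following added example (not code from the original article, from SolarWinds or from Trend Micro) models those documented preconditions from the analyst's side: given what a sample would observe on an analysis VM, it reports which gates would keep the sample dormant, so the analyst knows what the environment must satisfy before dynamic analysis is meaningful. The expected process-name hash, the registry value and the blocklist entries are not given on the page, so the values below are placeholders and constructed examples, not the real ones.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Activation preconditions as the article describes them. The expected
# process-name hash, the registry value and the blocklist contents are not
# given on the page; the values below are placeholders / constructed examples.
MIN_DORMANCY_DAYS = 12
EXPECTED_PROCESS_HASH = "PLACEHOLDER_PROCESS_NAME_HASH"   # placeholder, not the real value
EXPECTED_REGISTRY_VALUE = "PLACEHOLDER_REGISTRY_VALUE"     # placeholder, not the real value
BLOCKLISTED_PROCESSES = {"analysis-tool.exe", "debugger.exe"}  # constructed
BLOCKLISTED_DRIVERS = {"sandbox-monitor.sys"}                  # constructed
BLOCKLISTED_SERVICES = {"example-av-service"}                  # constructed


@dataclass
class AnalysisEnvironment:
    """What the sample would observe on the machine it lands on."""
    process_name_hash: str
    registry_value: str
    first_infected: datetime
    now: datetime
    domain_joined: bool
    running_processes: set = field(default_factory=set)
    loaded_drivers: set = field(default_factory=set)
    services: set = field(default_factory=set)


def unmet_activation_conditions(env: AnalysisEnvironment) -> list:
    """Names of the documented preconditions this environment fails.

    An empty list means every gate passes and the sample would proceed;
    each entry is one reason it would stay dormant or stop running."""
    unmet = []
    if env.process_name_hash != EXPECTED_PROCESS_HASH:
        unmet.append("process_name_hash")
    if env.registry_value != EXPECTED_REGISTRY_VALUE:
        unmet.append("registry_key")
    # Twelve or more days must have passed since first infection.
    if env.now - env.first_infected < timedelta(days=MIN_DORMANCY_DAYS):
        unmet.append("dormancy_period")
    if not env.domain_joined:
        unmet.append("domain_joined")
    # Blocklisted drivers, processes or services make the backdoor cease to function.
    if env.running_processes & BLOCKLISTED_PROCESSES:
        unmet.append("blocklisted_process")
    if env.loaded_drivers & BLOCKLISTED_DRIVERS:
        unmet.append("blocklisted_driver")
    if env.services & BLOCKLISTED_SERVICES:
        unmet.append("blocklisted_service")
    return unmet


def would_activate(env: AnalysisEnvironment) -> bool:
    return not unmet_activation_conditions(env)


def sandbox(days_since_infection=0, domain_joined=False, processes=(), drivers=(), services=()):
    """Constructed analysis VM that already satisfies the hash and registry gates."""
    t0 = datetime(2020, 12, 1)  # constructed reference time
    return AnalysisEnvironment(
        process_name_hash=EXPECTED_PROCESS_HASH,
        registry_value=EXPECTED_REGISTRY_VALUE,
        first_infected=t0,
        now=t0 + timedelta(days=days_since_infection),
        domain_joined=domain_joined,
        running_processes=set(processes),
        loaded_drivers=set(drivers),
        services=set(services),
    )


if __name__ == "__main__":
    fresh = sandbox()
    print("fresh sandbox, unmet gates:", unmet_activation_conditions(fresh))
    aged = sandbox(days_since_infection=12, domain_joined=True)
    print("clock advanced 12 days and domain-joined, activates:", would_activate(aged))
    watched = sandbox(days_since_infection=30, domain_joined=True, processes=["debugger.exe"])
    print("blocklisted tool running, unmet gates:", unmet_activation_conditions(watched))
```

Running it shows why a default sandbox observes nothing: a day-zero, workgroup VM fails two gates at once, and even an aged, domain-joined VM is silenced by a single blocklisted process, driver or service. For an analyst the practical reading is that the clock, the domain membership and the tooling visible to the sample all have to be arranged before the behaviour described in this article can be observed.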
