Microsoft published a new report that includes additional details of the SolarWinds supply chain attack. The new analysis shad lights on the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.
The attackers focused on separate these two components of the attack chain as much as possible to evade detection.
The known information on the attacks confirms that the Solorigate DLL backdoor was compiled at the end of February 2020 and distributed to the potential victims in late March. Then attackers removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020.
Considering that the Solorigate backdoor was designed to stay dormant for at least two weeks, the analysis of the timeline suggests that attackers spent approximately a month selecting the victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. This means that the “hands-on-keyboard activity” likely started as early as May.
“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2).” states the report published by Microsoft.
Microsoft experts analyzed forensic data across the entire environment of impacted organizations to discover how the attackers made lateral movements and how long they remaining within their target networks.
The experts conducted a deep analysis of data collected by Microsoft 365 Defender data and Microsoft Defender telemetry.
While investigating the attack, Microsoft identified several second-stage malware and tools, including TEARDROP, Raindrop, and also other custom loaders for the Cobalt Strike beacon.
“TEARDROP, Raindrop, and the other custom Cobalt Strike Beacon loaders observed during the Solorigate investigation are likely generated using custom Artifact Kit templates.” continues the report. “Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader. Reflective DLL loading is a technique for loading a DLL into a process memory without using the Windows loader.”
Microsoft added that additional attacker tactics, anti-forensic behavior, and operational security allowed them to avoid detection and outstand for operations security (OpSec) best practices.
Below a list of some examples of why threat actors stand out for their professional OpSec methodology and anti-forensic behavior:
Some examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are listed below:
“As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.” concludes Microsoft.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, SolarWinds)