Microsoft explained how hackers evaded detection in the SolarWinds attack

Posted by Tomcat (Professional)
Microsoft has shared details of its investigation into how the attackers behind the SolarWinds supply-chain compromise managed to remain undetected inside victim networks.

The report was prepared by experts from Microsoft 365 Defender, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Cyber Defense Operations Center (CDOC).

The new details concern the second phase of the Solorigate intrusion, the stage that followed the Solorigate backdoor DLL (Sunburst), in which the attackers deployed Cobalt Strike loaders (Teardrop, Raindrop and others) and moved to hands-on-keyboard activity.

The attackers followed careful operational security (OpSec) practices to minimize their footprint and stay out of sight, the experts found.

Some examples of the attackers' evasion tactics:

methodically avoiding shared indicators by deploying a uniquely built Cobalt Strike DLL implant on each compromised host, so that an indicator found on one machine does not reveal the others;

camouflage by renaming their tools and binaries to match files and programs already present on the compromised host;

disabling event logging with AUDITPOL before hands-on-keyboard activity and re-enabling it afterwards;

creating firewall rules that minimized outbound packets for certain protocols before running network enumeration, then deleting those rules afterwards;

disabling security services on target hosts, timestomping to alter artifact timestamps, and using cleanup routines and tools to hinder discovery of the malicious DLLs in affected environments.
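As an added example (this is not code from Microsoft's report or from the original post), the following Python script turns two of the tactics above into detection logic run over constructed, normalised Windows Security-log records: an AUDITPOL disable followed by a re-enable on the same host, and a firewall rule that is created and deleted again within minutes. The record layout, host names, rule names and command lines are assumptions made for the example; the event IDs (4688 process creation, 4946 firewall rule added, 4948 firewall rule deleted) are the real Windows Security IDs.

```python
"""Added detection example for two Solorigate-style evasion patterns.
All sample records are constructed; field names are an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Event IDs are the real
# Windows Security IDs: 4688 = process creation, 4946 = firewall rule added,
# 4948 = firewall rule deleted.
SAMPLE_EVENTS = [
    {"ts": "2020-05-04T09:10:02", "host": "WS01", "event_id": 4688,
     "command_line": 'auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable'},
    {"ts": "2020-05-04T09:10:40", "host": "WS01", "event_id": 4946,
     "rule_name": "Block outbound UDP 137-139"},
    {"ts": "2020-05-04T09:11:05", "host": "WS01", "event_id": 4688,
     "command_line": "net.exe view /domain"},          # constructed enumeration step
    {"ts": "2020-05-04T09:14:30", "host": "WS01", "event_id": 4948,
     "rule_name": "Block outbound UDP 137-139"},
    {"ts": "2020-05-04T09:16:00", "host": "WS01", "event_id": 4688,
     "command_line": 'auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable'},
    # Benign noise on another host: a long-lived rule and a read-only auditpol query.
    {"ts": "2020-05-04T10:00:00", "host": "SRV02", "event_id": 4946,
     "rule_name": "Allow backup agent"},
    {"ts": "2020-05-04T10:05:00", "host": "SRV02", "event_id": 4688,
     "command_line": "auditpol.exe /get /category:*"},
]

# "/set ... :disable" or "/clear" turns auditing off; "/set ... :enable" turns it back on.
# A mixed command line (enable one, disable another) is treated as a disable.
AUDITPOL_DISABLE = re.compile(r"auditpol(\.exe)?\s+(/set\b.*:disable|/clear\b)", re.I)
AUDITPOL_ENABLE = re.compile(r"auditpol(\.exe)?\s+/set\b.*:enable", re.I)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def find_audit_gaps(events, max_window=timedelta(hours=4)):
    """Per host, pair an auditpol disable with the next re-enable and report the
    window plus how many other records fell inside it. In production those
    in-between records must come from a sensor the audit policy does not
    silence (EDR, Sysmon); the Security log itself goes quiet in the gap, and
    that silence is the signal even when the count is zero."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        open_gap = None  # [start time, records seen since the disable]
        for e in evs:
            cmd = e.get("command_line", "")
            is_proc = e["event_id"] == 4688
            if is_proc and AUDITPOL_DISABLE.search(cmd):
                open_gap = [_ts(e), 0]
            elif is_proc and AUDITPOL_ENABLE.search(cmd) and open_gap:
                start, seen = open_gap
                end = _ts(e)
                if end - start <= max_window:
                    alerts.append({"host": host, "start": start, "end": end,
                                   "other_events": seen})
                open_gap = None
            elif open_gap:
                open_gap[1] += 1
    return alerts


def find_transient_firewall_rules(events, max_window=timedelta(hours=2)):
    """Pair 4946 (rule added) with a later 4948 (same rule name deleted) on the
    same host; a rule that lives only minutes around enumeration is suspicious."""
    pending = {}  # (host, rule name) -> time added
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] not in (4946, 4948):
            continue
        key = (e["host"], e["rule_name"])
        if e["event_id"] == 4946:
            pending[key] = _ts(e)
        elif key in pending:
            lifetime = _ts(e) - pending.pop(key)
            if lifetime <= max_window:
                alerts.append({"host": e["host"], "rule": e["rule_name"],
                               "lifetime_seconds": int(lifetime.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in find_audit_gaps(SAMPLE_EVENTS):
        print(f"[audit gap] {a['host']}: logging off {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S}, "
              f"{a['other_events']} records inside the gap")
    for a in find_transient_firewall_rules(SAMPLE_EVENTS):
        print(f"[transient fw rule] {a['host']}: '{a['rule']}' lived {a['lifetime_seconds']}s")
```

On the constructed input this flags one audit gap on WS01 (just under six minutes, three records inside it) and one short-lived firewall rule; the long-lived rule and the read-only auditpol query on SRV02 produce nothing. In a real deployment, corroborate the gap with Security event 4719 (system audit policy was changed) and 1102 (audit log cleared), and feed the in-gap activity from EDR or Sysmon rather than the Security log that the attacker has just switched off.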


In addition, Microsoft provides a list of the most interesting and unusual tactics, techniques and procedures (TTPs) used in these attacks.

The company also said it is "actively working with MITRE to ensure that any novel technique arising from this incident is documented in future updates to the ATT&CK framework."

A detailed timeline of these attacks shows that the Solorigate backdoor DLL was deployed into the SolarWinds build in February 2020 and reached the compromised networks in late March.

[image: Solorigate attack timeline]


After this stage, the attackers prepared the Cobalt Strike implants and had selected their targets by early May.

[image: attack timeline, continued]


The removal of the backdoor and the compromised code from SolarWinds binaries in June may indicate that by then the attackers had reached enough targets and their interest had shifted from deploying and activating the backdoor (Stage 1) to operating inside the selected victim networks.

Earlier, after auditing its Office 365 and Azure infrastructure, Microsoft confirmed that the attackers had gained access to the company's internal network and server resources and had been able to view part of the source code of some products.

Microsoft was among the victims of the attack in which hackers compromised software maker SolarWinds. The incident, carried out through a malicious update to SolarWinds' software, affected the computer systems of several US government agencies as well as thousands of companies around the world.
 