This week, Microsoft shared details on the tactics, techniques and procedures (TPPs) that were utilized by the hackers involved with the SolarWinds situation, which enabled them to remain undetected. This is arguably one of the most sophisticated attacks to occur in recent (IT) history.
It remains uncertain as to who the specific group was that caused the breach, but evidence mostly suggests that the perpetrators originate from Russia.
Key things to note about the “trojanized” attack:
- Methodic avoidance of shared indicators for each compromised host by deploying custom Cobalt Strike DLL implants on each system
- Camouflaging malicious tools and binaries to mimic existing files and programs already present on the compromised machine
- Disabling event logging using AUDITPOL before hands-on keyboard activity and enabling it back once complete
- Creating special firewall rules to minimize outgoing packets for certain protocols before running noisy network enumeration activities that were later removed after the network survey
- Executing lateral movement activities only after disabling security services on targeted hosts
- Allegedly using timestamping to change artifacts’ timestamps and leveraging wiping procedures and tools to prevent discovery of malicious DLL implants
How to prevent an attack like this? Zero Trust Mentality
To protect against an attack like this, especially in the future, companies must adopt a Zero Trust Mentality. Users should only have access to what they should be able to access, and nothing more. Having proper permissions will help prevent an abundance of problems. To learn more about the Zero Trust Model, click here.
Information reported by TheHackerNews
Michael is an Information Technology consultant, with a focus on cybersecurity. Every day, Michael strives to learn something new, with an aim to share it with you all!
