Mandiant: SolarWinds Attackers Continue to Innovate


Suspected Russian Group Hitting Cloud, Managed Service Providers

Russian state hackers are using new stealth tactics. (Picture: Pixabay)

A suspected Russian group blamed for the SolarWinds compromise in 2020 is continuing to innovate and has been infiltrating technology services and resellers, according to a new report from Mandiant.


Mandiant says the group, which it calls UNC2452 and Microsoft calls Nobelium, practices “top-notch operational security and advanced tradecraft.” Mandiant says the group is “one of the toughest actors we have encountered” (see: Nobelium Makes Russia Leader in Cyberattacks).

“However, they are fallible, and we continue to uncover their activity and learn from their mistakes,” Mandiant says in a report released Monday. “Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.”

The U.S. government has connected the group to Russia’s foreign intelligence service. Mandiant says it has been seeing clusters of activity likely related to UNC2452 that are targeting multiple cloud solution providers and managed service providers. To gain initial access to organizations, the attackers are using credentials likely obtained from an information-stealer malware campaign run by a third-party actor.

“We have seen this threat actor ultimately target government entities, consulting organizations and NGOs in North America and Europe who directly have data of interest to the Russian government,” says Douglas Bienstock, manager, consulting at Mandiant.

Bienstock says that the adversaries in some cases first compromised technology solutions, services and reseller companies in North America and Europe that have access to targets that are of interest to them.

The researchers discovered that post-compromise activities by these groups included the theft of data relevant to Russian interests. They also used the stolen data to create new routes to access other victim environments.

“The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” according to Mandiant’s report.

Custom-Made Malware

Researchers identified a Cobalt Strike Beacon – a backdoor written in C/C++ that is part of the Cobalt Strike framework – that supports backdoor commands, such as shell command execution, file transfer, file execution and file management.

Beacon is also capable of capturing keystrokes and screenshots as well as acting as a proxy server.

“Beacon may also be tasked with harvesting system credentials, port scanning and enumerating systems on a network. Beacon communicates with a command and control server via HTTP(S) or DNS,” the researchers write.

A second tool, a custom-developed malware dubbed Ceeloader and written in the C programming language, supports shellcode payloads that are executed in memory.

“An obfuscation tool has been used to hide the code in Ceeloader in between large blocks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden within obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling,” the researchers say.

How the malware is distributed is still unknown.

Intrusion Activities

The researchers observed multiple instances in which threat actors compromised service providers and used privileged access and credentials belonging to these providers to compromise further downstream customers.

In one instance observed by Mandiant researchers, a threat actor compromised a local VPN account and used it to perform reconnaissance and gain access to internal resources within the victim cloud service provider’s environment. This led to the compromise of internal domain accounts.

In another campaign, Mandiant observed the threat actors gaining access to the victim organization’s Microsoft 365 environment using a stolen session token.

The researchers assess with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. The tokens were used via public VPN providers to authenticate to the target’s Microsoft 365 environment.
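The sign-in pattern described above, a stolen Microsoft 365 session token replayed from a public VPN provider, is detectable from tenant sign-in logs without any knowledge of the malware. The following is an added example, not code from Mandiant or from the report: it looks for a session identifier that is reused from a different network (ASN) shortly after its original sign-in, and for successful sign-ins whose egress ASN is on a list of known public VPN providers. The record field names, the ASN list and the sample sign-ins are constructed to resemble Azure AD sign-in data and are assumptions, not real data.

```python
"""Detect replay of a stolen Microsoft 365 session token (added example).

A session token presented from a second network shortly after the
legitimate sign-in is a strong replay indicator, and a successful sign-in
from a known public VPN egress ASN is worth review on its own. Field names
and sample records are constructed assumptions resembling Azure AD
sign-in logs; the ASNs are documentation-range values, not real providers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: ASNs treated as public VPN / anonymizer egress.
VPN_ASNS = {"AS64500", "AS64501"}

# Constructed sign-in records: timestamp, user, session id, source IP, ASN.
# sess-a1 is used from the corporate ASN, then 39 minutes later from a VPN ASN.
SAMPLE_SIGNINS = [
    {"ts": "2021-12-06T08:02:11Z", "user": "j.doe@example.org",
     "session_id": "sess-a1", "ip": "203.0.113.10", "asn": "AS64496", "result": "success"},
    {"ts": "2021-12-06T08:41:53Z", "user": "j.doe@example.org",
     "session_id": "sess-a1", "ip": "198.51.100.77", "asn": "AS64500", "result": "success"},
    {"ts": "2021-12-06T09:15:00Z", "user": "a.lee@example.org",
     "session_id": "sess-b2", "ip": "203.0.113.25", "asn": "AS64496", "result": "success"},
    {"ts": "2021-12-06T17:30:00Z", "user": "a.lee@example.org",
     "session_id": "sess-b2", "ip": "203.0.113.26", "asn": "AS64496", "result": "success"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(signins, window=timedelta(hours=24)):
    """Return alerts for (a) a session id reused from a different ASN within
    `window` of its first successful sign-in and (b) any successful sign-in
    whose ASN is on the public VPN list."""
    by_session = defaultdict(list)
    for rec in signins:
        if rec["result"] == "success":
            by_session[rec["session_id"]].append(rec)

    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda r: parse_ts(r["ts"]))
        first = events[0]
        for ev in events[1:]:
            moved = ev["asn"] != first["asn"]
            recent = parse_ts(ev["ts"]) - parse_ts(first["ts"]) <= window
            if moved and recent:
                alerts.append({"type": "session_asn_change", "user": ev["user"],
                               "session_id": sid, "from_asn": first["asn"],
                               "to_asn": ev["asn"], "ip": ev["ip"]})

    for rec in signins:
        if rec["result"] == "success" and rec["asn"] in VPN_ASNS:
            alerts.append({"type": "vpn_egress", "user": rec["user"],
                           "session_id": rec["session_id"], "ip": rec["ip"],
                           "asn": rec["asn"]})
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_SIGNINS):
        print(alert)
```

The same session id legitimately moving between IPs inside one ASN (the a.lee records) produces no alert, which keeps the rule quiet for users roaming within their ISP; the window keeps a token that is still valid days later from being matched against a stale first sign-in.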

Mandiant researchers say that they found evidence that the actors used Remote Desktop Protocol to pivot between systems that had limited internet access and used several devices to execute native Windows commands.

Operational Security

There is evidence of the threat actors compromising several accounts in one environment, using some of them for reconnaissance while reserving others for lateral movement within the organization, Mandiant reports.

“Mandiant identified attempts to compromise multiple accounts within an environment and kept use of each account separated by function. This reduced the likelihood that detecting one activity could expose the entire scope of the intrusion,” the researchers write.

The researchers previously reported that the threat actors applied strict operational security, reserving a specific account or set of systems in a victim environment for higher-risk activities, such as data theft and large-scale reconnaissance.

Once they enter an environment, the threat actors pivot to on-premises servers and crawl through them for technical documentation and credentials. Mandiant says that helps them to identify a route to gain access to their ultimate target’s network.

“This reconnaissance shows that the threat actor had a clear end goal in mind and was able to identify and exploit an opportunity to obtain required intelligence to further their goals,” the researchers say.

The Mandiant researchers also observed the threat actors avoiding detection by deleting system logs within the victim’s environment. The threat actors also disabled Sysinternals Sysmon and Splunk forwarders on victim machines that they accessed via Microsoft Remote Desktop.
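The log deletion and the stopping of Sysmon and Splunk forwarders described above leave their own trail in the Windows event logs, which is what a detection should key on. The following is an added example, not code from Mandiant or the report: it classifies Windows events using the standard IDs for these actions (Security 1102 audit log cleared, System 104 event log cleared, System 7036 service state change, System 7040 service start-type change, and Sysmon event 4 for its own service state change) and summarises hits per host. The service names and the sample events are constructed assumptions; the regular expression should be adjusted to the service names used in your installation.

```python
"""Flag defense-evasion events: log clearing and monitoring services stopped.

Added example, not Mandiant's code. Event IDs are the standard Windows
ones; MONITORED_SERVICES and SAMPLE_EVENTS are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed default service names for Sysmon and the Splunk universal forwarder.
MONITORED_SERVICES = re.compile(r"^(sysmon(64)?|splunkforwarder)$", re.IGNORECASE)

# Constructed events in the shape a log collector might emit. FS01 shows the
# sequence from the report; WS07 shows benign service activity for contrast.
SAMPLE_EVENTS = [
    {"ts": "2021-12-06T10:01:00Z", "host": "FS01", "channel": "Security",
     "event_id": 1102, "user": "CORP\\svc_backup"},
    {"ts": "2021-12-06T10:01:30Z", "host": "FS01", "channel": "System",
     "event_id": 7036, "service": "Sysmon64", "state": "stopped"},
    {"ts": "2021-12-06T10:01:31Z", "host": "FS01",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 4, "state": "Stopped"},
    {"ts": "2021-12-06T10:02:00Z", "host": "FS01", "channel": "System",
     "event_id": 7040, "service": "SplunkForwarder", "start_type": "disabled"},
    {"ts": "2021-12-06T10:05:00Z", "host": "WS07", "channel": "System",
     "event_id": 7036, "service": "Spooler", "state": "stopped"},
    {"ts": "2021-12-06T10:06:00Z", "host": "WS07", "channel": "System",
     "event_id": 7036, "service": "Sysmon64", "state": "running"},
]


def classify(ev):
    """Return an alert label for one event, or None if it is not of interest."""
    channel, eid = ev["channel"], ev["event_id"]
    service = ev.get("service", "")
    if channel == "Security" and eid == 1102:
        return "audit_log_cleared"
    if channel == "System" and eid == 104:
        return "event_log_cleared"
    if channel == "System" and eid == 7036 and MONITORED_SERVICES.match(service) \
            and ev.get("state", "").lower() == "stopped":
        return "monitoring_service_stopped"
    if channel == "System" and eid == 7040 and MONITORED_SERVICES.match(service) \
            and ev.get("start_type", "").lower() == "disabled":
        return "monitoring_service_disabled"
    if channel.endswith("Sysmon/Operational") and eid == 4 \
            and ev.get("state", "").lower() == "stopped":
        return "sysmon_stopped"
    return None


def find_evasion(events):
    """Return one alert per matching event, preserving input order."""
    alerts = []
    for ev in events:
        label = classify(ev)
        if label:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "alert": label})
    return alerts


def summarize_by_host(alerts):
    """Map each host to the sorted set of distinct evasion actions seen on it;
    several distinct actions on one host in a short span is the strong signal."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["alert"])
    return {host: sorted(labels) for host, labels in per_host.items()}


if __name__ == "__main__":
    hits = find_evasion(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize_by_host(hits))
```

A cleared Security log still records event 1102 as its first entry, and a stopped Sysmon still writes event 4 on the way down, so the host itself keeps the evidence even if forwarding has been cut; the practical requirement is that these events reach a collector the intruder cannot reach over the same RDP session.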

Mandiant also saw the threat actors use residential IP address ranges to authenticate to victim environments. That way, the source logon IP address belongs to a major internet service provider that serves customers in the same country as the victim environment, and it is less likely to raise suspicion.

The researchers also say they identified the threat actors hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress. In multiple campaigns, researchers witnessed the use of Tor, virtual private servers (VPS) and public virtual private networks (VPNs) to access victim environments.
