SolarWinds breach

The SUNBURST malware attacks against SolarWinds have heightened companies’ concerns about the risk to their digital environments. For a high-level explanation of the SolarWinds hack, watch our video below.

Malware installed during software updates in March 2020 has allowed advanced attackers to gain unauthorized access to files that may include customer data and intellectual property.

Darktrace does not use SolarWinds, and its operations remain unaffected by this breach. However, SolarWinds is an IT discovery tool that is used by a significant number of Darktrace customers. In what follows, we explore a set of Darktrace detections that highlight and alert security teams to the types of behaviors related to this breach. These are not taken from an actual SolarWinds compromise, but are examples of the anomalous behaviors we can expect to see from this type of breach.

As Darktrace detects device activity patterns rather than known malicious signatures, detecting use of these techniques falls within the scope of Darktrace’s capabilities without further configuration. These examples stress the value of self-learning Cyber AI capable of understanding the evolving normal ‘patterns of life’ within an enterprise, as opposed to a signature-based approach that looks at historical data to predict today’s threat. The technology automatically clusters devices into ‘peer groups’, allowing it to detect cases of an individual device behaving unusually.

A number of these models may fire in combination with other models in order to make a strong detection over a time series, and this is exactly where Darktrace’s autonomous incident triage capability, Cyber AI Analyst, plays a crucial role in investigating the alerts on behalf of security teams. Cyber AI Analyst saves critical time for security teams, and its results should be treated with high priority during this period of vigilance. Using a self-learning approach is the best possible mechanism to catch an attacker who gains access to your systems with enough stealth to avoid triggering signature-based detection.

We want to focus on the most sophisticated details of the hands-on intrusion that in many cases followed the initial automated attack. This post-exploitation part of the attack is much more varied and stealthy. These stages are also near-impossible to predict, as they are driven by the attacker’s intentions and goals for each individual victim, which makes the use of signatures, threat intelligence or static use cases virtually useless at this point. While the automated initial malware execution is a critical step to understand, that behavior was pre-configured in the malware and included the download of further payloads and connections to domain-generation-algorithm (DGA) based subdomains of avsvmcloud.com.

These automated first stages of the attack have been researched in depth by the community. This post is not aiming to add anything to those findings, but instead takes a look at the potential post-infection activities.

The threat actor set the hostnames on their later-stage command and control (C2) infrastructure to match a legitimate hostname found within the victim’s environment. This allowed the adversary to blend into the environment, avoid suspicion, and evade detection. They further used C2 servers in geopolitical proximity to their victims, circumventing static geo-based trust lists. Darktrace is unaffected by this type of tradecraft as it does not have implicit, pre-defined trust of any geo-locations. This activity would be very likely to trigger the following Darktrace Cyber AI models. The models were not specifically designed to detect SolarWinds modifications but have been in place for years; they are designed to detect the subtle but significant attacker activities occurring within an organization’s network.

- Compromise / Agent Beacon to New Endpoint
- Compromise / SSL Beaconing to New Endpoint
- Compromise / HTTP Beaconing to New Endpoint*

*The implant uses SSL, but may be identified as HTTP if using a proxy.

Lateral movement using different credentials

Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access.
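The two network-side behaviors this post singles out, a device beaconing at a regular interval to an endpoint it has never contacted before, and C2 infrastructure whose hostname matches a legitimate internal name while resolving to an address outside the organization, can be checked with plain per-device baselining. The following Python is an added illustration written for this page; it is not Darktrace's model logic or code. The log format, the internal address range `10.0.0.0/8`, the internal hostnames, the learning cut-off date and the thresholds (`min_connections`, `max_jitter`) are all assumptions, and the sample log is constructed.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed internal address space and internal DNS names (hypothetical values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_HOSTNAMES = {"files.corp.example", "mail.corp.example"}
# Events before this date are used to learn each device's normal endpoints.
LEARNING_END = datetime(2020, 12, 8)

# Constructed sample log: timestamp,device,proto,server_name,dst_ip
# ws-01 starts a ~10 minute beacon to "files.corp.example", an internal-looking
# name that resolves to an external address; everything else is ordinary.
SAMPLE_LOG = """\
2020-12-01T09:00:00,ws-01,ssl,updates.vendor.example,198.51.100.5
2020-12-02T09:00:00,ws-01,ssl,updates.vendor.example,198.51.100.5
2020-12-03T10:15:00,ws-01,ssl,www.example.org,198.51.100.20
2020-12-04T09:00:00,ws-02,ssl,updates.vendor.example,198.51.100.5
2020-12-10T08:00:00,ws-01,ssl,files.corp.example,203.0.113.10
2020-12-10T08:10:00,ws-01,ssl,files.corp.example,203.0.113.10
2020-12-10T08:19:50,ws-01,ssl,files.corp.example,203.0.113.10
2020-12-10T08:30:00,ws-01,ssl,files.corp.example,203.0.113.10
2020-12-10T08:40:05,ws-01,ssl,files.corp.example,203.0.113.10
2020-12-10T11:00:00,ws-02,ssl,cdn.news.example,198.51.100.77
2020-12-10T16:42:00,ws-02,ssl,cdn.news.example,198.51.100.77
2020-12-11T09:00:00,ws-02,ssl,updates.vendor.example,198.51.100.5
2020-12-11T09:00:00,ws-03,ssl,files.corp.example,10.1.2.3
"""


def parse_log(text):
    """Parse the constructed CSV format into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, device, proto, server_name, dst_ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "device": device, "proto": proto,
                       "server_name": server_name, "dst_ip": ipaddress.ip_address(dst_ip)})
    return sorted(events, key=lambda e: e["ts"])


def learn_baseline(events, learning_end):
    """Per-device set of endpoints seen during the learning period ('pattern of life')."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < learning_end:
            seen[e["device"]].add(e["server_name"])
    return seen


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_new_endpoint_beacons(events, learning_end, min_connections=4, max_jitter=0.2):
    """Flag devices contacting an endpoint absent from their baseline at a regular interval.

    Regularity is measured as the coefficient of variation of the inter-connection
    gaps; a low value means the connections are evenly spaced, i.e. beacon-like.
    """
    baseline = learn_baseline(events, learning_end)
    by_pair = defaultdict(list)
    for e in events:
        if e["ts"] >= learning_end and e["server_name"] not in baseline[e["device"]]:
            by_pair[(e["device"], e["server_name"], e["proto"])].append(e["ts"])
    alerts = []
    for (device, name, proto), times in by_pair.items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            alerts.append({"model": f"Compromise / {proto.upper()} Beaconing to New Endpoint",
                           "device": device, "endpoint": name,
                           "period_s": round(mean), "jitter": round(jitter, 3)})
    return alerts


def find_hostname_masquerades(events):
    """Flag connections whose server name is an internal hostname but whose address is not internal."""
    flagged = {}
    for e in events:
        if e["server_name"] in INTERNAL_HOSTNAMES and not is_internal(e["dst_ip"]):
            flagged[(e["device"], e["server_name"], str(e["dst_ip"]))] = None
    return [{"device": d, "server_name": n, "dst_ip": ip} for d, n, ip in flagged]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_new_endpoint_beacons(evs, LEARNING_END):
        print(alert)
    for hit in find_hostname_masquerades(evs):
        print("hostname masquerade:", hit)
```

Two design points follow from the post. Neither check consults the geographic location of the destination, so a C2 server placed in the same country as the victim gets no benefit from a static "trusted region" list. And the `proto` field is taken from whatever the sensor saw: behind an explicit proxy a TLS session often appears as an HTTP CONNECT, which is why the same beacon can surface under the HTTP rather than the SSL model name.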
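The lateral-movement observation at the end of the post, that the credentials used to move between hosts were always different from those used for remote access, can be turned into a correlation between remote-access sessions and the network logons that originate from the device each session landed on. The following Python is an added example for this page, not Darktrace's or SolarWinds' code; the event format, the `vpn`/`logon` event kinds, the usernames and hostnames and the 12-hour correlation window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: timestamp,kind,user,source,destination
#   kind=vpn   : a remote-access logon; source is the client IP, destination the device it lands on
#   kind=logon : a network logon from one internal host to another (SMB, RDP, WinRM, ...)
# bob's VPN session on ws-01 is followed by logons to other servers under two
# different accounts; alice's session is followed only by her own logon.
SAMPLE_EVENTS = """\
2020-12-10T08:02:00,vpn,bob,203.0.113.45,ws-01
2020-12-10T08:30:00,logon,svc_backup,ws-01,srv-files
2020-12-10T08:45:00,logon,j.doe,ws-01,srv-db
2020-12-10T09:00:00,vpn,alice,198.51.100.9,ws-07
2020-12-10T09:20:00,logon,alice,ws-07,srv-files
2020-12-11T14:00:00,logon,svc_backup,srv-backup,srv-files
"""


def parse_events(text):
    """Parse the constructed CSV format into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, user, src, dst = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def correlate_lateral_movement(events, window=timedelta(hours=12)):
    """Group network logons that leave a remotely-accessed host under a different credential.

    For every logon, find the most recent remote-access session (within `window`)
    that landed on the logon's source host. If the logon uses a credential other
    than the one that opened the session, attribute it to that session.
    Logons from hosts with no remote-access session in the window are ignored.
    """
    sessions = [e for e in events if e["kind"] == "vpn"]
    alerts = {}
    for e in events:
        if e["kind"] != "logon":
            continue
        candidates = [s for s in sessions
                      if s["dst"] == e["src"] and s["ts"] <= e["ts"] <= s["ts"] + window]
        if not candidates:
            continue
        session = max(candidates, key=lambda s: s["ts"])
        if e["user"] == session["user"]:
            continue  # same credential as the remote access: ordinary activity
        key = (session["user"], session["dst"], session["ts"])
        alert = alerts.setdefault(key, {"remote_user": session["user"], "entry_host": session["dst"],
                                        "session_start": session["ts"].isoformat(),
                                        "lateral_users": set(), "targets": set()})
        alert["lateral_users"].add(e["user"])
        alert["targets"].add(e["dst"])
    return [{**a, "lateral_users": sorted(a["lateral_users"]), "targets": sorted(a["targets"])}
            for a in alerts.values()]


if __name__ == "__main__":
    for alert in correlate_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In a real estate the comparison of usernames needs a mapping between a person's ordinary account and any tiered admin account they legitimately use from the same session, otherwise routine privileged work is flagged alongside the behavior the post describes; the assumption here is that the two credentials are unrelated, which is the case the post reports.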