Microsoft has posted another update on the SolarWinds attack, which infected 18,000 companies last year, including Microsoft’s own network.
This time their post is a deep dive into how the attackers worked to evade detection and spread silently through company networks.
Each Cobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched. This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files.
Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims.
The attackers were not only very diligent but also patient. One of the ways they avoided detection, for example, was to first enumerate the remote processes and services running on the target machine. They then disabled specific security services by editing the registry of the target machine so that those security processes would no longer start automatically. The hackers then waited for the machines to be rebooted during the normal course of events before attacking.
Some elements were mundane but still genius: for example, only attacking systems during business hours, so that normal activity would obscure their own.
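The registry edit described above is a change a defender can catch before the reboot that makes it take effect, because the write itself is logged. The following is an added example, not code from Microsoft’s report or from this post: a small detector that scans registry “value set” records in the shape of Sysmon Event ID 13 and flags any watched security service whose Start value is changed to “manual” or “disabled”. The Start value semantics (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) are standard Windows Service Control Manager behaviour rather than something the article states; the watch list and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Standard meaning of HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Start
# (Windows SCM semantics; assumed here, not taken from the article).
START_VALUES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Start values that stop a service from launching on its own at boot.
NON_AUTOSTART = {3, 4}

# Assumed watch list of security-relevant services, compared case-insensitively.
# A real deployment would populate this from its own AV/EDR/logging stack.
WATCHED_SERVICES = {"windefend", "sense", "sysmon64", "eventlog"}

# Constructed records in the shape of Sysmon Event ID 13 (RegistryEvent, value set).
# These lines are made up for this example and are not from the Microsoft report.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\System\CurrentControlSet\Services\WinDefend\Start Details=DWORD (0x00000004)",
    r"EventID=13 Image=C:\Windows\System32\services.exe TargetObject=HKLM\System\CurrentControlSet\Services\Spooler\Start Details=DWORD (0x00000003)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Services\Sense\Start Details=DWORD (0x00000002)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\System\CurrentControlSet\Services\Sense\ImagePath Details=C:\Program Files\Example\service.exe",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\System\CurrentControlSet\Services\Sysmon64\Start Details=DWORD (0x00000003)",
]

# key=value pairs; values may contain spaces (e.g. "DWORD (0x00000004)"), so the
# lazy match runs until the next " key=" token or end of line.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
_START_KEY_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\Start$", re.IGNORECASE
)
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


@dataclass
class Finding:
    service: str      # service whose autostart was turned off
    new_value: int    # the Start value that was written
    meaning: str      # human-readable meaning of that value
    image: str        # process that performed the write
    raw: str          # the original log line, for the analyst


def parse_fields(line: str) -> dict:
    """Split a single-line record into its key=value fields."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def check_event(line: str) -> Optional[Finding]:
    """Return a Finding if this record turns off autostart for a watched service."""
    fields = parse_fields(line)
    if fields.get("EventID") != "13":          # only registry value-set events
        return None
    key_match = _START_KEY_RE.match(fields.get("TargetObject", ""))
    if not key_match:                          # not a ...\Services\<svc>\Start write
        return None
    service = key_match.group(1)
    if service.lower() not in WATCHED_SERVICES:
        return None
    dword = _DWORD_RE.search(fields.get("Details", ""))
    if not dword:                              # Start should be a DWORD; skip otherwise
        return None
    value = int(dword.group(1), 16)
    if value not in NON_AUTOSTART:             # still boot/system/automatic: benign
        return None
    return Finding(service, value, START_VALUES.get(value, "unknown"),
                   fields.get("Image", "<unknown>"), line)


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Run the check over a stream of records and collect the findings."""
    return [f for f in (check_event(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] {f.service}: Start set to {f.new_value} ({f.meaning}) by {f.image}")
```

On the sample data the detector reports WinDefend (set to disabled) and Sysmon64 (set to manual) and ignores the Spooler change, the Sense write that leaves it automatic, and the non-Start keys. Because the service keeps running until the next reboot, alerting on the write rather than on the missing service is what gives the responder time to act before the attackers’ patient wait pays off.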
“The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary,” Microsoft noted.
Read Microsoft’s full and detailed report, which also includes advice on protecting your network from similar attacks, here.
via The Register