Otto
Advanced
- Joined
- 22.09.20
- Messages
- 104
- Reaction score
- 423
- Points
- 63
As SecurityLab wrote earlier, on December 13, SolarWinds reported that it was the victim of a cyber attack on the supply chain. Hackers funded by a foreign government broke into the networks of an American software manufacturer and implemented a malicious update for its Orion software in order to infect the networks of government and commercial organizations using it.
FireEye specialists gave the cybercrime group the neutral code name UNC2452. Experts from the information security company Volexity, tracking this group as Dark Halo, reported that over the past two years, it has attacked at least three times a certain American analytical center.
In one of the attacks, hackers used a new technique to bypass the multi-factor authentication provided by Duo. After gaining administrator rights on the infected network, the criminals stole a key from a server running Outlook Web App (OWA), which businesses use to authenticate an account for various network services. The hackers then used the key to create a cookie needed to further intercept control of the account.
In the second incident, Dark Halo gained access to the user's email account through the OWA web client, which was protected by multi-factor authentication. The attackers gained access to the Duo integration secret key from the OWA server and learned the pre-calculated value that will be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined that it was valid. This allowed the attacker, knowing the user account and password, to then completely bypass the protection.
The third incident was related to the malicious use of SolarWinds Orion software. In July 2020, Volexity identified suspicious administrative commands and ActiveSync anomalies in the organization's Exchange environment. Further verification of the organization's endpoint software and network traffic confirmed the hack. The attacker executed commands to export email to specific users in the organization, and then output the data through the organization's Outlook Web Anywhere (OWA) server.
Attackers, apparently, are well versed in Exchange. They immediately listed various organization configuration options via PowerShell, and also used the file sqlceip.exe which at first glance may seem like a legitimate version of the SQL Server telemetry client provided by Microsoft. However, the tool was actually a version of adfind, a command-line tool used to query and retrieve data from Active Directory. Hackers stole email data from targeted accounts and created password-protected archives on the victim's OWA server so that they could be deleted with a simple HTTP request.
According to experts, the attackers repeatedly returned to the victim's network after the attacks. Eventually, the attackers were able to "remain undetected for several years."
FireEye specialists gave the cybercrime group the neutral code name UNC2452. Experts from the information security company Volexity, tracking this group as Dark Halo, reported that over the past two years, it has attacked at least three times a certain American analytical center.
In one of the attacks, hackers used a new technique to bypass the multi-factor authentication provided by Duo. After gaining administrator rights on the infected network, the criminals stole a key from a server running Outlook Web App (OWA), which businesses use to authenticate an account for various network services. The hackers then used the key to create a cookie needed to further intercept control of the account.
In the second incident, Dark Halo gained access to the user's email account through the OWA web client, which was protected by multi-factor authentication. The attackers gained access to the Duo integration secret key from the OWA server and learned the pre-calculated value that will be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined that it was valid. This allowed the attacker, knowing the user account and password, to then completely bypass the protection.
The third incident was related to the malicious use of SolarWinds Orion software. In July 2020, Volexity identified suspicious administrative commands and ActiveSync anomalies in the organization's Exchange environment. Further verification of the organization's endpoint software and network traffic confirmed the hack. The attacker executed commands to export email to specific users in the organization, and then output the data through the organization's Outlook Web Anywhere (OWA) server.
Attackers, apparently, are well versed in Exchange. They immediately listed various organization configuration options via PowerShell, and also used the file sqlceip.exe which at first glance may seem like a legitimate version of the SQL Server telemetry client provided by Microsoft. However, the tool was actually a version of adfind, a command-line tool used to query and retrieve data from Active Directory. Hackers stole email data from targeted accounts and created password-protected archives on the victim's OWA server so that they could be deleted with a simple HTTP request.
According to experts, the attackers repeatedly returned to the victim's network after the attacks. Eventually, the attackers were able to "remain undetected for several years."