SolarWinds: NSA & Co. issue vulnerability report and urge patching


The hacker groups behind the serious cyber attacks that exploited vulnerabilities at the software vendor SolarWinds have expanded and refined their tactics, techniques and procedures. They are now also using security holes in Microsoft's Exchange server software that were initially attributed to other attackers. This emerges from a new vulnerability report written jointly by the three US agencies FBI, NSA and CISA (Cybersecurity and Infrastructure Security Agency) and the British National Cyber Security Centre (NCSC), which is part of the GCHQ intelligence agency.

US security authorities had placed the SolarWinds hackers in Russia at an early stage. In the new paper, the authors point to the Russian foreign intelligence service SVR and the cyber actors attributed to it, known as APT29, Cozy Bear and the Dukes. Among other things, these actors are said to be responsible for attacks with the WellMess and WellMail malware on developers of Covid-19 vaccines.

According to the warning, the Russian attackers have expanded their arsenal, beyond the vulnerabilities exploited in the SolarWinds case, so that they can continue to infiltrate networks undetected. The hacker groups have thus reacted to the countermeasures that many organizations took after the warnings of the past few months.

The attackers are now using the open source tool Sliver to maintain persistent access to systems and networks they have already compromised. They also exploit numerous vulnerabilities, including the recently disclosed zero-day flaws in Microsoft Exchange that had initially been linked to China.

Sliver is actually intended for so-called red teams, which use it, in coordination with the organizations and service providers involved, to test network security. According to the report, it is now being abused to consolidate access to systems that had been compromised with WellMess and WellMail. The commercial tool Cobalt Strike is being deployed for the same purpose. After compromising victims via the SolarWinds software, the group also used malware and tools such as GoldFinder and GoldMax as well as the Sibot downloader, the report says.

According to the Western security agencies, the attackers are keen to use a wide range of exploits as soon as they are published. The authors specifically refer to eleven security advisories covering vulnerabilities ranging from CVE-2018-13379 (Fortinet FortiGate) and CVE-2019-19781 (Citrix) to CVE-2021-21972 (VMware vSphere).

More recently, the actors have also specifically scanned for Exchange servers that are vulnerable to CVE-2021-26855, the flaw associated with the Hafnium group, and to related vulnerabilities, the report says. Such activity is usually followed by the use of further exploits and, if successful, the installation of a web shell for remote access to the server. The attacks on mail servers aim to obtain passwords and administrator rights as well as the means to gather further network information and access.
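The chain described above (probing an Exchange front end, then dropping a web shell that is reached over HTTP) leaves a recognisable trace in the web server's access log: a source that first collects error responses and then starts POSTing to an .aspx resource the server never served before. The following detector is an added example written for this article, not code from the report or from any of the agencies; the simplified log format, the hypothetical shell path, the client addresses (from documentation ranges) and the "new .aspx path plus prior probing" heuristic are all assumptions. Real IIS logs use the W3C format and need a matching parser, and a baseline should be learned from a period you have reason to believe is clean.

```python
"""Heuristic web-shell detector for a simplified web-server access log.

Added example, not part of the original article or the advisory it reports on.
Log lines, paths and IP addresses are constructed for demonstration.
"""
import re
from collections import defaultdict

# Constructed, simplified line format: "<date> <time> <client-ip> <method> <uri-path> <status>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed log from a period assumed to be clean: used only to learn which
# .aspx resources the server legitimately serves.
BASELINE_LOG = """\
2021-04-30 07:55:10 203.0.113.10 GET /owa/auth/logon.aspx 200
2021-04-30 07:55:12 203.0.113.10 POST /owa/auth/logon.aspx 302
2021-04-30 07:55:13 203.0.113.10 GET /owa/ 200
"""

# Constructed log for the day under investigation. 198.51.100.7 probes the server,
# then POSTs twice to an .aspx path that never appeared in the baseline (a
# hypothetical uploaded web shell); 203.0.113.10 is ordinary user traffic.
SAMPLE_LOG = """\
2021-05-01 08:00:01 203.0.113.10 GET /owa/auth/logon.aspx 200
2021-05-01 08:00:02 203.0.113.10 GET /owa/ 200
2021-05-01 09:12:44 198.51.100.7 GET /ecp/ 401
2021-05-01 09:12:45 198.51.100.7 POST /ecp/ 404
2021-05-01 09:12:46 198.51.100.7 GET /owa/auth/ 200
2021-05-01 09:13:10 198.51.100.7 POST /owa/auth/current/themes/resources/help.aspx 200
2021-05-01 09:13:12 198.51.100.7 POST /owa/auth/current/themes/resources/help.aspx 200
2021-05-01 10:30:00 203.0.113.10 POST /owa/auth/logon.aspx 302
"""


def parse_log(text):
    """Yield (timestamp, ip, method, lower-cased path, status) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than failing the whole run
        yield (f"{m['date']} {m['time']}", m["ip"], m["method"],
               m["path"].lower(), int(m["status"]))


def learn_baseline(text):
    """Set of .aspx paths successfully served during a period believed to be clean."""
    return {path for _, _, _, path, status in parse_log(text)
            if path.endswith(".aspx") and status < 400}


def find_web_shell_candidates(text, baseline, min_probes=1):
    """Return findings for POSTs to .aspx paths outside the baseline.

    A finding is only reported if the same client had already collected at
    least `min_probes` 4xx/5xx responses beforehand (scanning behaviour).
    """
    probes = defaultdict(int)   # client ip -> error responses seen so far
    findings = {}               # (ip, path) -> finding dict
    for ts, ip, method, path, status in parse_log(text):
        if status >= 400:
            probes[ip] += 1
            continue
        if method == "POST" and path.endswith(".aspx") and path not in baseline:
            key = (ip, path)
            if key not in findings:
                findings[key] = {"ip": ip, "path": path, "first_seen": ts,
                                 "probes_before": probes[ip], "posts": 0}
            findings[key]["posts"] += 1
    return [f for f in findings.values() if f["probes_before"] >= min_probes]


if __name__ == "__main__":
    known_good = learn_baseline(BASELINE_LOG)
    for hit in find_web_shell_candidates(SAMPLE_LOG, known_good):
        print(f"{hit['first_seen']} {hit['ip']} posted {hit['posts']}x to "
              f"{hit['path']} after {hit['probes_before']} probe(s)")
```

On the constructed data the detector reports exactly one candidate: the client that produced two error responses and then POSTed twice to a path absent from the baseline. Raising `min_probes` suppresses clients that never probed; a real deployment would also correlate the flagged path with file-creation events in the web root, since a web shell must exist on disk before it can be reached.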

Despite the sophistication of the attacks, the authors emphasize that the attackers could be kept in check if administrators followed "basic cybersecurity principles". This includes installing security updates promptly, so that at least known security gaps are closed. The guidance also recommends multi-factor authentication to counter password attacks.

The SVR's counterparts in the USA and Great Britain credit it with having developed extensive capabilities for attacking organizations all over the world, in particular in NATO member states and Russia's neighbouring countries. According to the report, the intelligence service uses "a variety of tools and techniques" to target, above all, government, diplomatic, think-tank, healthcare and energy organizations worldwide in order to gather intelligence. US President Joe Biden had imposed sanctions on Russia a month earlier in response to the SolarWinds attacks.