SUPERNOVA Malware
SUPERNOVA is not malicious code embedded within the builds of the Orion® Platform as a supply chain attack. It is malware placed separately on an Orion server, which requires the attacker to already have unauthorized access to the customer's network, and it is designed to look like part of a SolarWinds product. SUPERNOVA consists of two components. The first is a malicious, unsigned webshell DLL, "app_web_logoimagehandler.ashx.b6031896.dll", written specifically to run on the SolarWinds Orion Platform. The second is the exploitation of a vulnerability in the Orion Platform that allowed the malicious code to be deployed. That vulnerability has been resolved in the latest Orion Platform updates.
SUNBURST Malware
SolarWinds was the victim of a cyberattack on its systems that inserted a backdoor (SUNBURST) into the Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. If present and activated, the backdoor could allow an attacker to compromise the server on which the Orion products run. This was a highly sophisticated supply chain attack: a compromise of a standard build or distribution process that yields a tampered product, with the goal of attacking the downstream users of that software. In this case the code appears to have been intended for targeted use, since exploiting it requires manual intervention by the attacker.
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card information. It occurs when an attacker pretends to be a trusted entity to dupe a victim into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the disclosure of sensitive information. Phishing remains one of the most widespread and damaging cyberattacks, and it can lead to financial loss, data loss and reputational damage.
How to Detect Phishing Attacks
Be suspicious of all requests. Ask, "Is this real?" Use the following checklist to check for common signs of phishing messages:
Types of Phishing Techniques
Five key phishing techniques that are commonly employed:
1) Link manipulation: Link manipulation fraudulently directs a user to click a link that leads to a fake website. Common tricks include deceptive sub-domains, hidden URLs, misspelled URLs and IDN homograph attacks.
2) Smishing: Smishing is phishing carried out over SMS, where the attacker tries to trick the victim into giving up private information via a text message.
3) Vishing: Vishing is the telephone version of phishing, or a voice scam. Like email phishing and smishing, vishing is designed to trick victims into sharing personal information such as PINs, credit card security codes, passwords and other personal data. Vishing calls often appear to come from an official source such as a bank or a government organization.
4) Website forgery: Website forgery works by making a malicious website impersonate an authentic one so that visitors give up sensitive information such as account details, passwords and credit card numbers. Web forgery is mainly carried out in two ways: cross-site scripting and website spoofing.
5) Pop-ups: Besides being intrusive, pop-up messages are one of the easiest ways to conduct phishing scams. They let attackers steal login details by presenting users with pop-up messages that eventually lead them to forged websites.
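The following checker, added here as an illustration and not part of the original page, flags the link-manipulation tricks listed under technique 1 in a URL before anyone clicks it: sub-domain abuse, hidden URLs (text before an "@"), misspelled look-alikes, and IDN homographs whether typed as Unicode or as an xn-- punycode host. The brand domain examplebank.com, the confusables table and the sample URLs are all constructed for the demo; a production version would add a public-suffix list so that the registrable-domain logic holds for co.uk-style TLDs.

```python
"""Link-manipulation checks for a URL before anyone clicks it.

Added example, not from the original page. Against a hypothetical brand
domain (examplebank.com) it flags sub-domain abuse, hidden URLs (userinfo
before '@'), misspelled look-alikes, and IDN homographs, whether typed as
Unicode or as an xn-- punycode host. The sample URLs are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

TRUSTED = "examplebank.com"          # hypothetical brand being impersonated

# Visually confusable characters folded to a canonical form (a small subset
# of Unicode TR39: Cyrillic letters that look like Latin ones, plus digits).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "1": "l", "0": "o",
})

def skeleton(text):
    """Fold look-alike characters and digraphs so 'exarnp1ebank' == 'examplebank'."""
    folded = unicodedata.normalize("NFKD", text)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return folded.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Edit distance, used to catch typo-squats one or two keystrokes away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels; adequate for .com-style TLDs (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(url, trusted=TRUSTED):
    """Return a list of findings; an empty list means no impersonation detected."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return ["no host in URL"]
    if parts.username is not None:
        findings.append(f"hidden URL: text before '@' is ignored, real host is {host}")
    shown = host
    if any(label.startswith("xn--") for label in host.split(".")):
        shown = host.encode("ascii").decode("idna")      # the Unicode form a user may see
        findings.append(f"IDN/punycode host decodes to {shown}")
    elif any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in host")
    reg = registrable_domain(shown)
    if reg == trusted:
        return findings                                    # genuine domain or sub-domain
    if trusted in shown:
        findings.append(f"sub-domain abuse: registrable domain is {reg}, not {trusted}")
    sld, tsld = reg.split(".")[0], trusted.split(".")[0]
    distance = levenshtein(skeleton(sld), skeleton(tsld))
    if distance == 0:
        findings.append(f"look-alike domain {reg}: confusable characters for {trusted}")
    elif distance <= 2:
        findings.append(f"possible misspelling of {trusted}: {reg}")
    return findings

LOOKALIKE_HOST = "ex\u0430mplebank.com"                   # Cyrillic U+0430 in place of Latin 'a'
PUNYCODE_HOST = LOOKALIKE_HOST.encode("idna").decode("ascii")

SAMPLE_URLS = [                                            # constructed test inputs
    "https://login.examplebank.com/account",
    "https://examplebank.com.evil.example/login",
    "https://exarnplebank.com/login",
    "https://examp1ebank.com/login",
    "https://exampelbank.com/login",
    f"https://{PUNYCODE_HOST}/login",
    "https://examplebank.com@evil.example/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        for finding in analyze(url) or ["looks like the genuine domain"]:
            print("   ", finding)
```

Run it as a script to see each sample URL with its findings. Browsers differ in whether they render mixed-script hosts as Unicode or as punycode, so the check treats both forms alike; the edit-distance threshold of 2 is a starting point and should be tuned against real traffic to balance typo-squat catches against false positives on short brand names.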
Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements that, when clicked, download and install unwanted apps with information-gathering features. Pirrit is one of the oldest and most active Mac adware families and is known to change constantly in an attempt to evade detection, so it is unsurprising that it has already begun adapting to Apple's M1 chip.
Similarly, the GoSearch22 adware presents itself as a legitimate Safari browser extension but collects user data and serves a large number of ads, such as banners and pop-ups, some of which link to malicious websites that spread further malware. The adware was signed with an Apple Developer ID in November 2020 to make it look trustworthy; that certificate has since been revoked.
Windows is the most popular desktop operating system, used by more than 75% of desktop users, and it has also become one of the products most targeted by cyberattacks: according to recent findings, more than 80% of detected malware targets Windows. Two updated versions of the LodaRAT malware were discovered targeting Windows users; the attack vector was spam email containing links to malicious applications or documents. The previously reported TrickBot malware also returned in a newer version that uses the Windows Task Scheduler to reload itself, a scheduled-task persistence mechanism worth checking for during triage. Meanwhile, security experts have warned against continuing to use Windows 7, which reached end-of-life on January 14, 2020 and no longer receives security updates, in order to limit the impact of the many attacks on Windows products. Microsoft also advised updating systems to address the critical Zerologon flaw (tracked as CVE-2020-1472), a weakness in the Netlogon protocol that allows an unauthenticated attacker with network access to a Microsoft Active Directory domain controller to take control of it.
In the attacks observed, the threat actor used the Exchange Server vulnerabilities to access on-premises Exchange servers, which gave them access to email accounts and allowed the installation of additional malware to facilitate long-term access to victim environments. The Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.
If your organization runs an Outlook Web Access (OWA) server exposed to the internet, assume it was compromised between 02/26 and 03/03 and check for .aspx files with 8-character names in C:\inetpub\wwwroot\aspnet_client\system_web\. If that search returns a hit, you are now in incident response mode.
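A file-name hunt that covers both the SUPERNOVA DLL named in the SolarWinds advisory above and the 8-character .aspx web shells from the Exchange advice here, written as an added example rather than either vendor's tooling. The rules match names only; the year 2021 is assumed for the 02/26-03/03 window, which the page gives without a year. The demo directory tree is constructed so the script runs anywhere, and every hit is hashed so it can be shared as an indicator.

```python
"""File-name IOC hunt for the SUPERNOVA web shell DLL and the HAFNIUM
8-character .aspx web shells.

Added example, not the vendors' own tooling. It walks a directory tree,
matches file names against the rules, optionally restricts a rule to a
modification-time window, and hashes hits for IOC sharing. The demo tree
is constructed; on a real server point it at the web root from the advisory.
"""
import hashlib
import os
import re
import sys
import tempfile
from collections import namedtuple
from datetime import datetime, timezone

Rule = namedtuple("Rule", "label pattern window")   # window: (start, end) aware datetimes, or None

# Assumption: the advice gives 02/26-03/03 with no year; 2021 is used here. End is exclusive.
HAFNIUM_WINDOW = (datetime(2021, 2, 26, tzinfo=timezone.utc),
                  datetime(2021, 3, 4, tzinfo=timezone.utc))

RULES = [
    Rule("SUPERNOVA web shell DLL",
         re.compile(r"^app_web_logoimagehandler\.ashx\.b6031896\.dll$", re.I), None),
    Rule("HAFNIUM 8-character .aspx web shell",
         re.compile(r"^[A-Za-z0-9]{8}\.aspx$", re.I), HAFNIUM_WINDOW),
]

def sha256_of(path):
    """Hash a file in chunks so large DLLs do not get read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hunt(root, rules):
    """Return sorted (label, path, mtime_iso, sha256) tuples for every rule match under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            for rule in rules:
                if not rule.pattern.match(name):
                    continue
                if rule.window and not (rule.window[0] <= mtime < rule.window[1]):
                    continue
                hits.append((rule.label, path, mtime.isoformat(), sha256_of(path)))
    return sorted(hits)

def build_demo_tree():
    """Constructed sample tree: two planted artefacts among benign-looking files."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_")
    planted = {   # relative path: modification time to stamp on it (UTC), or None for "now"
        "orion/bin/app_web_logoimagehandler.ashx.b6031896.dll": None,
        "orion/bin/legit.dll": None,
        "inetpub/wwwroot/aspnet_client/system_web/a1b2c3d4.aspx": datetime(2021, 3, 1, 12, tzinfo=timezone.utc),
        "inetpub/wwwroot/aspnet_client/system_web/zz9zz9zz.aspx": datetime(2020, 12, 1, tzinfo=timezone.utc),
        "inetpub/wwwroot/aspnet_client/system_web/login.aspx": None,
        "inetpub/wwwroot/aspnet_client/system_web/web.config": None,
    }
    for rel, when in planted.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample, not real content -->\n")
        if when:
            os.utime(path, (when.timestamp(), when.timestamp()))
    return root

def demo():
    """Build the constructed tree, run the rules, return the matched file names."""
    return [os.path.basename(hit[1]) for hit in hunt(build_demo_tree(), RULES)]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for label, path, when, digest in hunt(root, RULES):
        print(f"{label}\n  {path}\n  modified {when}  sha256 {digest}")
```

Point it at the real web root (the Exchange path above, or the Orion web root for the DLL) instead of the demo tree. A name match is only a lead: on Windows, confirm the DLL is unsigned with Get-AuthenticodeSignature, and treat any unexplained .aspx in that Exchange directory as a web shell until proven otherwise, whatever the length of its name. The Exchange check alone is also a one-line PowerShell filter on Get-ChildItem for *.aspx files whose BaseName has length 8.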
The campaign begins with attackers sending victims phishing emails that appear to come from a unified communications system used to streamline corporate communication. The email carries a malicious HTML attachment. Once the victim opens it, they are redirected to a .xyz phishing domain disguised as a legitimate Google reCAPTCHA page in order to build trust. After the reCAPTCHA is "verified", the victim is sent to a fake Microsoft login phishing page. These login pages carry the logos of the companies where the victims work, which shows that the attackers have done their homework and are customizing their phishing landing pages to fit each victim's profile so that the attack appears more legitimate. Once the victim has entered their credentials on the attackers' site, a fake "validation successful" message is displayed to add legitimacy to the campaign.
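The HTML attachment is where an analyst first gets a look at this campaign, so here is an added triage script (not from the original report) that extracts every redirect or submission target an HTML attachment contains and labels each by domain. The attachment text, the .xyz host names and the trusted-domain set are constructed for the demo; only the .xyz TLD comes from the description above.

```python
"""Triage an HTML email attachment for the redirect chain described above.

Added example, not from the original report. It pulls out every place an
HTML file can bounce the reader to another site (meta refresh, location
assignments in inline script, form actions, iframes) and labels each target:
a TLD on the watch list, an external domain, a trusted domain, or a relative
path. The attachment and the trusted-domain set are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPICIOUS_TLDS = {"xyz"}            # from the campaign above; extend from your own telemetry
TRUSTED_DOMAINS = {"example.com"}    # hypothetical: the recipient organisation's own domains

LOCATION_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)

class RedirectExtractor(HTMLParser):
    """Collect (kind, url) for every redirect or submission target in the document."""
    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form-action", a["action"]))
        elif tag == "iframe" and a.get("src"):
            self.targets.append(("iframe", a["src"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:              # HTMLParser hands script bodies to handle_data
            for m in LOCATION_RE.finditer(data):
                self.targets.append(("script-redirect", m.group(1)))

def extract_targets(html):
    parser = RedirectExtractor()
    parser.feed(html)
    parser.close()
    return parser.targets

def assess(targets, trusted=TRUSTED_DOMAINS):
    """Attach a verdict to each target based on its host."""
    report = []
    for kind, url in targets:
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".") if host else []
        if labels and labels[-1] in SUSPICIOUS_TLDS:
            verdict = "suspicious-tld"
        elif not host:
            verdict = "relative"
        elif ".".join(labels[-2:]) in trusted:
            verdict = "trusted"
        else:
            verdict = "external"
        report.append((kind, url, verdict))
    return report

def triage(html, trusted=TRUSTED_DOMAINS):
    return assess(extract_targets(html), trusted)

SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://verify-captcha.xyz/recaptcha?id=1234">
</head><body>
<p>You have a new voice message. If you are not redirected, click below.</p>
<script>setTimeout(function(){ window.location.href = "https://verify-captcha.xyz/recaptcha"; }, 3000);</script>
<form action="https://login-portal-verify.xyz/auth" method="post"><input name="email"></form>
<iframe src="https://www.example.com/logo.png"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url, verdict in triage(SAMPLE_ATTACHMENT):
        print(f"{verdict:15} {kind:16} {url}")
```

This catches plain meta refreshes and literal location assignments, which is what the described campaign relies on. Attackers who base64-encode the target or assemble it by string concatenation will slip past the regex, so an attachment from which nothing is extracted is not cleared by this script; it should go to a sandbox for detonation instead.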