A Swiss cybersecurity firm says it has accessed servers used by a hacking group linked to the SolarWinds breach, uncovering details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers continued their campaign as the month progressed.
PRODAFT (Proactive Defense Against Future Threats) is a cybersecurity and cyber-intelligence company providing solutions to business clients and government institutions.
PRODAFT researchers said they were able to break into the hackers' computer infrastructure and audit evidence of a large campaign between August and March that targeted numerous organizations and government bodies across Europe and the U.S. The goal of the hacking group, named SilverFish by the researchers, was to spy on victims and steal information, according to PRODAFT's report. SilverFish carried out an "extremely sophisticated" cyber-attack on at least 4,720 targets, including government organizations, worldwide IT providers, many banking institutions in the U.S. and EU, major auditing firms, one of the world's leading Covid-19 test kit makers, and aviation and defense companies, according to the report.
SilverFish is focused on network reconnaissance and data exfiltration and uses a variety of software and scripts for both initial and post-exploitation activities. These include readily available tools such as Empire, Cobalt Strike, and Mimikatz, as well as customized rootkits and PowerShell, BAT, and HTA files. PRODAFT says the SilverFish attackers tend to follow specific patterns of behaviour when enumerating domains, including running commands to list domain controllers and trusted domains, and to display stored credentials and admin user accounts.
Scripts are then deployed for post-exploitation reconnaissance and data theft. Compromised legitimate domains are sometimes used to redirect traffic to the C2 server. "The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says.
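The domain-enumeration behaviour described above (listing domain controllers and trusted domains, dumping stored credentials, enumerating admin accounts) is what a defender would look for in process-creation telemetry. The following is an added example of that detection logic, not code from PRODAFT's report: it runs over a handful of constructed, hypothetical process-creation log lines and flags a host where several distinct discovery categories appear within a short window. The specific command lines matched (nltest, cmdkey, net group) are assumptions about how those steps commonly show up in Windows logs; the report excerpt names the behaviours, not the commands.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical hosts, users and times;
# not taken from the report). One line per process launch.
SAMPLE_EVENTS = [
    "2021-03-10T09:14:02 host=FS01 user=CORP\\jdoe cmd=nltest /dclist:corp.local",
    "2021-03-10T09:14:20 host=FS01 user=CORP\\jdoe cmd=nltest /domain_trusts",
    "2021-03-10T09:15:01 host=FS01 user=CORP\\jdoe cmd=cmdkey /list",
    "2021-03-10T09:15:30 host=FS01 user=CORP\\jdoe cmd=net group \"Domain Admins\" /domain",
    "2021-03-10T11:02:11 host=WS22 user=CORP\\asmith cmd=net group \"Domain Admins\" /domain",
    "2021-03-10T11:40:00 host=WS22 user=CORP\\asmith cmd=notepad.exe C:\\notes.txt",
]

# Each discovery category named in the report, mapped to an assumed command pattern.
DISCOVERY_RULES = {
    "domain_controllers": re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I),
    "trusted_domains": re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I),
    "stored_credentials": re.compile(r"\bcmdkey(\.exe)?\s+/list", re.I),
    "admin_accounts": re.compile(
        r"\bnet(1)?(\.exe)?\s+(group|localgroup)\s+\"?(domain admins|administrators)\"?", re.I
    ),
}

# Simple key=value layout of the constructed log lines.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Parse one log line into a dict, or return None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def classify(cmd):
    """Return the set of discovery categories a command line matches (empty if benign)."""
    return {name for name, rx in DISCOVERY_RULES.items() if rx.search(cmd)}


def find_discovery_bursts(lines, window_minutes=10, min_categories=3):
    """Return {host: sorted categories} for every host on which at least
    min_categories distinct discovery categories occur within a sliding window.
    A single 'net group' on its own is common admin noise; several distinct
    enumeration steps close together are the pattern worth alerting on."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cats = classify(ev["cmd"])
        if cats:
            per_host[ev["host"]].append((ev["ts"], cats))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, cats in hits[i:]:
                if ts - start > window:
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, cats in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: discovery burst covering {', '.join(cats)}")
```

In the constructed sample, FS01 runs all four enumeration steps within two minutes and is flagged, while WS22 runs a single admin-group query and is not; tune the window and threshold to the baseline of your own administrators' activity before deploying anything like this.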
"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."