
Newly Discovered 'Tomiris’ Backdoor Linked to SolarWinds Attack Malware


Kaspersky security researchers have unearthed a new backdoor likely designed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack. 

The new malware, dubbed Tomiris, was first identified in June 2021 from samples dating back to February, a month before the “sophisticated second stage backdoor” Sunshuttle was spotted by FireEye and linked to Nobelium. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual. 

"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects,” Kaspersky researchers stated. 

Moscow-headquartered firm Kaspersky identified Tomiris while examining a series of DNS hijacking attacks mounted against multiple government organizations in a CIS member state between December 2020 and January 2021. The hijacks allowed the threat actors to redirect traffic destined for government mail servers to machines under their own control.

Their victims were redirected to webmail login pages that helped hackers steal their email credentials and, in some cases, tricked them into installing a malware update that instead downloaded the Tomiris backdoor. 

“During these times, the authoritative DNS servers for the above zones were switched to attacker-controlled resolvers. Most of these hijackings were relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We don’t know how the threat author was able to achieve this, but we assume that he somehow obtained credentials from the Registrar’s control panel used by the victims,” researchers added. 
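The hijack described above worked by switching a zone's authoritative nameservers (its NS delegation) to attacker-controlled resolvers, often only briefly. One defensive check is to poll the NS set for each zone you own and flag any window in which it drifts from a known-good baseline. The following script is an added example written for this post, not code from Kaspersky or from the original article; the zone names, nameserver names and polled observations are constructed placeholders, and in practice the observations would come from a periodic DNS poller rather than an inline list.

```python
"""Detect NS-delegation drift (a DNS hijack indicator) against a baseline.

Added illustration, not part of the original post. All zone and nameserver
names below are constructed placeholders.
"""
from datetime import datetime

# Known-good delegation for each monitored zone (constructed values).
BASELINE = {
    "mail.example-gov.test": {"ns1.example-gov.test", "ns2.example-gov.test"},
    "www.example-gov.test": {"ns1.example-gov.test", "ns2.example-gov.test"},
}

# Constructed poller output: (ISO timestamp, zone, NS set returned by the
# zone's parent). Models a brief hijack of the mail zone only.
OBSERVATIONS = [
    ("2020-12-10T08:00:00", "mail.example-gov.test",
     {"ns1.example-gov.test", "ns2.example-gov.test"}),
    ("2020-12-10T08:00:00", "www.example-gov.test",
     {"ns1.example-gov.test", "ns2.example-gov.test"}),
    ("2020-12-10T09:00:00", "mail.example-gov.test",
     {"ns.rogue-resolver.test"}),
    ("2020-12-10T10:00:00", "mail.example-gov.test",
     {"ns.rogue-resolver.test"}),
    ("2020-12-10T11:00:00", "mail.example-gov.test",
     {"ns1.example-gov.test", "ns2.example-gov.test"}),
    ("2020-12-10T11:00:00", "www.example-gov.test",
     {"ns1.example-gov.test", "ns2.example-gov.test"}),
]


def find_hijack_windows(observations, baseline):
    """Return one record per contiguous period in which a zone's NS set
    contained nameservers outside its baseline.

    Each record has: zone, start (first bad observation), end (first good
    observation after it, or None if still bad), duration_hours (None if
    ongoing) and the set of unexpected nameservers seen.
    """
    windows = []
    open_windows = {}  # zone -> record for a drift that has not ended yet

    # Process per zone in time order so windows open and close correctly.
    for ts, zone, ns_set in sorted(observations, key=lambda o: (o[1], o[0])):
        expected = baseline.get(zone)
        if expected is None:
            continue  # not a monitored zone
        unexpected = set(ns_set) - expected
        if unexpected:
            rec = open_windows.get(zone)
            if rec is None:
                open_windows[zone] = {
                    "zone": zone, "start": ts, "end": None,
                    "duration_hours": None, "unexpected": set(unexpected),
                }
            else:
                rec["unexpected"] |= unexpected
        else:
            rec = open_windows.pop(zone, None)
            if rec is not None:
                rec["end"] = ts
                delta = datetime.fromisoformat(ts) - datetime.fromisoformat(rec["start"])
                rec["duration_hours"] = delta.total_seconds() / 3600
                windows.append(rec)

    # Drifts still open at the end of the data are reported as ongoing.
    windows.extend(open_windows.values())
    return windows


if __name__ == "__main__":
    for w in find_hijack_windows(OBSERVATIONS, BASELINE):
        print(f"{w['zone']}: NS drift from {w['start']} to {w['end'] or 'ongoing'} "
              f"({w['duration_hours']} h) -> {sorted(w['unexpected'])}")
```

Because the poller asks the parent zone for the delegation rather than the zone's own servers, a switch made at the registrar shows up even when the legitimate servers are untouched; the short duration of the flagged window is itself a useful signal, since the post notes most of these hijacks were brief.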

Multiple similarities between Tomiris and Sunshuttle malware 

Researchers discovered multiple similarities between the Sunshuttle and Tomiris backdoors: both are written in Go, both persist through scheduled tasks, both use the same encoding scheme for C2 communications, and both use automated sleep timers to reduce network noise. On the same network as Tomiris, they also spotted Kazuar, a .NET-based backdoor linked to the Turla group that shares multiple features with the Sunburst malware used in the SolarWinds attack. 

Earlier this year, in March 2021, Microsoft and FireEye described Sunshuttle as Go-based malware that acts as a command-and-control backdoor, establishing an encrypted connection to an attacker-controlled server in order to fetch and execute arbitrary commands on the compromised device and to exfiltrate files from the system to the server. 

Despite this, researchers have not established a conclusive link between the new backdoor and Russia-backed Nobelium state hackers due to the possibility of a false flag attack designed to mislead researchers. 

The revelation comes days after Microsoft released the details of a passive and highly targeted implant dubbed ‘FoggyWeb’ that was employed by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (ADFS) servers.

Sunshuttle, the Latest Strain Allegedly Linked to SolarWinds Hackers


FireEye researchers have discovered a new strain of backdoor malware on the servers of an organization exploited by the SolarWinds hackers. The new strain is identified as ‘Sunshuttle’ and it was uploaded by a U.S.-based entity to a public malware repository in August 2020.

FireEye researchers Lindsay Smith, Jonathan Leathery, and Ben Read believe this new strain is connected to the hackers behind the SolarWinds supply-chain attack. Sunshuttle is a second-stage backdoor written in Go that uses HTTP to communicate with a command-and-control server for data exfiltration and for loading new code. 
Hacking of cybercrime forums ‘Mazafaka and Exploit’

Mysterious threat actors are targeting the popular Russian-language cybercrime forums Mazafaka and Exploit and leaking the stolen data on the dark web. On Tuesday, unknown threat actors dumped thousands of usernames, email addresses, and passwords on the dark web, apparently stolen from Mazafaka. They also leaked a 35-page PDF online that purportedly contains a private encryption key used by the Maza administrators. 

According to cyber intelligence firm Intel 471, “the file comprised more than 3,000 rows, containing the username, partially obfuscated password hashes, email addresses, and other contact details. Initial analysis of the leaked data pointed to its probable authenticity, as at least a portion of the leaked user records correlated with our own data holdings.”

Antivirus Creator John McAfee charged with $13M cryptocurrency fraud 


John McAfee has been charged with securities fraud over a ‘pump-and-dump’ cryptocurrency scheme. Federal prosecutors unsealed a case against McAfee and his executive advisor and bodyguard Jimmy Gale Watson Jr., claiming the pair raked in more than $13 million from the investors they victimized with their fraudulent schemes.

In late 2017 and early 2018, McAfee urged his hundreds of thousands of Twitter followers to invest in a number of obscure cryptocurrencies. Prosecutors say he failed to disclose his own financial stake in those tokens and in some cases outright lied about it. 

“The defendants allegedly used McAfee’s Twitter account to publish messages to his hundreds of thousands of Twitter followers touting various cryptocurrencies through false and misleading statements to conceal their true, self-interested motives,” Manhattan US Attorney Audrey Strauss stated.