Feb 10 2021

US Response to SolarWinds Hack Has Been ‘Disorganized’: Senators

Category: Hacking | DISC @ 2:40 pm

The U.S. government’s response to a massive hack of government and corporate networks has been “disjointed and disorganized,” according to the leaders of the Senate Intelligence Committee, who are urging the Biden administration to appoint someone to lead the effort.

In a letter made public Tuesday, Democrat Sen. Mark Warner of Virginia, who chairs the committee, and Marco Rubio of Florida, the ranking Republican, said that the federal response to what U.S. officials say was a hack by a Russian intelligence agency “has lacked the leadership and coordination warranted by a significant cyber event, and we have little confidence we are on the shortest path to recovery.”

Experts say it may take months to oust the hackers from government networks, and the senators added that the threat the breach continues to pose to the country demands a single leader “who has the authority to coordinate the response, set priorities, and direct resources to where they are needed.”

Read the full story on NBCNews.com


Tags: SolarWinds hack


Feb 04 2021

Another SolarWinds Orion Hack

Category: Hacking | DISC @ 3:14 pm

Tags: backdoors, china, cyberespionage, FBI, Hacking, Russia, SolarWinds hack, supply chain


Jan 31 2021

SIM National Unpacking the Hack

Category: Information Security | DISC @ 8:22 pm

In this SIM DigiRisk Town Hall, a panel of seasoned CIOs share their tips and advice for approaching the SolarWinds hack at your company.

Tags: SolarWinds hack


Dec 21 2020

SUPERNOVA, a backdoor found while investigating SolarWinds hack

Category: Hacking | DISC @ 5:48 pm

While investigating the recent SolarWinds Orion supply-chain attack, security researchers discovered another backdoor, tracked as SUPERNOVA.

The investigation of the SolarWinds Orion supply-chain attack revealed the existence of another backdoor that was likely used by a separate threat actor.

After the initial disclosure of the SolarWinds attack, several teams of researchers mentioned the existence of two second-stage payloads.

Security experts from Symantec, Palo Alto Networks, and Guidepoint reported that threat actors behind the SolarWinds attack were also planting a .NET web shell dubbed Supernova.

Researchers from Palo Alto Networks revealed that the malicious code is a tainted version of the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll” included in the SolarWinds Orion software.

“In the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA, but little detail of its operation has been publicly explored.” reads the analysis published by Palo Alto Networks.

“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request. In other words, the SolarStorm attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.”

Source: SUPERNOVA, a backdoor found while investigating SolarWinds hack
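The Palo Alto analysis quoted above says SUPERNOVA takes a whole .NET program as a request parameter and compiles it in memory, so a defender's best log-side signal is a request to the image handler whose query string looks like C# source. The following is an added detection example (not code from the original post, from Palo Alto Networks, or from SolarWinds); it assumes IIS W3C-format logs, that the compiled DLL name corresponds to a `LogoImageHandler.ashx` endpoint, and uses constructed log lines and a constructed `p=` parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines (not real traffic); query strings are URL-encoded
# as IIS records them. The handler path is an assumption derived from the DLL name.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-12-14 10:01:12 10.0.0.5 GET /Orion/SolarWinds/LogoImageHandler.ashx id=123 443 10.0.0.20 200
2020-12-14 10:02:44 10.0.0.5 GET /Orion/SolarWinds/LogoImageHandler.ashx p=using+System%3B+public+class+Run+%7B+public+static+string+Go%28%29+%7B+return+%22x%22%3B+%7D+%7D 443 203.0.113.7 200
2020-12-14 10:03:01 10.0.0.5 GET /Orion/Login.aspx - 443 10.0.0.21 200
"""

HANDLER = "logoimagehandler.ashx"
# Tokens a legitimate image-handler request never carries, but a C# program
# passed as a parameter would (assumed marker set; extend from your own baseline).
SOURCE_MARKERS = re.compile(
    r"\busing\s+System\b|\bnamespace\s+\w+|\b(public|internal)\s+(static\s+)?class\b"
    r"|System\.Reflection|Assembly\.Load", re.IGNORECASE)
MAX_QUERY_LEN = 256  # Assumed threshold; tune to observed legitimate traffic

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split(" ")))

def suspicious(rec):
    """Return a list of reasons if this record looks like source fed to the handler, else None."""
    if HANDLER not in rec.get("cs-uri-stem", "").lower():
        return None
    query = rec.get("cs-uri-query", "-")
    if query == "-":
        return None
    decoded = unquote_plus(query)
    reasons = []
    if SOURCE_MARKERS.search(decoded):
        reasons.append("dotnet-source-in-query")
    if len(query) > MAX_QUERY_LEN:
        reasons.append("oversized-query")
    return reasons or None

def scan(text):
    """Return (client ip, uri stem, reasons) for each flagged record."""
    hits = []
    for rec in parse_w3c(text):
        reasons = suspicious(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits
```

Because the payload is compiled in memory and leaves no file on disk, this request-level check and a hash comparison of the handler DLL against a known-good build are the two artifacts a defender can still rely on.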



Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor
https://www.youtube.com/watch?v=cMauHTV-lJg




Tags: Backdoor, SolarWinds hack, SUPERNOVA