The most prominent clever techniques used by the SolarWinds hackers in their largest operations

About a year ago, security researchers uncovered one of the worst data breaches in recent history: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of that company's major clients, including nine US federal agencies.

Microsoft called the hackers "Nobelium". They were eventually expelled from the company's networks, but the group never gave up, and it has arguably become more daring and more adept at hacking large numbers of targets in one fell swoop.

A report published on Monday by the security company Mandiant warns of exactly this. It details many of Nobelium's tricks, and some of its mistakes, as the group continues to infiltrate high-value networks.

Abuse of trust

One of the things that has made Nobelium so damaging is its innovation in TTPs, hacker language for the tactics, techniques and procedures involved in an intrusion. Instead of hacking each target one by one, the group broke into the network of SolarWinds, which had a large customer base, and abused the trust those customers placed in the company to push a malicious update to nearly 18,000 of them.

This way the hackers could infiltrate all of these entities at once. It is similar to a thief breaking into a locksmith's building and obtaining a master key that unlocks the doors of every building in the neighborhood, avoiding having to pick each lock individually. Not only was Nobelium's method scalable and effective, it also made it easier to hide its traces, because the customers trusted SolarWinds.

The Mandiant report shows that Nobelium's ingenuity has not waned. Since last year, the company's researchers say, the two hacking groups associated with the SolarWinds breach, one called UNC3004 and the other UNC2652, have continued to devise new ways to hack large numbers of targets effectively.

Golden SAML: like a master vault key that unlocks every service that uses the Security Assertion Markup Language (Getty Images)

Instead of compromising SolarWinds' networks, the groups hit the networks of cloud solution providers and of operational service providers (companies that run servers, perform maintenance and deliver the other technical services needed to operate), known as CSPs: the third-party companies that many large enterprises rely on for a wide range of IT services. The hackers then found clever ways to use these compromised providers to break into their customers.

“This intrusion activity reflects the capabilities of this group that is planning a high-level security threat targeting technical operations,” the Mandiant report said.

And the advanced skills did not stop there. According to Mandiant, other advanced tactics included using credentials stolen by other, financially motivated hackers, who use commodity malware such as Cryptbot, an information stealer that harvests the victim's credentials, browser data and cryptocurrency wallets.

These stolen credentials allowed the hacking groups UNC3004 and UNC2652 to breach targets even when they were not going through a compromised service provider.

Once inside a network, the hacking groups compromised the organization's spam filtering system or other software that processes mail for the whole organization and therefore has access to email or other data from any account in the network. Compromising that single account saved them the hassle of breaking into each account separately.

They have also used clever ways to bypass security restrictions, such as creating virtual machines that act as internal routers for the networks they want to penetrate.

They also gained access to a business's Active Directory hosted in its Azure cloud and used this comprehensive management tool to steal the cryptographic keys that generate authentication tokens, which let them bypass the business's two-factor authentication protection.

This technique gave the hackers what is known as a Golden SAML, which is like a master vault key that unlocks every service that uses the Security Assertion Markup Language, the protocol that makes single sign-on, two-factor authentication and other security mechanisms work.
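The defender's counterpart to the Golden SAML technique described above is correlation: a forged token is presented to a service provider (SP) although the identity provider (IdP) never authenticated that user. The following is an added example, not code from Mandiant or from the original article; the log format, field names, certificate thumbprint and all events are constructed for illustration.

```python
"""Flag SAML tokens that look forged with a stolen signing key by
correlating what the service provider accepted with what the identity
provider actually issued. All data below is constructed sample input;
the field names are an assumption, not any vendor's log schema."""
from datetime import datetime, timedelta

# Thumbprint of the IdP's legitimate token-signing certificate (constructed).
EXPECTED_SIGNING_CERT = "A1B2C3"

# IdP authentication log (constructed): who really signed in, and when.
IDP_AUTH_EVENTS = [
    {"user": "alice", "time": "2021-12-06T09:00:00"},
    {"user": "bob",   "time": "2021-12-06T09:05:00"},
]

# Tokens consumed at the service provider (constructed).
SP_TOKEN_EVENTS = [
    {"user": "alice", "time": "2021-12-06T09:00:04", "cert": "A1B2C3", "lifetime_s": 3600},
    # Never authenticated at the IdP and valid for a year: classic forged-token shape.
    {"user": "admin", "time": "2021-12-06T11:30:00", "cert": "A1B2C3", "lifetime_s": 86400 * 365},
    # Signed by a certificate the IdP does not currently use.
    {"user": "bob",   "time": "2021-12-06T09:05:02", "cert": "DEADBEEF", "lifetime_s": 3600},
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_golden_saml_indicators(sp_events, idp_events, expected_cert=EXPECTED_SIGNING_CERT,
                                window=timedelta(minutes=5), max_lifetime_s=8 * 3600):
    """Return (user, reasons) for every SP token that shows forgery signals.

    Three signals, each weak alone but strong in combination:
      1. No IdP authentication for that user within `window` before the token
         was presented (the IdP never issued it).
      2. Token signed by a certificate other than the IdP's current one.
      3. Token lifetime far beyond what the IdP normally issues.
    """
    findings = []
    for tok in sp_events:
        reasons = []
        presented = parse(tok["time"])
        matched = any(e["user"] == tok["user"]
                      and timedelta(0) <= presented - parse(e["time"]) <= window
                      for e in idp_events)
        if not matched:
            reasons.append("no matching IdP authentication")
        if tok["cert"] != expected_cert:
            reasons.append("unexpected signing certificate")
        if tok["lifetime_s"] > max_lifetime_s:
            reasons.append("abnormal token lifetime")
        if reasons:
            findings.append((tok["user"], reasons))
    return findings
```

In practice the IdP and SP logs come from different systems (for example the federation server and the cloud tenant's sign-in log), so the correlation only works if both are collected centrally and their clocks agree.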
