New SolarWinds hack victims emerging every day, as Malwarebytes goes public on breach
No quick fix to massive hack say security experts as a fourth malware strain is discovered
The spate of cyber attacks launched by suspected Russian hackers through compromised SolarWinds software has no easy fix, and its effects will be felt for years to come, says security company FireEye.
FireEye, which was among the first to spot the hackers when it found them on its own systems in December, said the multi-layered nature of the campaign, involving several different types of malware and a highly disciplined attacker, means that admins will find it very hard to know whether their systems are clean or whether they remain open to further intrusion.
As many as 18,000 organisations, including US government departments and prominent private sector companies, are believed to have installed the trojanised SolarWinds Orion network monitoring software, but many have not yet said whether, or how, they were breached, said FireEye CTO Charles Carmakal.
"This threat actor is so good, so sophisticated, so disciplined, so patient and so elusive that it's just hard for organisations to really understand what the scope and impact of the intrusions are. But I can assure you there are a lot of victims beyond what has been made public to date," he said.
"We continue to learn about new victims almost every day. I still think that we're still in the early days of really understanding the scope of the threat-actor activity."
The threat group, which US intelligence agencies say is likely Russian in origin and which some researchers have linked, through code overlaps with the Kazuar backdoor, to Turla (also known as Venomous Bear), a hacking team associated with Russia's FSB intelligence service and with a long history of espionage, has focused on high-value targets such as government agencies, policy think tanks and technology companies. Yesterday, FireEye released a white paper explaining how to detect, remediate and harden against the techniques the attackers used to move from compromised on-premises networks into Microsoft 365 and Azure Active Directory.
Cyber security firm Malwarebytes says it believes it is one of the same group's victims, although in its case the attackers took a different route: not SolarWinds software, which Malwarebytes does not use, but abuse of a dormant third-party application that had privileged access to its Office 365 and Azure environments.
"We received information from the Microsoft Security Response Center on December 15 about suspicious activity from a third-party application in our Microsoft Office 365 tenant consistent with the tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks," the firm, best known for its anti-virus software, said in a blog, adding: "We would like to thank the security community, particularly FireEye, CrowdStrike, and Microsoft for sharing so many details regarding this attack."
Malwarebytes said its security software was not affected.
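The Malwarebytes intrusion described above, and much of the Microsoft 365 hardening the FireEye paper deals with, comes down to one auditable event: a new key or secret added to an existing application or service principal, which lets the holder authenticate as that app without a user, a password or MFA. The script below is an added example, not code from Malwarebytes, FireEye or Microsoft. It scans Azure AD audit records for credential additions and raises the severity when the target app has been dormant, the pattern Malwarebytes reported. The audit records and sign-in times are constructed; the field names follow the Microsoft Graph directoryAudit resource, and the exact activityDisplayName strings are an assumption to check against your own tenant's export.

```python
"""Flag credential additions to Azure AD apps, ranking dormant targets highest.

Added example (not Malwarebytes', FireEye's or Microsoft's code). Input shape
follows the Microsoft Graph directoryAudit resource; the operation names below
are assumptions to verify against a real tenant export.
"""
import json
from datetime import datetime, timedelta, timezone

# Operations worth alerting on: a new key or secret on an existing app lets whoever
# holds it call the Graph API as that app, bypassing user MFA entirely.
SUSPICIOUS_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Constructed sample audit records (not real tenant data; names are placeholders).
SAMPLE_AUDIT_LOG = json.dumps([
    {
        "activityDateTime": "2020-12-10T03:14:22Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "svc-mailfilter@example.com"}, "app": None},
        "targetResources": [{"displayName": "Legacy Mail Protection", "type": "ServicePrincipal"}],
    },
    {
        "activityDateTime": "2020-12-10T09:30:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}, "app": None},
        "targetResources": [{"displayName": "J. Smith", "type": "User"}],
    },
    {
        "activityDateTime": "2020-12-11T15:02:47Z",
        "activityDisplayName": "Add service principal credentials",
        "initiatedBy": {"user": {"userPrincipalName": "devops@example.com"}, "app": None},
        "targetResources": [{"displayName": "CI Deploy Bot", "type": "ServicePrincipal"}],
    },
])

# Constructed: last successful sign-in per app, as pulled from the sign-in logs.
# A dormant app that suddenly receives a new credential is the Malwarebytes pattern.
SAMPLE_LAST_SIGN_IN = {
    "Legacy Mail Protection": "2020-03-02T11:00:00Z",
    "CI Deploy Bot": "2020-12-10T22:15:00Z",
}


def _parse(ts: str) -> datetime:
    """Parse the Zulu timestamps Azure AD emits into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_credential_additions(audit_json: str, last_sign_in: dict, dormant_days: int = 90) -> list:
    """Return one finding per credential addition; 'high' if the app was dormant."""
    findings = []
    for rec in json.loads(audit_json):
        op = rec.get("activityDisplayName", "")
        if op not in SUSPICIOUS_OPERATIONS:
            continue
        target = rec["targetResources"][0]["displayName"]
        when = _parse(rec["activityDateTime"])
        initiated = rec.get("initiatedBy") or {}
        # The actor may be a user or another app; Graph sets the unused one to null.
        actor = ((initiated.get("user") or {}).get("userPrincipalName")
                 or (initiated.get("app") or {}).get("displayName")
                 or "unknown")
        last = last_sign_in.get(target)
        # No sign-in on record, or none within the window, counts as dormant.
        dormant = last is None or when - _parse(last) > timedelta(days=dormant_days)
        findings.append({
            "time": rec["activityDateTime"],
            "operation": op,
            "target": target,
            "actor": actor,
            "severity": "high" if dormant else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_credential_additions(SAMPLE_AUDIT_LOG, SAMPLE_LAST_SIGN_IN):
        print(finding)
```

In a real tenant the same query is worth running retrospectively over the full audit-log retention window, since the SolarWinds intruders were inside networks for months before detection, and every app that scores "high" should have its credentials listed, unexplained ones removed and the assigned Graph permissions (Mail.Read in the Malwarebytes case) reviewed.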
Underlining the sophistication of the attack, a fourth type of malware dubbed Raindrop was discovered by security vendor Symantec, adding to the list of known strains: Sunspot (the implant that tampered with SolarWinds' build system), Sunburst (the backdoor shipped in the Orion update) and Teardrop.
Raindrop has been seen in the later stages of a compromise in only a few known cases, as an alternative to the more commonly deployed Teardrop, Symantec said. It is similar to Teardrop but differs in important ways, including how it is installed: Teardrop is known to be dropped by the Sunburst backdoor in tainted SolarWinds installations, whereas the exact mechanism by which Raindrop arrives is unclear.
Both late-stage strains are loaders. Their job is to decode and run a Cobalt Strike Beacon payload, which the attackers then use to move laterally and reach further systems inside the victim's network.
"Raindrop is similar to Teardrop in that both pieces of malware act as a loader for Cobalt Strike Beacon [penetration testing software]. Raindrop uses a custom packer to pack Cobalt Strike. This packer is different to the one used by Teardrop," said Symantec.
The SolarWinds attackers are believed to have been active on the networks of their targets for many months, making this one of the most serious cyber breaches in recent years; the purpose is thought to be intelligence gathering. Unlike the outgoing Trump administration, which showed little interest beyond suggesting that China might be to blame, incoming US president Joe Biden has promised to make the SolarWinds attacks "a top priority from the moment we take office".