Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes
2021-01-21 16:58

Specifically, the compromised DLL file was quietly deployed onto targeted systems by mimicking legitimate file names - and the attackers worked between 8am and 5pm to increase the odds of not being spotted.

Much of the infosec commentary around the SolarWinds supply chain attack has reused the tired old clichés of stating the attackers were sophisticated, advanced, cunning, soft, strong, thoroughly absorbent, and so on.

"The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary," Microsoft sighed.

The analysis includes indicators of compromise and techniques used by the attackers to skate around SolarWinds's networks but, unusually for infosec research, expresses them in plain English that any averagely skilled IT pro can follow.

It's well worth a read. The attackers also used the mildly unusual reflective DLL loading attack technique.

Relatedly, custom Cobalt Strike loaders developed by the hackers strongly resembled "Legitimate Windows file and directory names, once again demonstrating how the attackers attempted to blend in the environment and hide in plain sight," said MS. The autopsies of the biggest supply chain attack for years will doubtless continue, but one thing's for sure: whichever nation state was behind it, they really knew what they were doing and really didn't want to be caught in the act.
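The "legitimate name, wrong location" pattern described above is something a defender can check mechanically over process-creation telemetry. The following is an added illustration, not code from the article or from Microsoft: it compares each image path against an allow-list of where well-known Windows binaries are expected to run, and flags known names executing from anywhere else. The allow-list, the function names and the sample events are constructed for this example.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed allow-list (an assumption, not from the article): directories
# in which these well-known Windows binaries are expected to execute.
EXPECTED_DIRS: Dict[str, List[str]] = {
    "svchost.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
    "rundll32.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
    "lsass.exe": [r"c:\windows\system32"],
    "explorer.exe": [r"c:\windows"],
}

def check_image(image_path: str) -> Tuple[str, str]:
    """Classify one process-creation image path (e.g. a Sysmon Event ID 1 'Image').

    Verdicts: 'ok' (known binary in an expected directory), 'masquerade'
    (known binary name running from an unexpected directory) or 'unknown'
    (name not in the allow-list, so this rule has no opinion).
    """
    norm = ntpath.normcase(image_path)          # lowercase, slashes -> backslashes
    directory, name = ntpath.split(norm)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "unknown", f"{name} is not in the allow-list"
    if directory in expected:
        return "ok", f"{name} runs from expected directory {directory}"
    return "masquerade", f"{name} runs from {directory}, expected one of {expected}"

def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Return (image_path, verdict) for every event that is not 'ok'."""
    findings = []
    for path in events:
        verdict, _reason = check_image(path)
        if verdict != "ok":
            findings.append((path, verdict))
    return findings

# Constructed sample of process-creation image paths (not real indicators).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\rundll32.exe",
    r"C:\Users\Public\Libraries\svchost.exe",      # legitimate name, wrong place
    r"C:/Windows/Temp/lsass.exe",                   # forward slashes, still caught
    r"C:\Program Files\Vendor\updater.exe",         # unknown to this rule
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:10s} {path}")
```

Because the attackers also worked business hours, a time-of-day filter alone would not have separated this activity from normal use; a path-based rule like this one does not depend on when the process started.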


News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/21/microsoft_solarwinds_deep_dive/

Related vendor (vulnerability counts, last 12 months)

VENDOR      #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Microsoft   365         50   1369    2820  161       4400
Solarwinds  44          0    80      95    40        215