
Researchers Find Additional Infrastructure Used By SolarWinds Hackers
2021-04-22 09:39

The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign "Skillful and methodic operators who follow operations security best practices to minimize traces, stay under the radar, and avoid detection."

By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker's known command-and-control footprint.

The attacks are being tracked by the cybersecurity community under various monikers, including UNC2452, Nobelium, SolarStorm, StellarParticle, and Dark Halo, reflecting differences between the tactics, techniques, and procedures employed by the adversary and those of known attacker profiles, including APT29.

Hosting the first-stage attack infrastructure entirely in the U.S., the second-stage primarily within the U.S., and the third-stage mainly in foreign countries.

Designing attack code such that no two pieces of malware deployed during successive stages of the infection chain looked alike.

"Identifying a threat actor's attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns," Livelli said.
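The correlation Livelli describes, matching observed IPs and domains against indicators tied to known campaigns and then looking for patterns per host, is illustrated below in an added example. It is not code from RiskIQ or from the article; every indicator, campaign label, stage name and log line in it is a constructed placeholder drawn from the RFC 5737 and RFC 2606 reserved ranges, not a real SolarWinds indicator.

```python
"""Correlate proxy/DNS telemetry against a published indicator set.

Added example, not from the RiskIQ report or The Hacker News article.
All IPs, domains, campaign labels and log lines are constructed
placeholders (RFC 5737 / RFC 2606), not real indicators.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator set: indicator -> (campaign label, infrastructure stage).
# Campaign names and stages are hypothetical.
IOCS = {
    "198.51.100.23": ("CAMPAIGN-A", "stage-1"),
    "203.0.113.0/24": ("CAMPAIGN-A", "stage-2"),
    "c2.example.invalid": ("CAMPAIGN-A", "stage-2"),
    "update.example.invalid": ("CAMPAIGN-B", "stage-3"),
}

# Constructed telemetry lines: "<timestamp> <src_ip> <dst_ip> <host or ->".
TELEMETRY = [
    "2021-04-20T10:00:01Z 10.0.0.5 198.51.100.23 -",
    "2021-04-20T10:00:07Z 10.0.0.5 203.0.113.77 c2.example.invalid",
    "2021-04-20T10:01:12Z 10.0.0.9 93.184.216.34 www.example.com",
    "2021-04-21T08:30:00Z 10.0.0.5 203.0.113.90 -",
    "2021-04-21T09:15:44Z 10.0.0.12 192.0.2.8 update.example.invalid",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def _index(iocs):
    """Split indicators into exact IPs, CIDR networks and domain names."""
    ips, nets, domains = {}, [], {}
    for ind, meta in iocs.items():
        if "/" in ind:
            nets.append((ipaddress.ip_network(ind, strict=False), meta))
            continue
        try:
            ips[str(ipaddress.ip_address(ind))] = meta
        except ValueError:
            domains[ind.lower().rstrip(".")] = meta
    return ips, nets, domains


def match_indicator(dst_ip, host, index):
    """Return (matched indicator, (campaign, stage)) or None.

    Exact IP wins over CIDR, which wins over domain; a host that is a
    subdomain of a listed domain also matches.
    """
    ips, nets, domains = index
    if dst_ip in ips:
        return dst_ip, ips[dst_ip]
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None
    if addr is not None:
        for net, meta in nets:
            if addr in net:
                return str(net), meta
    h = host.lower().rstrip(".")
    if h in domains:
        return h, domains[h]
    for d, meta in domains.items():
        if h.endswith("." + d):
            return d, meta
    return None


def correlate(lines, iocs=IOCS):
    """Group hits by source host and campaign.

    Returns {src_ip: {campaign: [(timestamp, indicator, stage), ...]}}.
    Unparseable lines are skipped rather than raising.
    """
    index = _index(iocs)
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, host = m.groups()
        result = match_indicator(dst, "" if host == "-" else host, index)
        if result:
            indicator, (campaign, stage) = result
            hits[src][campaign].append((ts, indicator, stage))
    return {src: dict(by_campaign) for src, by_campaign in hits.items()}


def stages_seen(hits, src, campaign):
    """Distinct infrastructure stages one source host contacted for a campaign."""
    return sorted({stage for _, _, stage in hits.get(src, {}).get(campaign, [])})


if __name__ == "__main__":
    results = correlate(TELEMETRY)
    for src, by_campaign in results.items():
        for campaign in by_campaign:
            print(src, campaign, stages_seen(results, src, campaign))
```

A host that touches more than one stage of the same campaign's infrastructure, as 10.0.0.5 does here, is the pattern worth escalating: it suggests progression along the infection chain rather than a single stray connection.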

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/ZACTdO9INHs/researchers-find-additional.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Solarwinds 56 33 104 80 50 267