🚨Cyber Attack Chronicles🚨

The SolarWinds hack, a supply chain attack discovered in December 2020, compromised numerous Fortune 500 companies and US government agencies. Attackers planted a backdoor in legitimately signed updates of SolarWinds' Orion platform, so thousands of organizations installed the malware through a trusted vendor channel; the incident showed how much risk sits in implicit vendor trust. Affected: Fortune 500 companies, US Government agencies, SolarWinds

Key points:

  • The compromise was discovered in December 2020, but trojanized Orion updates had been distributed to customers since March 2020.
  • It was a sophisticated supply chain attack targeting the Orion software updates of SolarWinds.
  • Attackers, believed to be APT29 (Cozy Bear), aimed for espionage against key sectors, including government and critical infrastructure.
  • Approximately 18,000 of SolarWinds' roughly 300,000 customers installed a compromised Orion update without knowing it.
  • High-profile victims included U.S. government departments and major tech companies.
  • Estimated damages exceeded 0 billion due to economic and reputational losses.
  • A weak password (solarwinds123) for a SolarWinds update server had been exposed publicly; it is widely cited as a failure of basic hygiene, though it was never confirmed as the attackers' initial access vector.
  • Multiple malware components were used: Sunspot (a build-server implant that injected the backdoor at compile time), Sunburst (the backdoor inside the Orion DLL), and Teardrop and Raindrop (second-stage loaders for Cobalt Strike payloads).
  • Security practices like zero trust and comprehensive vendor assessments were reinforced post-incident.
  • The breach led to a significant drop in SolarWinds’ stock and catalyzed an increase in software supply chain attacks.

MITRE ATT&CK techniques:

  • Supply Chain Compromise (T1195, sub-technique T1195.002 Compromise Software Supply Chain) – Attackers inserted malicious code into trusted, signed software updates to gain access to victims' systems.
  • Remote Access Software (T1219) – Note that T1219 covers legitimate remote administration tools; SUNBURST itself was a custom backdoor that gave the attackers remote control of infected hosts.
  • OS Credential Dumping (T1003) – Attackers stole credentials from compromised hosts and used them to move laterally and gain further access (lateral movement is tracked under separate ATT&CK techniques).
  • Application Layer Protocol (T1071) – SUNBURST communicated with command-and-control servers over HTTP(S); the attackers used US-based infrastructure so the traffic blended in with normal activity.
  • Obfuscated Files or Information (T1027) – The backdoor was hidden inside a legitimately signed Orion DLL; the DGA-style subdomains used for command and control fall under Dynamic Resolution: Domain Generation Algorithms (T1568.002).
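The C2 pattern above, in which the backdoor builds long random-looking subdomains under a fixed attacker-controlled domain, is something a defender can hunt for in DNS logs. The following script is an added example written for this page, not code from the original post or from any SolarWinds tooling: it scores the leftmost DNS label by length and Shannon entropy and alerts when one client queries several distinct DGA-like labels under the same base domain. The log lines, the `vendor-cloud.test` domain, and the thresholds are all constructed assumptions.

```python
"""Flag DGA-style subdomains in DNS query logs (added example, constructed data)."""
import math
from collections import defaultdict

# Constructed sample log, not real telemetry: one "client<TAB>query_name" per line.
# The .test TLD is reserved, so the vendor-cloud.test names resolve nowhere.
SAMPLE_DNS_LOG = """\
10.0.0.5\twww.example.com
10.0.0.5\tupdates.example.com
10.0.0.7\t7cbtailjomqle1pjvr2d32i2voe60ce2.api.vendor-cloud.test
10.0.0.7\tk5kcubuassl3alrf7gm3pau8m.api.vendor-cloud.test
10.0.0.9\tcdn.example.com
10.0.0.7\tr8stkst71ebqgj66ervisu10bdohu0gx.api.vendor-cloud.test
10.0.0.9\tstatus.vendor-cloud.test
"""

MIN_LABEL_LEN = 20   # assumed threshold: legitimate host labels are rarely this long
MIN_ENTROPY = 3.0    # assumed threshold in bits/char: "www" is 0.0, "updates" is about 2.8


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(label: str) -> bool:
    """Heuristic: a long, high-entropy label looks machine-generated."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def base_domain(fqdn: str) -> str:
    """Registrable domain approximated as the last two labels (no public-suffix handling)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str):
    """Yield (client, fqdn) pairs; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2 and parts[1]:
            yield parts[0], parts[1].lower().rstrip(".")


def find_dga_beacons(log_text: str, min_distinct: int = 2):
    """Alert on clients that query several distinct DGA-like labels under one base domain."""
    seen = defaultdict(set)  # (client, base_domain) -> set of suspicious leftmost labels
    for client, fqdn in parse_log(log_text):
        leftmost = fqdn.split(".")[0]
        if is_dga_like(leftmost):
            seen[(client, base_domain(fqdn))].add(leftmost)
    alerts = []
    for (client, base), labels in sorted(seen.items()):
        if len(labels) >= min_distinct:
            alerts.append({
                "client": client,
                "base_domain": base,
                "distinct_labels": len(labels),
                "samples": sorted(labels)[:3],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dga_beacons(SAMPLE_DNS_LOG):
        print(alert)
```

Run against the sample, only client 10.0.0.7 is flagged, for three distinct labels under vendor-cloud.test; the short `status` label under the same domain and everything under example.com stay quiet. In production the thresholds need tuning against your own DNS baseline, and a public-suffix list should replace the two-label approximation of the base domain, otherwise names under co.uk-style suffixes group incorrectly.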

Indicators of compromise:

  • [Password] solarwinds123
  • [Malware] SUNBURST
  • [Malware] Sunspot
  • [APTs] APT29 (Cozy Bear)
  • [Victim] FireEye (the victim that discovered the campaign while investigating the theft of its own red-team tools)


Full Story: https://medium.com/@kssokmen/cyber-attack-chronicles-d0ba688bf6d1?source=rss——cybersecurity-5