Skip to content
NGTEdu Logo

NGTEdu

A PRODUCT OF NGTECH.CO.IN

NGTEdu Logo

NGTEdu

  • Home
  • Cyber Attacks
  • Malware
  • Vulnerabilities
  • Data Breach
  • Home
  • Cyber Attacks
  • VERT Alert: SolarWinds Supply Chain Attack
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

VERT Alert: SolarWinds Supply Chain Attack

5 years ago Tyler Reguly
VERT Alert: SolarWinds Supply Chain Attack

Vulnerability Description

The United States Cybersecurity & Infrastructure Security Agency (CISA) has advised that an advanced persistent threat (APT) actor was able to insert sophisticated malware into officially signed and released updates to the SolarWinds network management software [1]. The attacks have been ongoing since at least March 2020 and CISA has warned that many high-value targets within government, critical infrastructure, and the private sector have been compromised. Private security firm FireEye has also disclosed that the attackers were able to steal their private collection of hacking tools and techniques used for security audits [2].

Exposure and Impact

Successful compromise through the SolarWinds Orion backdoor could lead to complete compromise of a targeted network. Compromised network management software (NMS) provides deep access for an attacker to move laterally through a network and obtain credentials. Although not all organizations installing the backdoored version of the SolarWinds Orion software were necessarily compromised, all such organizations must assume that their network may be fully compromised.

Remediation & Mitigation

Tripwire VERT recommends that all organizations review their systems for indicators of compromise related to the malicious SolarWinds updates as well as the FireEye Red Team Tools. Detected compromises should be handled through a security incident response process.

Detection

ASPL-920 includes the following Windows DRT checks related to the SolarWinds backdoor and associated exploitation:

  • SolarWinds netsetupsvc.dll Library Installed (ID: 467518)
  • SolarWinds SolarWinds.Orion.Core.BusinessLayer.dll Library Backdoor (ID: 467516)

ASPL-920 also includes the following checks for all vulnerabilities exploited by the FireEye hacking tools:

  • CVE-2019-11510
    • Title: SA44101 – 2019-04: Pulse Connect Secure CVE-2019-11510 Arbitrary File Reading Vulnerability
    • ID: 432095 (non-DRT)
  • CVE-2020-1472
    • Title: MS-2020-Aug: Netlogon Elevation of Privilege Vulnerability
    • ID: 451635 (Windows DRT)
    • SSH-DRT IDs: 459913, 459873, 459499, 459474, 459423, 459367, 459366, 459365, 459318, 459212, 459211, 459179
  • CVE-2018-13379
    • Title: FortiOS CVE-2018-13379 Path Traversal Vulnerability
    • ID: 466495 (SSH-DRT & Non-DRT)
  • CVE-2018-15961
    • Title: APSB18-33: Adobe ColdFusion Unrestricted File Upload Arbitrary Code Execution Vulnerability
    • ID: 447353 (Windows DRT), 447352 (SSH-DRT), 447310 (WebApp)
  • CVE-2019-0604
    • Title: MS-2019-Feb: Microsoft SharePoint Remote Code Execution Vulnerability I
    • ID: 416822 (Windows DRT)
  • CVE-2019-0708
    • Title: MS-2019-May: Remote Desktop Services Remote Code Execution Vulnerability
    • ID: 422448 (Windows DRT & Non-DRT)
  • CVE-2019-11580
    • Title: Atlassian Crowd CVE-2019-11580 pdkinstall Vulnerability
    • ID: 35222 (Non-DRT & WebApp)
  • CVE-2019-19781
    • Title: Citrix ADC Application Arbitrary Code Execution CVE-2019-19781 Vulnerability
    • ID: 437315 (Non-DRT)
  • CVE-2020-10189
    • Title: Zoho ManageEngine CVE-2020-10189 Cewolfservlet RCE Vulnerability
    • ID: 467510 (Non-DRT)
  • CVE-2020-10189
    • Title: Zoho ManageEngine CVE-2020-10189 Cewolfservlet Deserialization Vulnerability
    • ID: 467515 (Non-DRT)
  • CVE-2014-1812
    • Title: MS14-025: Group Policy Preferences Elevation of Privilege Vulnerability
    • ID: 94146 (Windows DRT)
  • CVE-2019-3398
    • Title: Atlassian Confluence Security Advisory 2019-04-17: Downloadallattachments Resource Path Traversal Vulnerability
    • ID: 422182 (WebApp)
  • CVE-2020-0688
    • Title: MS-2020-Feb: Microsoft Exchange Memory Corruption Vulnerability
    • ID: 440153 (Windows DRT & Non-DRT)
  • CVE-2016-0167
    • Title: MS16-039: Win32k Elevation of Privilege Vulnerability
    • ID: 226259 (Windows DRT)
  • CVE-2017-11774
    • Title: MS-2017-Oct: Microsoft Outlook Security Feature Bypass Vulnerability
    • ID: 313178 (Windows DRT)
  • CVE-2018-8581
    • Title: MS-2018-Nov: Microsoft Exchange Server Elevation of Privilege Vulnerability
    • ID: 412491 (Windows DRT)
  • CVE-2019-8394
    • Title: Zoho ManageEngine Service Desk Plus CVE-2019-8394 File Upload Vulnerability
    • ID: 467517 (Windows DRT & Non-DRT)
References
[1] https://us-cert.cisa.gov/ncas/alerts/aa20-352a
[2] https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

The post ” VERT Alert: SolarWinds Supply Chain Attack” appeared first on TripWire

Source:TripWire – Tyler Reguly

Tags: APT, CERT, Critical Severity, Goverment, High Severity, Microsoft, TripWire

Continue Reading

Previous Cloud is King: 9 Software Security Trends to Watch in 2021
Next The 10 Most Common Website Security Attacks (and How to Protect Yourself)

More Stories

  • Cyber Attacks
  • Data Breach
  • Vulnerabilities

OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link

3 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach

Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos

3 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

7 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach

Securing the Mid-Market Across the Complete Threat Lifecycle

7 hours ago [email protected] (The Hacker News)
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users

10 hours ago [email protected] (The Hacker News)
  • Critical Vulnerability
  • Cyber Attacks
  • Data Breach
  • Malware
  • Vulnerabilities

eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

13 hours ago [email protected] (The Hacker News)

Recent Posts

  • OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
  • Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos
  • ⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats
  • Securing the Mid-Market Across the Complete Threat Lifecycle
  • Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users

Tags

Android APT Bug CERT Cloud Compliance Coronavirus COVID-19 Critical Severity Encryption Exploit Facebook Finance Google Google Chrome Goverment Hacker Hacker News High Severity Instagram iPhone Java Linux Low Severity Malware Medium Severity Microsoft Moderate Severity Mozzila Firefox Oracle Patch Tuesday Phishing Privacy QuickHeal Ransomware RAT Sim The Hacker News Threatpost TikTok TripWire VMWARE Vulnerability Whatsapp Zoom
Copyright © 2020 All rights reserved | NGTEdu.com
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More here.Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT