6:16 PM 12/23/2020: Edited this, as I had written Suntrust where it should have said Sunburst in one of the paragraphs.
In part 1 of this article, we talked about several articles that make this story very interesting, as the security company that uncovered the breach, FireEye, was dealing with a breach of its own and found something very interesting in the process. We continue with the rest of what we’ve found, including what SUNBURST is, according to Trend Micro.
Trend Micro’s This Week in Security News for the week ending December 18, 2020 covers quite a number of different things that may be of interest. The biggest item there deals with critical infrastructure, which the SolarWinds attackers have not gotten into according to all of the reports to date. The roundup also covers Pawn Storm, which is Trend Micro’s name for the APT28 group (also known as Fancy Bear), a threat actor rather than a remote access trojan or RAT; that said, RATs and backdoors are exactly the kind of tooling whoever is behind the SolarWinds compromise would be expected to use, so it may be of interest too. Also in the week’s news is an article entitled Overview of Recent Sunburst Targeted Attacks, which we’ll get into in a bit, and coverage of the hotfix SolarWinds is recommending, so there are definitely things in this week’s news that might be of interest to you.
Let us define what SUNBURST is.
The long and short of it: SUNBURST is a backdoor. Once it is running, its operators can do just about anything on the system, including running and stopping processes, rebooting, reading and writing the registry, file operations, stopping services, and more that may not be listed. Orion is a network monitoring and management tool, so it runs with high privileges and holds credentials for the devices it watches. During 2020 a trojanized version of Orion carrying the backdoor was distributed through SolarWinds’ own legitimate update channel, and that is what set things in motion: customers who installed the update installed the backdoor along with it. SUNBURST may not be the only way the actors can control these systems, but it is the one being talked about most right now.
Please read the Trend Micro article on SUNBURST for more detail if this is of interest to you.
Attribution is quite hard in this field, but one of the things I am reading is that this could be the work of an advanced persistent threat group like APT29, otherwise known in the circles as “Cozy Bear.” They’re not so cozy, according to the article I’ll be linking to next. FireEye’s Kevin Mandia says in the video that he wants to be 100 percent sure who did it so we can properly take the appropriate steps, unless things get worse first. The President has instead suggested it was China, according to reports and the video I linked to in part 1 of this article.
According to the article, this was a well-designed, patient and focused operation, and the people behind it have the resources to take their time. In the interview linked in part 1, the reporter asked who did it, and it is mentioned that it looks like someone we’ve dealt with before who will take their time on things. I urge everyone to watch the video linked there, because it may give some insight into what is going on.
According to this article, nobody has formally been blamed, and that is the most important thing we can take out of this picture. Again, nobody has been blamed at all for this breach as of yet.
One of the things mentioned in the interview is that this could have been an ongoing attack since last year, but it stops there. On who Cozy Bear is, the article says:
Cozy Bear is thought to be made up of several different networks of hackers, which can also make attribution difficult, said Matthieu Faou, a malware researcher at Slovakia-based ESET, which has not linked the group to the SolarWinds breach.
Just because one group takes responsibility doesn’t necessarily mean we know they did it, or that the evidence points to them. They could claim it just to get us to stop investigating the matter, although I don’t know that to be factual.
There is a lot more information, including who Cozy Bear has attacked, under the heading called “Doubling down.” Here is some more, taken from several paragraphs of this article:
“Everybody’s talking about SUNBURST … but SUNBURST is just the initial show, it’s just the stage one,” said Kyle Hanslovan, the co-founder and CEO of Huntress Labs and a former National Security Agency employee. “We’re hardly talking about TEARDROP or the use of Cobalt Strike within the network, which is designed to be a sophisticated, unattributable nation-state level capability. … That’s where I think this real story is going to happen.” Huntress Labs has not blamed Cozy Bear for the SolarWinds breach.
System administrators should prepare for the hackers to have moved laterally, says Chris Kubic, the former chief information security officer at the NSA and senior security architect for the Intelligence Community Information Environment. “I fully expect for any network that they were interested in that they used SolarWinds to gain initial access [to], they certainly would have laid down persistent accesses within those networks,” said Kubic, now CISO at Fidelis Cybersecurity. “It’s expensive to get access to one of those networks, so once they do, they’re going to take advantage of it, so I fully expect that they tried where they could to move laterally and compromise other systems.” Fidelis also has not linked Cozy Bear with the SolarWinds operation.
APT29’s stubbornness doesn’t just stand out once it’s inside a network — it is dogged from the outset, said Jamil Jaffer, a former House Intelligence Committee and White House aide. “An attacker like Cozy Bear will spend the time and energy to get in where they want to get in, they will take as long as they need to, and use the resources they can,” said Jaffer, senior vice president at IronNet Cybersecurity and founder and executive director of the National Security Institute at George Mason University. “If it’s a high-enough value target, they will wait until they’re in.”
There is also a heading called “Twists and turns,” which makes this more complicated. The final paragraph under it illustrates this. It says:
That unpredictability, and the diversity of Cozy Bear’s tactics through the years, may make it harder to know right now whether the suspected SolarWinds hackers have other tricks up their sleeve or whether they will retreat from their apparent espionage operation. “They don’t give up easily,” Faou noted. “But when they give up, they totally disappear.”
What should you be reading from this section? Easy! The article itself: How the Russian hacking group Cozy Bear, suspected in the SolarWinds breach, plays the long game. Read it and let us know what you think.
We’ll need a part 3; there’s still more I want to write, so be on the lookout for it as the series continues.