At a glance.
- Updates on SolarWinds supply chain breach.
- Cryptomining botnet makes use of controversial PostgreSQL feature.
- Mongolian government entities targeted.
- Facebook accuses Vietnamese IT firm of working for OceanLotus.
Updates on SolarWinds supply chain breach.
FireEye has published an analysis of the SolarWinds supply chain attack that compromised numerous US government agencies and private companies, including FireEye itself. The security firm says a sophisticated nation-state actor exhibiting "significant operational security" compromised SolarWinds's Orion network monitoring and management software in order to deliver malware via Orion's software updates. FireEye calls the Trojanized Orion plugin "Sunburst." Once the threat actor gains access to the environment, FireEye says the "actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim’s environment."
FireEye's researchers believe the initial compromise occurred sometime in the spring of 2020:
"SolarWinds.Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448) is a SolarWinds-signed plugin component of the Orion software framework that contains an obfuscated backdoor which communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs', that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the Orion Improvement Program (OIP) protocol and storing reconnaissance results within plugin configuration files. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers."
Microsoft, which assisted FireEye in the investigation, released its own findings, stating, "While updating the SolarWinds application, the embedded backdoor code loads before the legitimate code executes. Organizations are misled into believing that no malicious activity has occurred and that the program or application dependent on the libraries is behaving as expected. The attackers have compromised signed libraries that used the target companies’ own digital certificates, attempting to evade application control technologies. Microsoft already removed these certificates from its trusted list."
The Washington Post, citing anonymous sources, says APT29 (Cozy Bear), a threat actor attributed to Russia's SVR, is believed to be responsible for the hack. The US government targets known to be affected so far include the Department of Homeland Security, the State Department, the Treasury Department, the Commerce Department, and the National Institutes of Health. FireEye says additional victims include "government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals." In an SEC filing, SolarWinds said that 33,000 of its 300,000 customers were using its Orion product, ZDNet reports. The company believes fewer than 18,000 of these users installed the Trojanized update, though the incident is still under investigation.
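FireEye's analysis identifies the backdoored plugin by its MD5 (quoted above), which is the kind of indicator a defender sweeps a host for first. The script below is an added example and not FireEye's or SolarWinds's tooling: it walks a directory tree, hashes every DLL in fixed-size chunks so large files do not have to fit in memory, and reports any file whose digest is on the indicator list. The only real indicator is the hash from the page; the demo directory, file contents, and the "stand-in" indicator added for the demo are constructed, because the real file cannot be reproduced here.

```python
"""Sweep a directory tree for files whose MD5 matches a known indicator.

Added example, not FireEye's tooling. The single published indicator is the
MD5 FireEye gave for the backdoored SolarWinds.Orion.Core.BusinessLayer.dll;
everything in demo() (directory layout, file contents) is constructed."""
import hashlib
import os
import tempfile

# From FireEye's analysis quoted above.
SUNBURST_DLL_MD5 = "b91ce2fa41029f6955bff20079468448"

IOC_MD5 = {SUNBURST_DLL_MD5: "SolarWinds.Orion.Core.BusinessLayer.dll (SUNBURST)"}


def md5_of_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-hundred-MB binaries are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=IOC_MD5, suffixes=(".dll",)):
    """Return [(path, md5, label)] for files under root whose MD5 is in iocs.

    Only files with one of `suffixes` are hashed (pass suffixes=() to hash
    everything). Unreadable or locked files are skipped, not fatal, so one
    bad file does not abort a host-wide sweep."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest, iocs[digest]))
    return matches


def demo():
    """Constructed tree: one benign DLL and one stand-in for the backdoored plugin.

    The stand-in's hash is added to a copy of the IoC list only so the demo has
    something to find; a real sweep uses the published indicators alone."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "Orion", "benign.dll")
        suspect = os.path.join(root, "Orion", "plugins",
                               "SolarWinds.Orion.Core.BusinessLayer.dll")
        os.makedirs(os.path.dirname(suspect))
        with open(benign, "wb") as f:
            f.write(b"constructed benign contents")
        with open(suspect, "wb") as f:
            f.write(b"constructed stand-in for the backdoored plugin")
        iocs = dict(IOC_MD5)
        iocs[md5_of_file(suspect)] = "constructed stand-in"
        hits = sweep(root, iocs)
        # Normalise separators so the result is the same on every platform.
        return [(os.path.relpath(p, root).replace(os.sep, "/"), label)
                for p, _digest, label in hits]


if __name__ == "__main__":
    for rel, label in demo():
        print(f"MATCH {rel}: {label}")
```

Hash matching only catches the exact file FireEye analysed; a recompiled or re-signed variant needs the behavioural checks the report describes (the dormancy period, the OIP-mimicking traffic, the process and service blocklists), which a hash sweep cannot express.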
Cryptomining botnet makes use of controversial PostgreSQL feature.
Palo Alto Networks' Unit 42 describes a Linux-based cryptomining botnet dubbed "PGMiner" that abuses a feature covered by a disputed CVE: PostgreSQL's "copy from program," which allows a database superuser to execute code on the underlying operating system. PostgreSQL contends that this isn't a vulnerability, but rather a feature that can be abused if database privileges aren't securely configured. Unit 42 explains the controversy surrounding the feature:
"The 'copy from program' feature has been controversial since its debut in PostgreSQL 9.3. The feature allows the local or remote superuser to run shell script directly on the server, which has raised wide security concerns. In 2019, CVE-2019-9193 was assigned to this feature, naming it as a 'vulnerability.' However, the PostgreSQL community challenged this assignment, and the CVE has been labeled as 'disputed.' The main argument against defining the feature as a vulnerability is that the feature itself does not impose a risk as long as the superuser privilege is not granted to remote or untrusted users and the access control and authentication system works well. On the other side, security researchers worry that this feature indeed makes PostgreSQL a stepping stone for remote exploit and code execution directly on the server’s OS beyond the PostgreSQL software, if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection."
Regardless of whether the feature should be classified as a vulnerability, Unit 42 says the attackers in this case have used it "to stay under the detection radar by making the attack payload fileless." The attackers scan for Internet-exposed PostgreSQL ports, then launch brute-force attacks against the default "postgres" user account. Once they gain access, they use "copy from program" to download and execute cryptomining malware. The researchers conclude that the malware is "rapidly evolving," and could be ported to Windows and macOS in the future.
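Both stages of the intrusion Unit 42 describes leave traces in the PostgreSQL server log: the brute force shows up as a burst of failed password logins for the "postgres" role from one client, and the payload step shows up as a `COPY ... FROM PROGRAM` statement once statement logging is on. The detector below is an added example, not Unit 42's code. It assumes `log_line_prefix = '%m [%p] %h '` (timestamp, backend pid, client host) and `log_statement = 'all'`, so that statements reach the log; the sample log lines, hosts and statements are constructed, and the thresholds are assumptions to tune per site.

```python
"""Flag PostgreSQL log evidence of the PGMiner intrusion pattern described above:
(1) password brute force against one role from a single client and
(2) any logged COPY ... FROM PROGRAM statement.

Added example, not Unit 42's code. Assumes log_line_prefix = '%m [%p] %h '
and log_statement = 'all'. All sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; 203.0.113.7 and 10.0.0.5 are documentation addresses.
SAMPLE_LOG = """\
2020-12-14 10:00:01.001 UTC [4101] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:01.002 UTC [4101] 203.0.113.7 DETAIL:  Connection matched pg_hba.conf line 90: "host all all 0.0.0.0/0 md5"
2020-12-14 10:00:01.350 UTC [4102] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:01.710 UTC [4103] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:02.050 UTC [4104] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:02.400 UTC [4105] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:05.120 UTC [4106] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2020-12-14 10:00:06.300 UTC [4106] 203.0.113.7 LOG:  statement: CREATE TABLE IF NOT EXISTS t (c text)
2020-12-14 10:00:06.900 UTC [4106] 203.0.113.7 LOG:  statement: COPY t FROM PROGRAM 'uname -a'
2020-12-14 10:01:00.000 UTC [4200] 10.0.0.5 FATAL:  password authentication failed for user "appuser"
2020-12-14 10:01:30.000 UTC [4201] 10.0.0.5 LOG:  statement: COPY t FROM '/var/lib/postgresql/import.csv'
"""

# Matches the assumed prefix: "<timestamp> <zone> [<pid>] <host> <LEVEL>:  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ "
    r"\[(?P<pid>\d+)\] (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# Plain COPY ... FROM '<file>' is a normal bulk load and must not match.
COPY_PROGRAM_RE = re.compile(r"^statement:\s+(?P<sql>.*\bCOPY\b.*\bFROM\s+PROGRAM\b.*)$", re.I)


def parse_line(line):
    """Return a dict for a line in the assumed format, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_brute_force(records, user="postgres", threshold=5, window=timedelta(seconds=60)):
    """Return {host: total_failures} for hosts with >= threshold failed password
    logins for `user` inside any `window` (sliding window over sorted times)."""
    failures = defaultdict(list)
    for r in records:
        m = AUTH_FAIL_RE.search(r["msg"])
        if r["level"] == "FATAL" and m and m.group("user") == user:
            failures[r["host"]].append(r["ts"])
    flagged = {}
    for host, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[host] = len(times)
                break
    return flagged


def find_copy_from_program(records):
    """Return [(host, sql)] for every logged COPY ... FROM PROGRAM statement."""
    hits = []
    for r in records:
        m = COPY_PROGRAM_RE.match(r["msg"])
        if m:
            hits.append((r["host"], m.group("sql")))
    return hits


def report(text):
    records = parse_log(text)
    return {
        "brute_force": find_brute_force(records),
        "copy_from_program": find_copy_from_program(records),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed log the brute-force check flags only the client that fails five times in two seconds against "postgres" (the single "appuser" failure from the other host stays below threshold), and the statement check fires on the `FROM PROGRAM` form while ignoring the ordinary file `COPY`. The second check is only as good as statement logging: with `log_statement = 'none'` the payload step never reaches the log, which is why the PostgreSQL position quoted above, not granting superuser to remote or untrusted roles, remains the primary control.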
Mongolian government entities targeted.
Researchers at ESET and Avast have identified a state-sponsored operation targeting government entities in Mongolia, ZDNet reports. Avast attributes the campaign to the Chinese-speaking APT "LuckyMouse" with moderate confidence. According to ESET, the threat actor compromised the update mechanism of the chat application Able Desktop, which is widely used in Mongolia. The actor initially used Trojanized Able installers beginning in 2018, before compromising Able's update system directly in June 2020. The malware variants delivered included HyperBro backdoor, the PlugX Trojan, and another Trojan dubbed "Tmanger."
Avast states, "The APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised network such as scanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies."
Facebook accuses Vietnamese IT firm of working for OceanLotus.
In a rare public attribution, Facebook has accused CyberOne Group, a Vietnamese IT company, of working for APT32 (also known as "OceanLotus"), a threat actor believed to be operating on behalf of Vietnam's government. According to Reuters, Facebook's head of cybersecurity policy Nathaniel Gleicher said the evidence included "online infrastructure, malicious code, and other hacking tools and techniques." Gleicher said Facebook isn't revealing the exact details because doing so would hamper the company's efforts to track the group's future operations. CyberOne's now-suspended Facebook page told Reuters, "We are NOT Ocean Lotus. It's a mistake."
Facebook says APT32's recent activity involved crafting fake personas across multiple social media sites posing as activists, business entities, or romantic interests. Some of the group's Facebook pages "were designed to lure particular followers for later phishing and malware targeting." The threat actor also used malicious apps in the Google Play Store and watering-hole sites to deliver malware. Facebook describes the campaign as "a well-resourced and persistent operation focusing on many targets at once, while obfuscating their origin."