During the SolarWinds campaign, the attackers used techniques such as password guessing and password spraying, and they targeted cybersecurity companies and federal agencies. These attacks often exploited improperly secured administrator or service credentials, which let the intruders gain access to the systems of targeted organizations.
Attackers used password guessing and/or spraying
Guessing passwords is not new. Password spraying, however, is a more disciplined form of the same attack on authentication, designed to stay below account-lockout thresholds while still covering a whole user population.
CISA reported that the actors behind the SolarWinds hack also used this method. That campaign is best known for the trojanized Orion Platform update, which was distributed to roughly 18,000 organizations, but password guessing and spraying gave the same actors a way in that did not depend on Orion at all.
Password spraying is not limited to Windows systems, and CISA has found cases where the actors used the tactic against organizations that were not running the SolarWinds Orion software. The tactic works by trying a small number of likely passwords against a large number of accounts, rather than many passwords against one account, so that no single account accumulates enough failures to trigger a lockout. It is still a brute-force attack; the attempts are simply spread horizontally across usernames in rounds instead of being concentrated on one user.
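The distinction above (few attempts per account across many accounts, versus many attempts against one account) is exactly what a detection should key on. The following is an added example, not code from the original article, from SolarWinds or from CISA: it parses a small set of constructed authentication log lines (the "timestamp user source-IP result" format and every line in it are made up for illustration) and classifies each source as spraying, brute-forcing, or neither, then flags any account that logged in successfully from a source that had been attacking.

```python
"""Password-spray vs. brute-force triage over authentication logs.

Added example, not code from the original article, SolarWinds or CISA.
The log format ("<ISO timestamp> <user> <source IP> FAIL|SUCCESS") and the
sample lines below are constructed for illustration and do not come from
any real product or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one spraying source, one
# brute-forcing source, and one user who mistyped a password once.
SAMPLE_LOG = """\
2020-12-14T09:00:01 alice 203.0.113.5 FAIL
2020-12-14T09:00:04 bob 203.0.113.5 FAIL
2020-12-14T09:00:07 carol 203.0.113.5 FAIL
2020-12-14T09:00:10 dave 203.0.113.5 FAIL
2020-12-14T09:00:13 erin 203.0.113.5 FAIL
2020-12-14T09:00:16 frank 203.0.113.5 FAIL
2020-12-14T09:00:19 grace 203.0.113.5 SUCCESS
2020-12-14T09:05:00 alice 198.51.100.7 FAIL
2020-12-14T09:05:02 alice 198.51.100.7 FAIL
2020-12-14T09:05:04 alice 198.51.100.7 FAIL
2020-12-14T09:05:06 alice 198.51.100.7 FAIL
2020-12-14T09:05:08 alice 198.51.100.7 FAIL
2020-12-14T09:30:00 bob 192.0.2.9 FAIL
2020-12-14T09:30:30 bob 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user.lower(),   # normalise so Alice and alice count once
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(events, window=timedelta(minutes=30), spray_users=5, brute_attempts=5):
    """Classify each source IP's failed logins.

    password_spray: within any `window`, failures against >= spray_users
        distinct accounts (few attempts each, which keeps every account
        below a typical lockout threshold).
    brute_force: within any `window`, >= brute_attempts failures against
        a single account.
    A success from the same source after the attack started is reported
    as a likely compromised account.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        tactics = set()
        start = 0
        for end in range(len(fails)):
            # advance the window start so fails[start:end+1] spans <= window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= spray_users:
                tactics.add("password_spray")
            if max(per_user.values()) >= brute_attempts:
                tactics.add("brute_force")
        if not tactics:
            continue
        first, last = fails[0]["ts"], fails[-1]["ts"]
        compromised = sorted({
            e["user"] for e in evs
            if e["ok"] and first <= e["ts"] <= last + window
        })
        findings[ip] = {"tactics": sorted(tactics), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, f["tactics"], "possible compromise:", f["compromised"] or "-")
```

Two caveats a practitioner would add: keying on source IP misses sprays distributed across many addresses (the actors in this campaign rotated infrastructure), so a second pass that counts distinct failing accounts per window for the whole tenant regardless of source, or groups by user agent, is worth running alongside this one at the cost of more noise from NAT'd offices; and `spray_users` and `brute_attempts` should be set relative to the organisation's size and its actual lockout threshold, since the spraying adversary is deliberately staying one attempt below that number.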
The CISA advisory points out that weak passwords are a major security flaw: once a guessed credential works, the attacker can move through the victim network while looking like a legitimate user. The agency is still determining the root cause of the intrusions. Among other things, CISA is looking into the abuse of SAML tokens, forged authentication assertions that let an attacker impersonate any user to services that trust the identity provider.
Attackers exploited inappropriately secured admin or service credentials
Approximately 18,000 SolarWinds customers downloaded the malicious update, which gave the attackers a foothold in their IT systems. SolarWinds is sharing information with law enforcement and working with partners on the investigation. Affected organizations should prepare for a difficult remediation. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an updated alert containing new indicators of compromise, along with information on how the attackers gained initial access, including vectors that did not involve the Orion platform.
The updated CISA alert outlines how the attackers obtained credentials from an internal source and then used them to access a variety of systems. The attackers sought customer data, future product plans, and employee information, and they also leveraged the stolen credentials to get past multi-factor authentication.
In addition, the alert explains how the attackers used a vulnerability in the SolarWinds Orion API to execute API commands with the same privileges as the Orion application itself. APT actors likely used this Orion API authentication bypass to conduct reconnaissance against a target's network, one step in what was a highly sophisticated intrusion.
Attackers targeted cybersecurity companies and federal agencies
Attackers target a wide range of organizations, including cybersecurity companies and federal agencies. In some cases the attacks have geopolitical implications and persist for long periods of time. Regardless of the motivation, they should be taken seriously.
Of the several types of attacks, a state-sponsored attack is considered one of the most dangerous. These actors are able to take control of Internet-facing devices and software, map a company's network to determine how far their unauthorized access reaches, and steal personal information to sell on the dark web.
A state-sponsored attack can turn a routine incident response into a corporate cyber crisis. This is especially true for critical infrastructure: energy systems are interconnected to form a "grid," and an attacker who brings down the grid also affects air traffic, hospitals and the transportation industry.
A study by the Organization of American States found that cyberattacks against the energy and manufacturing industries had been growing. A researcher from the organization explained that these attacks were more likely to target operational technology than information technology.
Sophos added a new product to its malware protection portfolio
Several months ago, Sophos and CyberArk released a study finding that the majority of security tools are themselves vulnerable to exploits; products from all of the major security vendors were exposed to vulnerabilities. Sophos has since added Endpoint Detection and Response (EDR) to its Intercept X endpoint protection portfolio, built on deep learning. Sophos' deep learning neural network is trained on hundreds of millions of samples and compares the "DNA" of suspicious files against malware samples already categorized by SophosLabs. It also provides expert analysis of potential attacks. The new product is available now through a global early access program.