SolarWinds backdoor and connected with it a recent supply-chain attack are one of the biggest cyber incidents we have witnessed in years. The compromised software channel was used to push out malicious updates onto 18,000 of their Orion platform customers. There is a new development in this case. Security specialists turned a malicious domain name used to control potentially thousands of computer systems into a kill switch. How it was done exactly? Well… check the newest episode of Xopero Security Center to find out more.
FireEye, Microsoft and GoDaddy create kill switch for SolarWinds backdoor
Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds Sunburst backdoor that forces the malware to terminate itself.
Last week was all about The SolarWinds hack. A short reminder – it was revealed that Russian state-sponsored hackers breached SolarWinds and added malicious code to a Windows DLL file used by their Orion IT monitoring platform.
This malicious DLL is a backdoor tracked as Solarigate – by Microsoft – or Sunburst – by FireEye – and was distributed via SolarWinds’ auto-update mechanism to approximately 18,000 customers. The vast majority of these victims are US government agencies, such as:
- The US Treasury Department
- The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
- The Department of Health’s National Institutes of Health (NIH)
- The Cybersecurity and Infrastructure Agency (CISA)
- The Department of Homeland Security (DHS)
- The US Department of State
- The National Nuclear Security Administration (NNSA) (also disclosed today)
- The US Department of Energy (DOE) (also disclosed today)
- Three US states (also disclosed today)
- City of Austin (also disclosed today)
How the backdoor works
The Sunburst backdoor would connect to a command and control (C2) server at a subdomain of avsvmcloud[.]com to receive ‘jobs’, or commands to execute. If the C2 server resolved to an IP address in one of the following ranges, the malware would terminate and update a setting, so the malware never executes again.
fc00:: – fe00::
fec0:: – ffc0::
ff00:: – ff00::
Last week, the command and control server domain, avsvmcloud[.]com, was seized and now resolves to the IP address 18.104.22.168, which belongs to Microsoft. This domain takeover allows Microsoft and its partners to sinkhole the malicious traffic and analyzes it to identify further victims.
The kill switch
FireEye collaborated with GoDaddy and Microsoft to deactivate Sunburst infections. Researchers used the avsvmcloud[.]com takeover to create a kill switch that unloads the malware on infected machines. As was mentioned before, depending on the IP address returned when the malware resolves avsvmcloud[.]com, it could / would terminate itself and prevent further execution.
As part of this collaboration, GoDaddy has created a wildcard DNS resolution so that any subdomain of avsvmcloud[.]com resolves to 22.214.171.124. When an infected machine tries to connect to its command and control server under the avsvmcloud[.]com domain, the subdomain will always resolve to the 126.96.36.199 IP address. As this IP address is part of the 188.8.131.52/15 range that is on the malware block list, it will cause the malware to terminate and prevent itself from executing again.
This killswitch will affect new and previous Sunburst infections by disabling Sunburst deployments that are still beaconing to avsvmcloud[.]com. Organizations that were already breached by the threat actors likely have different methods to access the victim’s network.
AIR-FI attack allows exfiltrating data from Air-Gapped computers via Wi-Fi signals…
The attack doesn’t require a Wi-Fi hardware.
Air-gapped computers – machines with no network interfaces – are considered a necessity in environments where sensitive data is involved in an attempt to reduce the risk of data leakage. Thus in order to carry out attacks against such systems, it is often essential that the transmitting and receiving machines be located in close physical proximity to one another and that they are infected with the appropriate malware to establish the communication link.
AIR-FI is a novel technique that leverages Wi-Fi signals as a covert channel-surprisingly, without requiring the presence of Wi-Fi hardware on the targeted systems. The attack hinges on deploying a specially designed malware in a compromised system that exploits DDR SDRAM buses to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and transmitting information atop these frequencies that can then be intercepted and decoded by nearby Wi-Fi capable devices such as smartphones, laptops, and IoT devices before sending the data to remote servers controlled by an attacker.
Novel and unique technique
AIR-FI is unique in that the method neither relies on a Wi-Fi transmitter to generate signals nor requires kernel drivers, special privileges such as root, or access to hardware resources to transmit the data. What’s more, the covert channel works even from within an isolated virtual machine and has an endless list of Wi-Fi enabled devices that can be hacked by an attacker to act as a potential receiver.
The kill chain in itself consists of an air-gapped computer onto which the malware is deployed via social engineering lures, self-propagating worms such as Agent.BTZ, tampered USB flash drives, or even with the help of malicious insiders. It also requires infecting Wi-Fi capable devices co-located in the air-gapped network by compromising the firmware of the Wi-Fi chips to install malware capable of detecting and decoding the AIR-FI transmission and exfiltrating the data over the Internet.
To generate the Wi-Fi signals, the attack makes use of the data bus (or memory bus) to emit electromagnetic radiation at a frequency correlated to the DDR memory module and the memory read/write operations executed by processes currently running in the system.
Researchers propose zone protections to safeguard against electromagnetic attacks, enabling intrusion detection systems to monitor and inspect for processes that perform intensive memory transfer operations, jamming the signals, and using Faraday shields to block the covert channel.
Malicious Chrome, Edge extensions with 3M installs still in stores
Malicious Chrome and Edge browser extensions with over 3 million installs, most of them still available on the Chrome Web Store and the Microsoft Edge Add-ons portal, are capable of stealing users’ info and redirecting them to phishing sites.
The malware-laced extensions found by Avast researchers are designed to look like helper add-ons for Instagram, Facebook, Vimeo, and others. It looks like they have been used from December 2018.
Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before redirecting them to the actual website they wanted to visit.
The actors exfiltrate and collect the user’s birth dates, email addresses, and device information, including first sign-in time, last login time, name of the device, operating system, browser and its version, even IP addresses. The end goal is focused on monetizing the users’ traffic by automatically redirecting them to third-party domains, including sites filled with ads or phishing landing pages.
The extensions’ backdoors are well-hidden and start to exhibit malicious behaviour days after installation, which made it hard for any security software to discover. Among the tactics used to evade detection, the malware will monitor what the victims search and will not activate if they are looking for info on one of its domains.It will also avoid infecting web developers who have the knowledge to spot it and examine the extensions’ malicious background activity.
The lists of malicious extentions includes:
Direct Message for Instagram, Direct Message for Instagram, DM for Instagram, Invisible mode for Instagram Direct Message, Downloader for Instagram (1,000,000+ users), Instagram Download Video & Image, App Phone for Instagram, Stories for Instagram, Universal Video Downloader, Video Downloader for FaceBook, Vimeo™ Video Downloader (500,000+ users), Volume Controller, Zoomer for Instagram and FaceBook, Spotify Music Downloader, Pretty Kitty, The Cat Pet, Video Downloader for YouTube, SoundCloud Music Downloader, The New York Times News Instagram App with Direct Message DM.
The extensions were probably deliberately created with the malware built-in, the author waited for the extensions to become popular, and then pushed an update containing the malware or it was bought from the original author.
Both Microsoft and Google are currently looking into Avast’s findings but, until they are removed, users should disable or uninstal the extensions and then scan for any malware infections
Google, YouTube, Gmail service suffered major outage worldwide
If you have tried to log in to your Google services on Monday at around 11:56 GMT you have probably noticed that all of them went down abruptly. Like countless other users across the globe. The disrupted services include Google Search, Google Assistant, Gmail, Google Drive, and YouTube.
Downdetector, a web outage tracking service, identified more than 40,000 outage cases within just ten minutes after the outage started. YouTube and Gmail were the worst affected services.
“Something went wrong…”
The unexpected outage caused a huge uproar on Twitter as users were shocked and perplexed over the crashing of Google’s services across the globe. Within no time, the hashtag #YouTubeDOWN started trending on Twitter.
Error was due to lack of storage space in authentication tools causing the system to crash. The company’s internal tools failed to allocate enough storage space to the services that handle authentication. When that storage filled up, the system should have automatically made it more available. Instead, it seems it didn’t, which meant the system crashed..
Google acknowledged the issue, and the company quickly addressed it. The giant stated that the outage affected its personal and business services. The problem occurred at 6:55 a.m. ET, and it was fixed for most users at around 7:52 a.m. ET. Later, Google updated all the services’ status pages with the same message informing users that the problem has been resolved.
This situation proves that downtimes can happen to every company – even the biggest ones. Thus it is important to have a proven third-party backup solution to protect the most valuable data stored in SaaS services – like Microsoft 365 backup by Xopero. In case of any event of failure you can get back to work immediately.