US Cyber Agency releases tool to help SolarWinds Orion defenders
The US Cybersecurity and Infrastructure Security Agency has released a new forensic tool to help organizations exposed to the 2020 SolarWinds Orion hack find traces of adversary activity on their systems.
The CISA Hunt and Incident Response Program tool, or CHIRP, detects indicators of compromise in Windows environments related to the backdoors installed through trojanized Orion security updates, as well as potentially compromised accounts and applications in Microsoft Azure and Office 365 environments.
CHIRP is available for free from CISA's GitHub repository.
The agency states that organizations should use CHIRP to:
- Check the Windows event log for artifacts associated with these attacks.
- Check the Windows registry for evidence of intrusion.
- Query Windows network artifacts.
- Apply YARA rules to detect malware, backdoors, or implants (YARA is a tool that helps malware researchers identify and classify malware samples).
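The four checks above amount to matching a list of indicators against host artifacts and reporting each hit with its confidence. The script below is an added illustration of that workflow, not code from CHIRP or CISA: the indicators, event-log lines, registry values and DNS records are all constructed placeholders, and the confidence labels are assumed analyst-assigned values rather than CISA's scoring.

```python
"""Minimal indicator-of-compromise scan over Windows-style artifacts.

Added example, not CHIRP's own code. Every indicator and every artifact
line here is constructed for illustration; none is a real IOC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Indicator:
    name: str        # label reported on a hit
    artifact: str    # which artifact class it applies to: event_log, registry, network
    pattern: str     # regular expression searched in each artifact line
    confidence: str  # assumed analyst-assigned label: high, medium or low


# Constructed indicator set (placeholders standing in for a YAML IOC file).
INDICATORS: List[Indicator] = [
    Indicator("placeholder-dll-load", "event_log",
              r"example_malicious_plugin\.dll", "high"),
    Indicator("placeholder-run-key", "registry",
              r"^HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "medium"),
    Indicator("placeholder-c2-domain", "network",
              r"\bexample-c2\.invalid\b", "high"),
]

# Constructed sample artifacts, one line per record, labelled by class.
SAMPLE_ARTIFACTS: Dict[str, List[str]] = {
    "event_log": [
        "2021-03-18T10:01:02 Security 4688 New Process: C:\\Temp\\example_malicious_plugin.dll",
        "2021-03-18T10:05:00 Security 4624 Logon Type 3 user alice from 10.0.0.5",
    ],
    "registry": [
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Temp\example_updater.exe",
        r"HKLM\Software\ExampleVendor\Benign = 1",
    ],
    "network": [
        "2021-03-18T10:06:10 DNS query example-c2.invalid from 10.0.0.7",
        "2021-03-18T10:06:11 DNS query update.microsoft.com from 10.0.0.7",
    ],
}


def scan(artifact: str, lines: List[str],
         indicators: List[Indicator] = INDICATORS) -> List[dict]:
    """Return one hit record per (indicator, line) match within one artifact class."""
    hits = []
    for ind in indicators:
        if ind.artifact != artifact:
            continue  # indicator belongs to a different artifact class
        rx = re.compile(ind.pattern, re.IGNORECASE)
        for line in lines:
            if rx.search(line):
                hits.append({"indicator": ind.name, "confidence": ind.confidence,
                             "artifact": artifact, "line": line})
    return hits


def scan_all(artifacts: Dict[str, List[str]],
             indicators: List[Indicator] = INDICATORS) -> List[dict]:
    """Run scan() over every artifact class and concatenate the hits."""
    hits: List[dict] = []
    for artifact, lines in artifacts.items():
        hits.extend(scan(artifact, lines, indicators))
    return hits


def summarize(hits: List[dict]) -> Dict[str, int]:
    """Count hits per confidence label so an analyst can triage high-confidence ones first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["confidence"]] = counts.get(h["confidence"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_all(SAMPLE_ARTIFACTS):
        print(f"[{h['confidence']:>6}] {h['indicator']:<24} {h['artifact']:<9} {h['line']}")
    print("summary:", summarize(scan_all(SAMPLE_ARTIFACTS)))
```

Each hit carries the matched line so it can be reviewed and confirmed by hand, which is the step CISA asks defenders to take before acting on a result; a hit is a lead for forensic imaging and analysis, not proof of compromise on its own.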
Network defenders should review and confirm any post-compromise threat activity detected by the tool, CISA advises. CISA has provided a confidence score for each IOC and YARA rule included in the CHIRP release. For confirmed positive hits, CISA recommends collecting a forensic image of the respective system and performing a forensic analysis on it.
The agency added, "Confirmation of a positive hit requires the removal of an adversary from a compromised network."
CHIRP is a command-line executable that searches for signs of compromise using a dynamic plugin and indicator system. It ships with YARA rules for searching event logs and registry keys and scanning for indications of APT tactics, techniques, and procedures. CHIRP also has a YAML file containing a list of IOCs detailed in CISA alerts AA20-352A and AA21-008A, along with malware and APT activity identified by CISA.
Currently, the tool looks for:
- The presence of malware identified by security researchers as TEARDROP and RAINDROP.
- Credential dumping certificate pulls.
- Certain persistence mechanisms identified as associated with this campaign.
- System, network, and M365 enumeration.
- Known indicators of lateral movement.
SilverFish threat
Meanwhile, a Swiss-based cybersecurity company, Prodaft, has said that a threat group it calls SilverFish has links to the SolarWinds attack.
A report released on Thursday said it found "evidence of a global cyber espionage campaign with strong ties to the SolarWinds attack," and that a group called EvilCorp modified the TrickBot malware infrastructure for the attacks.
Of the 4,700 SilverFish victims, the report noted, "there is a significant overlap with the companies affected during the attacks." Hit organizations include government institutions, global IT providers, the aviation industry and defense companies in Canada, the U.S., Italy and other countries.
"We believe that SilverFish is the first group to target EU states using vulnerabilities associated with the SolarWinds incident," the report said.