Cybersecurity experts have revealed a growing list of SolarWinds second-stage attack victims based on malware analysis.
The Truesec Threat Intelligence team analyzed the SolarWinds Sunburst backdoor as well as historical network data to identify patterns revealing possible victims.
The SUNBURST backdoor, also known as Solorigate malware, consists of a compromised DLL of the SolarWinds Orion Platform, a key component of SolarWinds software.
Experts disclosed the supply chain attack against the SolarWinds Orion Platform software earlier this week. It was later surmised that the SolarWinds compromise likely led to the breach of thousands of SolarWinds customers in the federal and private sectors.
Phase 2 attacks
Fabio Viggiani of Truesec published the analysis and list of “internal names of organizations that not only had the SUNBURST backdoor installed, but were also specifically targeted by the threat actor for the second stage of the attack, where further internal compromise might have taken place.”
The Truesec report highlights some of the domains targeted as part of the phase 2 attacks, in which the threat actor carries out further internal compromise of the victim.
Moreover, Truesec reverse engineered the backdoor to identify the set of IP address ranges that, when returned in DNS responses, determine which action the backdoor code takes. The company also reverse engineered the Domain Generation Algorithm (DGA) used to build the backdoor's DNS requests and, combined with historical records of those DNS requests, used it to decode the internal domain names of compromised organizations.
Some of the targeted domains in the list include those of Cisco GGSG, Deloitte, the NSW Ministry of Health in Australia, and banccentral.com, to name just a few.
In all, nearly 260 internal names were decoded.
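Truesec does not publish its decoder in this article. As an added example (not Truesec's code, and not from the article), the Python below undoes the substitution-cipher part of the SUNBURST query names and runs it over constructed passive-DNS records, which is the kind of matching the paragraph above describes. The alphabet, the 4-position shift, the escape scheme and the 16-character victim-ID prefix are assumed from public reverse-engineering write-ups of the sample; the C2 apex, the victim ID and the records are placeholders, and the "00"-prefixed alternate encoding is not covered.

```python
import re

# Cipher parameters as reported in public reverse-engineering of the SUNBURST sample (assumptions here; the article does not state them).
ALPHABET = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"  # a-z and 1-9; '0' is the escape char
SPECIALS = "0_-."                                  # characters that travel escaped
SHIFT, ID_LEN = 4, 16                              # ID_LEN: assumed length of the victim-ID prefix
C2_SUFFIX = ".c2-domain.example"                   # placeholder for the real C2 apex

def decode_fragment(fragment):
    """Undo the substitution cipher on the domain part of one query label."""
    out, i = [], 0
    while i < len(fragment):
        c = fragment[i]
        if c == "0":  # escape: the next char's alphabet index mod 4 selects a SPECIALS char
            i += 1
            out.append(SPECIALS[ALPHABET.index(fragment[i]) % 4])
        else:
            out.append(ALPHABET[(ALPHABET.index(c) - SHIFT) % len(ALPHABET)])
        i += 1
    return "".join(out)

def encode_fragment(domain, k=0):
    """Forward cipher, used only to build the constructed records below (k in 0..7
    stands in for the random padding that the decoder discards with 'mod 4')."""
    out = []
    for c in domain:
        if c in SPECIALS:
            out.append("0" + ALPHABET[SPECIALS.index(c) + 4 * k])
        else:
            out.append(ALPHABET[(ALPHABET.index(c) + SHIFT) % len(ALPHABET)])
    return "".join(out)

LABEL_RE = re.compile(r"\b([a-z0-9]+)" + re.escape(C2_SUFFIX) + r"\b")

def decode_passive_dns(lines):
    """Map each C2 query name seen in passive-DNS lines to its decoded fragment."""
    hits = {}
    for m in filter(None, map(LABEL_RE.search, lines)):
        try:
            hits[m.group(0)] = decode_fragment(m.group(1)[ID_LEN:])
        except (ValueError, IndexError):
            hits[m.group(0)] = None  # another encoding or a truncated label; not covered here
    return hits

VICTIM_ID = "jq9h2ib8f4k1t7ya"  # constructed 16-char stand-in for the encoded victim ID
SAMPLE_PDNS = [  # constructed passive-DNS records: 'time qname type rdata'
    "2020-06-12T09:14:03Z %s%s%s A 192.0.2.10" % (VICTIM_ID, encode_fragment("corp.example-bank", 3), C2_SUFFIX),
    "2020-06-12T09:14:05Z www.unrelated.example A 192.0.2.20",
    "2020-06-12T09:14:09Z %s%s%s A 192.0.2.10" % (VICTIM_ID, encode_fragment("health_dept.example", 5), C2_SUFFIX),
]
```

Running `decode_passive_dns(SAMPLE_PDNS)` yields the two decoded victim domains keyed by query name and skips the unrelated record; a label that cannot be decoded maps to None rather than aborting the batch.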
Finally, Truesec warned of a massive impact of the SolarWinds attack:
“It is highly likely that a massive amount of highly confidential information belonging to government organizations, medical institutions, cybersecurity, the financial industry, etc. has been leaked. It is also highly likely that software and systems have been compromised and that the modus operandi of the SolarWinds breach can be repeated in future campaigns.”
Other customer attacks
In a recent SEC filing, SolarWinds stated that, out of a customer base of 300,000, it believes “the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.”
Late last week, Microsoft also notified more than 40 customers “that the attackers targeted more precisely and compromised through additional and sophisticated measures.”
Additional SolarWinds customer victims included the Energy Department, the National Nuclear Security Administration (NNSA) and Equifax, among many others.
Readers can check out previous posts on the threat actors behind the SolarWinds attack, the Solorigate malware and the Sunburst backdoor.
- CISA: Threat actors behind SolarWinds hack pose ‘grave risk’ (updated)
- Solorigate malware behind the SolarWinds attack
- Global active exploits against SolarWinds via Sunburst backdoor