CHIRP tool scans for signs of APT compromise associated with SolarWinds and Azure/M365 cyberattacks

CHIRP tool scans for signs of APT compromise associated with SolarWinds and Azure/M365 cyberattacks

The DHS CISA cybersecurity team just released a new tool dubbed CHIRP, a forensics collection tool designed to help network defenders scan for indicators of compromise (IOCs) associated with the SolarWinds Orion and Active Directory/M365 compromise and cyberattacks.

Cybersecurity and Infrastructure Security Agency (CISA) developed the CISA Hunt and Incident Response Program (CHIRP) tool to scan for APT compromises in recent cyberattacks that spilled into on-premises environments .

CHIRP was specifically developed to scan for APT activity detailed in the following two alerts:

  • Alert (AA20-352A): APT compromise of SolarWinds Orion products and impacted organizations.
  • Alert (AA21-008A): APT compromise of accounts and applications in Microsoft 365 (M365)/Azure environments.

The CHIRP command line tool is also free and available for download on Github and was “created to dynamically query Indicators of Compromise (IoCs) on hosts with a single package, outputting data in a JSON format for further analysis in a SIEM or other tool” and does not modify any system data.

Moreover, CHIRP requires Python 3.6 or greater to run with Python and looks for:

  • Presence of Teardrop and Raindrop malware.
  • Credential dumping certificate pulls.
  • Certain persistence mechanisms identified as associated with this campaign.
  • System, network and M365 enumeration.
  • Known observable indicators of lateral movement.

CHIRP is also similar to another CISA tool called Sparrow, used to help detect possible compromised accounts and applications in the Azure/M365 environments. Readers can also check out the full assortment of CISA tools on Github.

SolarWinds Orion cyberattacks

Back in December, CISA issued a warning about the SolarWinds compromise that posed a ‘grave risk’ to critical infrastructure, government and private sector organizations.

The alert was published shortly after a major supply chain attack on SolarWinds Orion Platform software. It was later surmised that the SolarWinds compromise may have led to the breach of thousands of SolarWinds customers within the federal and private sectors.

Azure/M365 cyberattacks

In early January, CISA first published an alert related to an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. These same bad actors were also spotted using additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations

CISA first observed APT actors gained access to their victims’ enterprise networks via compromised SolarWinds Orion products.

However, the security experts further learned hackers also used other threat vectors to gain access to on-premise systems, such as: password guessing, password spraying and privilege escalation (where an attacker moves from user context to administrator rights). As a result, the actors could then move laterally to move laterally to Microsoft Cloud environments.

Related Articles