Mandiant researchers identify a range of victims affected in attacks targeting newly reported Microsoft Exchange Server vulnerabilities.

Attackers targeting four critical Microsoft Exchange Server zero-days patched this week hit a range of organizations across retail, government, and higher education, report the Mandiant researchers who today published their observations of the exploit activity.

Microsoft, which issued fixes for the vulnerabilities on March 2, says they have been used in “limited and targeted” attacks against law firms, infectious disease researchers, defense contractors, policy think tanks, and other victims. It attributes the exploits with high confidence to a group it calls Hafnium, which it believes is state-sponsored and operates out of China.

Mandiant began to see instances of abuse of Microsoft Exchange Server in at least one client environment starting in January, researchers write in their report. Their observations included creation of Web shells for persistent access, remote code execution, and reconnaissance for endpoint security tools. In response, they built threat-hunting campaigns to detect attacker activity on Exchange Server.

“While the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange,” they explain in the blog post.

Researchers are now tracking this activity in three clusters (UNC2639, UNC2640, and UNC2643), and Mandiant predicts the number of clusters will grow as it detects more attacks. So far, the team has detected a range of victims including US-based retailers, local governments, a university, and an engineering firm; the writeup notes that potential victims may also include a Southeast Asian government and a Central Asian telecom company.

Businesses are urged to patch the vulnerabilities immediately.

Read Mandiant’s full blog post for more details on its observations.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance, explains the company’s approach to keeping its customers and the industry apprised and updated on its findings from the now-infamous attack.

In the wake of a widespread cyberattack, enterprise IT providers can play a key role in how businesses learn about and mitigate the security threat. That role has evolved as attacks grow more complex – and it presents a tricky challenge when a provider must keep businesses informed of an attack that has infiltrated its own walls and affected tens of thousands of its customers, as Microsoft experienced during the recent SolarWinds incident.

“A lot of the way it [the role] has changed is in the face of ever-increasing complexity and impact,” says Rob Lefferts, corporate vice president for Microsoft 365 Security in Security and Compliance.

Microsoft faced this precise challenge a few months ago, following the major supply chain attack that initially targeted SolarWinds and distributed a backdoor Trojan to some 18,000 organizations via infected software updates. Microsoft was one of thousands affected by the tainted updates; using their access, the attackers were able to view some of its source code.

The company took steps to remediate the internal accounts that were used to view source code “in a number of code repositories.” While security experts pointed out that this access could make some steps easier for attackers, Microsoft maintained that there was no increase in risk. The company has since reported there is no evidence that attackers gained extensive access to services or user data. 

Many across the industry refer to this incident as “the SolarWinds attack”; however, it’s worth noting many victims didn’t use SolarWinds at all. The same nation-state behind the malicious SolarWinds Orion updates infiltrated other organizations through their Microsoft 365 and Azure accounts. Malwarebytes also was a victim of this attack vector; Microsoft had alerted the security company to suspicious activity. 

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” officials said in a blog post on the attack.

It’s one of many attacks to take advantage of Microsoft applications: criminals have begun to target Microsoft 365 accounts as quickly as businesses adopt the platform. And as security pros point out, many of these tactics could be avoided by simply turning on features built into Office 365 Enterprise plans – the problem is, attackers seem to know the suite better than defenders do. Some are abusing features that IT admins don’t know exist.

As Microsoft investigated the extent of this attack on its own internal systems, researchers had the added responsibility of sharing intelligence that could be helpful to other organizations that may have also been infected. This took the form of more than a dozen blog posts in which internal Microsoft analysts published information about the SolarWinds attack as they learned it.

“We had a … pretty aggressive all-hands-on-deck approach of, ‘We’re going to take all the information that we get and make it digestible and publish it on our blog and share that,’” Lefferts says.

The company last week released a free tool businesses can use to check their software for signs of the SolarWinds attack – the same queries Microsoft used to discover the malware in its own code. Prior to that, it released information it discovered on how attackers activated a second stage payload. Its latest blog post, published this week, details three new types of malware being used in late-stage activity by the threat it now refers to as “Nobelium.”

Threat intelligence-sharing following an attack isn’t new for Microsoft or other large IT providers, but this attack marked “a difference in scale” for its response, Lefferts points out. The size and complexity of the SolarWinds incident meant analysts had to take a deep dive into threat data, learn what was happening, make it accessible, and share it with other organizations.

“The reason that SolarWinds might’ve felt a little different was because of the amount of information and the gravity and significance of it for the industry,” he explains, adding that “we went all the way from overview material to ‘here’s the query, go hunt for this in your environment,’ and [businesses] were really able to take advantage of that.” 

In addition to amplifying the amount of information Microsoft shared, this incident amplified businesses’ concerns and questions around security posture. Lefferts says he has had more conversations about identity, and Security Assertion Markup Language (SAML) in particular, after the attack. Many are also understandably worried about how to detect and respond to this type of attack; however, oftentimes they’re more worried about one than the other.

“Sometimes the way these events happen causes people to get excited about ‘I just need better detection after the fact,’” he explains, and they don’t think enough about preventing successful attacks in the first place. Some are preoccupied with detection but fail to think about response.

On a broader level, Lefferts says a component of enterprise education is building tools that can help information security teams do their jobs as security threats grow in size and complexity.

“There’s this scale problem that’s sort of endemic to technology – but thinking about security in particular, there’s this real need to make sure that we directly help people because it is hard to hire and train the expertise that they need,” he adds.

As an example, Lefferts describes Microsoft 365 Defender Threat Analytics, released this week in public preview. The tool is a set of reports meant to give security teams multiple perspectives on what’s going on in their environment, as well as steps they should take to address incidents that arise. 

“Security is the number one concern IT leaders and CIOs have when they move to the cloud,” says Sid Nag, vice president in Gartner’s Technology and Service Provider Group, referencing a Gartner study. Many organizations have “full faith” in their cloud providers to address security, putting pressure on providers like Microsoft to strengthen their focus on it.

The pressure increases as more organizations move toward multi-cloud environments, he continues. As more businesses use multiple clouds at the same time, it calls into question how their security model is transposed across different cloud estates. Nag says the onus is on cloud providers, not business customers, to determine the right approach and offer solutions that companies need.

“The reality is that cloud is … a journey for most organizations,” Nag explains. “There’s plenty of workloads and applications that are still sitting on prem that have not been moved to the cloud. As these workloads, especially the complex ones, move to the cloud, the challenges arise.” 

Cross-Industry Collaboration Can Drive Education

A key lesson learned in the aftermath of SolarWinds was the importance of the security industry working together to share information on threats in a broader effort to educate businesses and the public – a point Microsoft president Brad Smith emphasized in his written testimony for last week’s Senate hearing on the SolarWinds incident.

“Today, too many cyberattack victims keep information to themselves,” Smith wrote. “We will not solve this problem through silence. It’s imperative for the nation that we encourage and sometimes even require better information-sharing about cyberattacks.”

Smith pointed out how the reason organizations know of this attack is because FireEye, which first detected the activity, was open about what it found in its systems. Without this level of transparency, he said, “we would likely still be unaware of this campaign.” In his testimony, Smith called for a national strategy to improve how threat intelligence is shared across the security community, as well as the need for clear disclosure requirements in the private sector.

“There’s some places I do feel that it’s important for the security industry to take a step back and think about how this [attack] impacts the work that we do,” Lefferts says. “Most of the conclusions we have drawn have been to accelerate things that we were already working on.”

One of these projects was the implementation of zero trust, especially in a work-from-home environment, as well as new technologies like extended detection and response (XDR), which provides businesses with visibility across their endpoints, network, and cloud environments, he adds.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …


Enterprise Vulnerabilities (from DHS/US-CERT’s National Vulnerability Database)

CVE-2021-26814, published 2021-03-06: Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc…

Published 2021-03-05: The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.

Published 2021-03-05: Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.

Published 2021-03-05: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

Published 2021-03-05: The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.

Patch management and testing are different, exactly the same, and completely out of hand. Here are tips from the experts on how to wrangle patches in a time of malicious software updates.

(image by Barbara Helgason, via Adobe Stock)

“If you didn’t already know that patching introduces risk, well…now you know,” says Brad Causey, CEO of security consulting and penetration testing firm Zero Day Consulting.

Causey is referring of course to the recent attack on SolarWinds that shook the industry. Software updates for SolarWinds’ Orion network management software were used to distribute the Sunburst/Solarigate backdoor Trojan to some 18,000 organizations worldwide. (Note: SolarWinds is, itself, also a provider of third-party patch management services. However, those services do not appear to have been affected by the recent attacks.) 

“We’re introducing risk by trying to reduce risk,” Causey says.

This isn’t a new thing, though, he says, and testing patches before deployment is standard best practice. Yet patch testing is generally done to avoid operational snafus, not security threats: it’s meant to spot a code library change that prevents three other applications from running, not a backdoor Trojan.

With the Sunburst/Solarigate attacks fresh in mind, though, is it time to revamp patch testing procedures? How can enterprise infosec teams tackle patch management securely? Here’s advice from security experts on what to do now.

Be Realistic.

Causey and others say that a supply chain attack on the scale and sophistication of SolarWinds is harrowing, but it doesn’t mean that enterprises need to completely reinvent patch management. Rather, IT teams just need to do some of the best practices they should have been doing all along. After all, the National Institute of Standards and Technology (NIST) lays out highly detailed guidelines on patch management in SP 800-40.

The trouble is, SP 800-40 was last updated eight years ago, and by NIST’s own reckoning, the number of vulnerabilities per year has tripled since then.

“We patch all the time. We’re always patching,” says John Pironti, president of cybersecurity and risk consultancy IP Architects LLC.

Security hygiene, including patching, is an essential part of defense, says Pironti. Nevertheless, he says, “We’re fooling ourselves if we think we can defend ourselves against a nation-state attack [like the SolarWinds incident] while continuing to release code at the speed we do.”

Curtis Franklin, senior analyst of enterprise security management at Omdia, says companies must have patch management technology to help automate the process now, “because it’s gotten really beyond human-scale at this point.” 

Keep Trusting Patches. But… 

Despite the recent high-profile example of a malicious software update, Pironti says companies should not shy away from deploying updates.

“I think we would be doing ourselves a disservice if we started distrusting patches,” he says. “I’d rather trust my vendors than question them when there’s an exploit in the wild.”

He does, however, say it’s fair to ask for better security hygiene in the software development lifecycle. 

…Ask Software to Be More Trustworthy

“We’ve been trained as a society to accept flawed code,” says Pironti. While regulations mandate that some industries’ products meet certain safety and quality standards, enterprise software is largely unregulated. Pironti thinks that at some point this may change. “You can’t let [software companies] be the barometers of what’s acceptable and unacceptable risk,” he says.

In the meantime, he suggests companies ask software vendors and service providers one question before any purchase: What are you doing to ensure the integrity of your third-party code?

Create a Testing Environment That’s a Reasonable Representation of Reality.

In an ideal world, your testing environment would be a perfect mirror image of your production environment. It would represent every device, running every version of every operating system version, and every application, in every complex configuration that might be running in your environment at the time.

“And you’d have to invest in all that equipment nobody’s using, and pay someone to maintain it, right?” points out Causey.

More realistic and affordable, though, he says, is to create a testing environment that accurately represents the systems that are the most critical — those that are used by the widest number of users, or most critical to daily operations, or that touch the most sensitive data.  

Omdia’s Franklin says that many companies succeed in creating a test environment that represents the lion’s share of their endpoints. “The trouble is with their edge cases,” he says.

Those edge cases might not be a problem. Until they are.

Franklin lays out an example:

It might be the system that prints out the bills of lading for the trucks leaving your manufacturing facility. And it runs a dot-matrix printer that has been cranking along since 1997. And Charlie at the freight yard knows how to hit the buttons on his Windows 98 computer to make it print all these bills of lading to keep things flowing out. And you’ve decided that it’s simply impossible to retrain Charlie down in shipping. So you’re not going to. 

And it was fine when Charlie was getting hand-written notes and typing them in. But sometime a few years ago your SAP rep said ‘ya know we can put a connector that goes from SAP to Charlie’s desktop.’ So now Charlie’s Windows 98 desktop has a link back — probably through the Internet — to your SAP instance.

Now, all of a sudden, Charlie’s Windows 98 machine is a vulnerability. … My guess is you don’t have a Windows 98 machine in your [testing] lab. So even if [Microsoft] released an out-of-band patch for Windows 98, you couldn’t test it.

You’re going to have some cases like that. And they get far more numerous and bizarre in healthcare.

Franklin says most companies widely use sandboxing. “But if they’re honest with themselves, they know that they can’t sandbox everything. If they’re doing it right, though, they know what they can’t sandbox.”

Use the Right Tool for the Job.

Identifying those fringe cases requires help. There are many types of technologies that will allow enterprises to locate and organize those IT assets and a wide variety of tools that help make patch management smoother. For example:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …



Cybersecurity researchers on Thursday disclosed two distinct design and implementation flaws in Apple’s crowdsourced Bluetooth location tracking system that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, thereby deanonymizing users.

The findings are a consequence of an exhaustive review undertaken by the Open Wireless Link (OWL) project, a team of researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt, Germany, who have historically taken apart Apple’s wireless ecosystem with the goal of identifying security and privacy issues.

Following the disclosures on July 2, 2020, Apple is said to have partially addressed the issues, the researchers stated. Citing the privacy implications of the analysis, they used only their own data for the study.

How Find My Works

Apple devices come with a feature called Find My that makes it easy for users to locate other Apple devices, including iPhone, iPad, iPod touch, Apple Watch, Mac, or AirPods. With the upcoming iOS 14.5, the company is expected to add support for Bluetooth tracking devices — called AirTags — that can be attached to items like keys and wallets, which in turn can be used for tracking purposes right from within the Find My app.

What’s more interesting is the technology that undergirds Find My. Called offline finding and introduced in 2019, the location tracking feature broadcasts Bluetooth Low Energy (BLE) signals from Apple devices, allowing other Apple devices in close proximity to relay their location to Apple’s servers.

Put differently, offline finding turns every mobile device into a broadcast beacon whose movements can be shadowed through a crowdsourced location tracking mechanism that is both end-to-end encrypted and anonymous, so much so that no third party, including Apple, can decrypt those locations and build a history of every user’s whereabouts.

This is achieved via a rotating key scheme: each device generates a public-private key pair and encodes the public key in the Bluetooth signals it emits. This key information is subsequently synchronized via iCloud with all other Apple devices linked to the same user (i.e., the same Apple ID).

A nearby iPhone or iPad (with no connection to the original offline device) that picks up this message checks its own location, then encrypts the information using the aforementioned public key before sending it to the cloud along with a hash of the public key.

In the final step, Apple sends this encrypted location of the lost device to a second Apple device signed in with the same Apple ID: the companion device uploads the same hash of the public key to find a match on Apple’s servers, and the owner can then use the Find My app to decrypt the reports with the corresponding private key and retrieve the last known location.

Issues with Correlation and Tracking

Since the approach follows a public key encryption (PKE) setup, even Apple cannot decrypt the location as it’s not in possession of the private key. While the company has not explicitly revealed how often the key rotates, the rolling key pair architecture makes it difficult for malicious parties to exploit the Bluetooth beacons to track users’ movements.

But OWL researchers said the design allows Apple, in its role as the service provider, to correlate different owners’ locations if their locations are reported by the same finder devices, effectively allowing Apple to construct what they call a social graph.
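The offline-finding flow described above (rotating key pair, finder encrypting its own location to the advertised public key, lookup by hash of that key) and the correlation concern just raised, as an added Python simulation that is not Apple’s code or the OWL project’s: the toy group parameters, the hybrid cipher built from SHA-256 and HMAC, and the `Server`/`OwnerDevice` names are illustrative assumptions, not Apple’s real construction.

```python
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

# Toy group for illustration only: 2**127 - 1 is a Mersenne prime, generator 3.
# Apple's real parameters are assumed to differ; nothing here is production-grade.
P = 2 ** 127 - 1
G = 3

def keygen():
    """Return a (private, public) pair; the device makes one per key rotation."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def key_hash(pk):
    """Hash of the public key: the only identifier Apple's server handles."""
    return hashlib.sha256(pk.to_bytes(16, "big")).hexdigest()

def _stream(key, n):
    """Counter-mode keystream from SHA-256 (stand-in for a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_to(pk, plaintext):
    """Hybrid public-key encryption: ephemeral DH share, keystream, HMAC tag."""
    esk, epk = keygen()
    k = hashlib.sha256(pow(pk, esk, P).to_bytes(16, "big")).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(k, len(plaintext))))
    tag = hmac.new(k, epk.to_bytes(16, "big") + ct, "sha256").digest()
    return {"epk": epk, "ct": ct, "tag": tag}

def decrypt_with(sk, blob):
    """Only the holder of the matching private key can open a report."""
    k = hashlib.sha256(pow(blob["epk"], sk, P).to_bytes(16, "big")).digest()
    tag = hmac.new(k, blob["epk"].to_bytes(16, "big") + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong key or tampered report")
    return bytes(a ^ b for a, b in zip(blob["ct"], _stream(k, len(blob["ct"]))))

class Server:
    """Apple's side: indexes reports by key hash and never holds a private key."""
    def __init__(self):
        self.reports = defaultdict(list)  # key_hash -> [encrypted report, ...]
        self.seen_by = defaultdict(set)   # finder id -> {key_hash, ...}

    def upload(self, finder_id, kh, blob):
        self.reports[kh].append(blob)
        self.seen_by[finder_id].add(kh)

    def fetch(self, kh):
        return self.reports.get(kh, [])

    def co_reported_hashes(self):
        """What the server learns with no decryption at all: which advertisement
        keys the same finder reported (the OWL 'social graph' concern)."""
        return {f: sorted(khs) for f, khs in self.seen_by.items() if len(khs) > 1}

class OwnerDevice:
    """The lost device: rotates key pairs and advertises only the public half."""
    def __init__(self, rotations=3):
        self.keys = [keygen() for _ in range(rotations)]  # synced via iCloud in practice

    def beacon(self, epoch):
        return self.keys[epoch][1]

    def locate(self, server):
        """Companion device: query by key hash, decrypt with the private key."""
        found = []
        for sk, pk in self.keys:
            for blob in server.fetch(key_hash(pk)):
                found.append(json.loads(decrypt_with(sk, blob)))
        return found

def finder_report(server, finder_id, finder_location, beacon_pk):
    """A passer-by's iPhone: encrypts its own location to the beacon's key."""
    blob = encrypt_to(beacon_pk, json.dumps(finder_location).encode())
    server.upload(finder_id, key_hash(beacon_pk), blob)

def run_scenario():
    """Constructed sample: one finder passes two lost devices, another passes one."""
    server = Server()
    alice, bob = OwnerDevice(), OwnerDevice()
    finder_report(server, "finder-1", {"lat": 49.87, "lon": 8.65}, alice.beacon(1))
    finder_report(server, "finder-1", {"lat": 49.87, "lon": 8.65}, bob.beacon(1))
    finder_report(server, "finder-2", {"lat": 52.52, "lon": 13.40}, alice.beacon(2))
    return server, alice, bob

if __name__ == "__main__":
    srv, a, b = run_scenario()
    print(a.locate(srv), srv.co_reported_hashes())
```

The server can hand each owner only ciphertext, yet `co_reported_hashes()` still links the two owners' advertisement keys through the shared finder, which is the correlation the researchers describe.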

“Law enforcement agencies could exploit this issue to deanonymize participants of (political) demonstrations even when participants put their phones in flight mode,” the researchers said, adding “malicious macOS applications can retrieve and decrypt the [offline finding] location reports of the last seven days for all its users and for all of their devices as cached rolling advertisement keys are stored on the file system in cleartext.”

In other words, the macOS Catalina vulnerability (CVE-2020-9986) could allow an attacker to access the decryption keys, using them to download and decrypt location reports submitted by the Find My network, and ultimately locate and identify their victims with high accuracy. The weakness was patched by Apple in November 2020 (version macOS 10.15.7) with “improved access restrictions.”

A second outcome of the investigation is an app that’s designed to let any user create an “AirTag.” Called OpenHaystack, the framework allows for tracking personal Bluetooth devices via Apple’s massive Find My network, enabling users to create their own tracking tags that can be appended to physical objects or integrated into other Bluetooth-capable devices.

This is not the first time researchers from Open Wireless Link (OWL) have uncovered flaws in Apple’s closed-source protocols by means of reverse engineering.

In May 2019, the researchers disclosed vulnerabilities in Apple’s Wireless Direct Link (AWDL) proprietary mesh networking protocol that permitted attackers to track users, crash devices, and even intercept files transferred between devices via man-in-the-middle (MitM) attacks.

This was later adapted by Google Project Zero researcher Ian Beer to uncover a critical “wormable” iOS bug last year that could have made it possible for a remote adversary to gain complete control of any Apple device in the vicinity over Wi-Fi.

As cloud computing continues to grow, Google Cloud is quickly becoming one of the most popular solutions.

However, relatively few engineers know this platform well.

This leaves the door open for aspiring IT professionals who take the official exams.

The Google Cloud Certifications Practice Tests + Courses Bundle helps you get certified faster, with 43 hours of video content and over 1,000 practice questions.

It covers seven Google exams, providing all the prep you could possibly need.

You would normally expect to pay $639 for this training, but ‘The Hacker News’ has put together an eye-catching deal with Whizlabs Learning Center.

Special Offer: For a limited time, you can pick up all the content mentioned above for just $29.99 with this bundle. That means you save over $600 on the full price!

As the demand for cloud computing experts grows, salaries are increasing.

According to Glassdoor, engineers earn $117,785 a year on average.

This bundle helps you join the gold rush, with seven courses working towards Google Certified Professional exams: Cloud Architect, Cloud Security Engineer, Data Engineer, Cloud Network Engineer, and Cloud Developer.

The courses cover everything you need to know to pass the test, along with plenty of practical knowledge. Just as importantly, you get practice exams to hone your skills.

The training comes from Whizlabs Learning Center, which has helped over 3 million students in the past 17 years.

Want to get started? Grab the training today to save 95% on lifetime access!


In what’s a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year.

The intrusion is said to have occurred on March 3, with information about the forum members — including usernames, email addresses, and hashed passwords — publicly disclosed on a breach notification page put up by the attackers, stating “Your data has been leaked” and “This forum has been hacked.”

“The announcement was accompanied by a PDF file allegedly containing a portion of forum user data. The file comprised more than 3,000 rows, containing usernames, partially obfuscated password hashes, email addresses and other contact details,” cybersecurity firm Intel 471 said.

Originally called Mazafaka, Maza is an elite, invite-only Russian-language cybercrime forum known to be operational as early as 2003, acting as an exclusive online space for exploit actors to trade ransomware-as-a-service tools and conduct other forms of illicit cyber operations.

The development comes close on the heels of successful breaches of other forums, including Verified, Crdclub, and Exploit.

Verified is said to have been breached on January 20, 2021, with the actor behind the attack claiming access to the entire database on another popular forum called Raid Forums, besides transferring $150,000 worth of cryptocurrency from Verified’s bitcoin wallet to their own. The forum, however, staged a return last month on February 18 with a change in ownership, according to Flashpoint.

Then, in February, a cybercrime forum by the name of Crdclub disclosed an attack that resulted in the compromise of an administrator account, with the goal of defrauding its members. No other personal information appears to have been plundered.

“By doing so, the actor behind the attack was able to lure forum customers to use a money transfer service that was allegedly vouched for by the forum’s admins,” Intel 471 said. “That was a lie, and resulted in an unknown amount of money being diverted from the forum.”

Lastly, earlier this week, the Exploit cybercrime forum sustained an attack that involved an apparent compromise of a proxy server used for safeguarding the forum from distributed denial-of-service (DDoS) attacks.

Details are fuzzy as to the perpetrators of the attacks, with forum members speculating that it could be the work of a government intelligence agency, while also distressing over the possibility that their real-world identities could be exposed in the wake of the leaks.

Flashpoint researchers noted that the Russian sentences on the Maza forum’s notification page were possibly translated using an online translator, but added it’s unclear if this implies the involvement of a non-Russian speaking actor or if it was deliberately used to mislead attribution.

“While Intel 471 isn’t aware of anyone claiming responsibility for the breaches, whoever is behind the actions has indirectly given researchers an advantage,” the company concluded. “Any information unearthed from the breaches aids in the fight against these criminals due to the added visibility it gives security teams who are tracking actors that populate these forums.”

FireEye and Microsoft on Thursday said they discovered three more malware strains in connection with the SolarWinds supply-chain attack, including a “sophisticated second-stage backdoor,” as the investigation into the sprawling espionage campaign continues to yield fresh clues about the threat actor’s tactics and techniques.

Dubbed GoldMax (aka SUNSHUTTLE), GoldFinder, and Sibot, the new set of malware adds to a growing list of malicious tools such as Sunspot, Sunburst (or Solorigate), Teardrop, and Raindrop that were stealthily delivered to enterprise networks by alleged Russian operatives.

“These tools are new pieces of malware that are unique to this actor,” Microsoft said. “They are tailor-made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials or the SolarWinds binary and after moving laterally with Teardrop and other hands-on-keyboard actions.”

Microsoft also took the opportunity to name the actor behind the attacks against SolarWinds as NOBELIUM, which is also being tracked under different monikers by the cybersecurity community, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).

While Sunspot was deployed into the build environment to inject the Sunburst backdoor into SolarWinds’s Orion network monitoring platform, Teardrop and Raindrop have been primarily used as post-exploitation tools to laterally move across the network and deliver the Cobalt Strike Beacon.

Spotted between August and September 2020, SUNSHUTTLE is a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to receive commands to download and execute files, upload files from the system to the server, and execute operating system commands on the compromised machine.

For its part, FireEye said it observed the malware at a victim compromised by UNC2452, but added it hasn’t been able to fully verify the backdoor’s connection to the threat actor. The company also stated it discovered SUNSHUTTLE in August 2020 after it was uploaded to a public malware repository by an unnamed U.S.-based entity.

One of the most notable features of GoldMax is the ability to cloak its malicious network traffic with seemingly benign traffic by pseudo-randomly selecting referrers from a list of popular website URLs for decoy HTTP GET requests pointing to C2 domains.

“The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its ‘blend-in’ traffic capabilities for C2 communications,” FireEye detailed. “SUNSHUTTLE would function as a second-stage backdoor in such a compromise for conducting network reconnaissance alongside other Sunburst-related tools.”

GoldFinder, also written in Go, is an HTTP tracer tool for logging the route a packet takes to reach a C2 server. In contrast, Sibot is a dual-purpose malware implemented in VBScript that’s designed to achieve persistence on infected machines before downloading and executing a payload from the C2 server. Microsoft said it observed three obfuscated variants of Sibot.

Even as the different pieces of the SolarWinds attack puzzle fall into place, the development once again underscores the scope and sophistication of the range of methods used to penetrate, propagate, and persist in victim environments.

“These capabilities differ from previously known NOBELIUM tools and attack patterns, and reiterate the actor’s sophistication,” Microsoft said. “In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams.”

Business-related applications like those from Microsoft, Zoom, and DocuSign are most often impersonated in brand phishing attacks.

Criminals launching impersonation phishing attacks prefer to spoof business-related apps from Microsoft, Zoom, and DocuSign, researchers report in a new email security survey.

Enterprise applications are spoofed in 45% of impersonation phishing attacks, GreatHorn researchers say. Social media-related apps such as Facebook, LinkedIn, and Twitter are seen in 34% of these attacks, and consumer apps such as Amazon and PayPal are seen in 20%, they note.

Email security is the top priority for IT and security teams this year, they report, but only 9% of respondents are most worried about brand impersonation attacks. Most (22%) say their greatest concern is people impersonation attacks, in which fraudsters send emails pretending to come from executives, vendors, or human resources or finance teams. Other top concerns include payload attacks (21%) and wire transfer requests (14%). 

It’s worth noting that phishing campaigns rarely use one technique, researchers say. More common are multipronged attacks that may prompt an email recipient to click a link and/or download an attachment, all while pretending to be from a person or brand.

Access the full report here for more details.
