Security Alerts

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Stored Cross-Site Scripting Vulnerabilities

Cisco Security Advisories - Wed, 2021-01-13 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

The vulnerabilities are due to insufficient input validation by the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-stored-xss-LPTQ3EQC


Security Impact Rating: Medium
CVE: CVE-2021-1151,CVE-2021-1152,CVE-2021-1153,CVE-2021-1154,CVE-2021-1155,CVE-2021-1156,CVE-2021-1157,CVE-2021-1158
Categories: Security Alerts

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities

Cisco Security Advisories - Wed, 2021-01-13 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. 

The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device.

Cisco has not released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U


Security Impact Rating: High
CVE: CVE-2021-1159,CVE-2021-1160,CVE-2021-1161,CVE-2021-1162,CVE-2021-1163,CVE-2021-1164,CVE-2021-1165,CVE-2021-1166,CVE-2021-1167,CVE-2021-1168,CVE-2021-1169,CVE-2021-1170,CVE-2021-1171,CVE-2021-1172,CVE-2021-1173,CVE-2021-1174,CVE-2021-1175,CVE-2021-1176,CVE-2021-1177,CVE-2021-1178,CVE-2021-1179,CVE-2021-1180,CVE-2021-1181,CVE-2021-1182,CVE-2021-1183,CVE-2021-1184,CVE-2021-1185,CVE-2021-1186,CVE-2021-1187,CVE-2021-1188,CVE-2021-1189,CVE-2021-1190,CVE-2021-1191,CVE-2021-1192,CVE-2021-1193,CVE-2021-1194,CVE-2021-1195,CVE-2021-1196,CVE-2021-1197,CVE-2021-1198,CVE-2021-1199,CVE-2021-1200,CVE-2021-1201,CVE-2021-1202,CVE-2021-1203,CVE-2021-1204,CVE-2021-1205,CVE-2021-1206,CVE-2021-1207,CVE-2021-1208,CVE-2021-1209,CVE-2021-1210,CVE-2021-1211,CVE-2021-1212,CVE-2021-1213,CVE-2021-1214,CVE-2021-1215,CVE-2021-1216,CVE-2021-1217,CVE-2021-1307,CVE-2021-1360
Categories: Security Alerts

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities

Cisco Security Advisories - Wed, 2021-01-13 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.

Cisco has not released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN


Security Impact Rating: High
CVE: CVE-2021-1146,CVE-2021-1147,CVE-2021-1148,CVE-2021-1149,CVE-2021-1150
Categories: Security Alerts

Cisco Proximity Desktop for Windows DLL Hijacking Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the loading process of specific DLLs in Cisco Proximity Desktop for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.

This vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user’s account.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-proximity-dll-UvW4VHPM


Security Impact Rating: Medium
CVE: CVE-2021-1240
Categories: Security Alerts

Cisco Enterprise NFV Infrastructure Software Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the web-based management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface.

The vulnerability is due to improper input validation of log file content stored on the affected device. An attacker could exploit this vulnerability by modifying a log file with malicious code and getting a user to view the modified log file. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-xss-smsz5Vhb


Security Impact Rating: Medium
CVE: CVE-2021-1127
Categories: Security Alerts

Cisco Finesse OpenSocial Gadget Editor Vulnerabilities

Cisco Security Advisories - Wed, 2021-01-13 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack and obtain potentially confidential information by leveraging a flaw in the authentication mechanism.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multi-vuln-finesse-qp6gbUO2


Security Impact Rating: Medium
CVE: CVE-2021-1245,CVE-2021-1246
Categories: Security Alerts

Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause an affected IP camera to reload.

The vulnerability is due to missing checks when Cisco Discovery Protocol messages are processed. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected IP camera. A successful exploit could allow the attacker to cause the affected IP camera to reload unexpectedly, resulting in a denial of service (DoS) condition.

Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipcameras-dos-9zdZcUfq


Security Impact Rating: Medium
CVE: CVE-2021-1131
Categories: Security Alerts

Cisco Firepower Management Center XML Entity Expansion Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the dashboard widget of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to improper restrictions on XML entities. An attacker could exploit this vulnerability by crafting an XML-based widget on an affected server. A successful exploit could cause increased memory and CPU utilization, which could result in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xee-DFzARDcs


Security Impact Rating: Medium
CVE: CVE-2021-1267
Categories: Security Alerts

Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerabilities

Cisco Security Advisories - Wed, 2021-01-13 16:00

Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected system.

The vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-stored-xss-djKfCzf2


Security Impact Rating: Medium
CVE: CVE-2021-1238,CVE-2021-1239
Categories: Security Alerts

Cisco Firepower Management Center Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the storage of proxy server credentials of Cisco Firepower Management Center (FMC) could allow an authenticated, local attacker to view credentials for a configured proxy server.

The vulnerability is due to clear-text storage and weak permissions of related configuration files. An attacker could exploit this vulnerability by accessing the CLI of the affected software and viewing the contents of the affected files. A successful exploit could allow the attacker to view the credentials that are used to access the proxy server.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-infodisc-RJdktM6f


Security Impact Rating: Medium
CVE: CVE-2021-1126
Categories: Security Alerts

Cisco DNA Center Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the web-based management interface of Cisco DNA Center software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need to have administrative credentials on the affected device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-xss-HfV73cS3


Security Impact Rating: Medium
CVE: CVE-2021-1130
Categories: Security Alerts

Cisco Unified Communications Products Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the audit logging component of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, Cisco Unity Connection, Cisco Emergency Responder, and Cisco Prime License Manager could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system.

The vulnerability is due to the storage of certain unencrypted credentials. An attacker could exploit this vulnerability by accessing the audit logs on an affected system and obtaining credentials that they may not normally have access to. A successful exploit could allow the attacker to use those credentials to discover and manage network devices.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-logging-6QSWKRYz


Security Impact Rating: Medium
CVE: CVE-2021-1226
Categories: Security Alerts

Cisco Connected Mobile Experiences Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.

The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k


Security Impact Rating: High
CVE: CVE-2021-1144
Categories: Security Alerts

Cisco Connected Mobile Experiences User Enumeration Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in Cisco Connected Mobile Experiences (CMX) API authorizations could allow an authenticated, remote attacker to enumerate what users exist on the system.

The vulnerability is due to a lack of authorization checks for certain API GET requests. An attacker could exploit this vulnerability by sending specific API GET requests to an affected device. A successful exploit could allow the attacker to enumerate users of the CMX system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxapi-KsKwCmfp


Security Impact Rating: Medium
CVE: CVE-2021-1143
Categories: Security Alerts

Cisco AnyConnect Secure Mobility Client Arbitrary File Read Vulnerability

Cisco Security Advisories - Wed, 2021-01-13 16:00

A vulnerability in the upgrade component of Cisco AnyConnect Secure Mobility Client could allow an authenticated, local attacker with low privileges to read arbitrary files on the underlying operating system (OS) of an affected device.

The vulnerability is due to insufficient file permission restrictions. An attacker could exploit this vulnerability by sending a crafted command from the local CLI to the application. A successful exploit could allow the attacker to read arbitrary files on the underlying OS of the affected device. The attacker would need to have valid user credentials to exploit this vulnerability.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-fileread-PbHbgHMj


Security Impact Rating: Medium
CVE: CVE-2021-1258
Categories: Security Alerts

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability

Cisco Security Advisories - Mon, 2021-01-11 19:14

A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device. 

The vulnerability is due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts. A successful exploit could allow the attacker to trigger a heap overflow condition and execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce


Security Impact Rating: High
CVE: CVE-2019-15992
Categories: Security Alerts

AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

US-CERT - Fri, 2021-01-08 08:36
Original release date: January 8, 2021
Summary

This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.

This Alert is a companion alert to AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. AA20-352A primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products as an initial access vector into networks of U.S. Government agencies, critical infrastructure entities, and private network organizations. As noted in AA20-352A, the Cybersecurity and Infrastructure Security Agency (CISA) has evidence of initial access vectors in addition to the compromised SolarWinds Orion products.

This Alert also addresses activity—irrespective of the initial access vector leveraged—that CISA attributes to an APT actor. Specifically, CISA has seen an APT actor using compromised applications in a victim’s Microsoft 365 (M365)/Azure environment. CISA has also seen this APT actor utilizing additional credentials and Application Programming Interface (API) access to cloud resources of private and public sector organizations. These tactics, techniques, and procedures (TTPs) feature three key components:

  • Compromising or bypassing federated identity solutions;
  • Using forged authentication tokens to move laterally to Microsoft cloud environments; and
  • Using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for Application Programming Interface (API)-based access.

This Alert describes these TTPs and offers an overview of, and guidance on, available open-source tools—including a CISA-developed tool, Sparrow—for network defenders to analyze their Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments to detect potentially malicious activity.

Note: this Alert describes artifacts—presented by these attacks—from which CISA has identified detectable evidence of the threat actor’s initial objectives. CISA continues to analyze the threat actor’s follow-on objectives.

Technical Details

Frequently, CISA has observed the APT actor gaining Initial Access [TA0001] to victims’ enterprise networks via compromised SolarWinds Orion products (e.g., Solorigate, Supernova).[1] However, CISA is investigating instances in which the threat actor may have obtained initial access by Password Guessing [T1110.001], Password Spraying [T1110.003], and/or exploiting inappropriately secured administrative or service credentials (Unsecured Credentials [T1552]) instead of utilizing the compromised SolarWinds Orion products.

CISA observed this threat actor moving from user context to administrator rights for Privilege Escalation [TA0004] within a compromised network and using native Windows tools and techniques, such as Windows Management Instrumentation (WMI), to enumerate the Microsoft Active Directory Federated Services (ADFS) certificate-signing capability. This enumeration allows threat actors to forge authentication tokens (OAuth) to issue claims to service providers—without having those claims checked against the identity provider—and then to move laterally to Microsoft Cloud environments (Lateral Movement [TA0008]).

The threat actor has also used on-premises access to manipulate and bypass identity controls and multi-factor authentication. This activity demonstrates how sophisticated adversaries can use credentials from one portion of an organization to move laterally (Lateral Movement [TA0008]) through trust boundaries, evade defenses and detection (Defense Evasion [TA0005]), and steal sensitive data (Collection [TA0009]).

This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering.

Mitigations

Detection

Guidance on identifying affected SolarWinds software is well documented.[2] However—once an organization identifies a compromise via SolarWinds Orion products or other threat actor TTPs—identifying follow-on activity for on-premises networks requires fine-tuned network and host-based forensics.

The nature of cloud forensics is unique due to the growing and rapidly evolving technology footprints of major vendors. Microsoft's O365 and M365 environments have built-in capabilities for detecting unusual activity. Microsoft also provides premium services (Advanced Threat Protection [ATP] and Azure Sentinel), which enable network defenders to investigate TTPs specific to the Solorigate activity.[3]

Detection Tools

CISA is providing examples of detection tools for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services does not constitute or imply their endorsement, recommendation, or favoring by CISA.

There are a number of open-source tools available to investigate adversary activity in Microsoft cloud environments and to detect unusual activity, service principals, and application activity.[4] Publicly available PowerShell tools that network defenders can use to investigate M365 and Microsoft Azure include:

  • CISA's Sparrow,
  • Open-source utility Hawk, and
  • CrowdStrike's Azure Reporting Tool (CRT).

Additionally, Microsoft's Office 365 Management API and Graph API provide an open interface for ingesting telemetry and evaluating service configurations for signs of anomalous activity and intrusion.

Note: these open-source tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing. Open source tools can be complemented by services such as Azure Sentinel, a Microsoft premium service that provides comprehensive analysis tools, including custom detections for the activity indicated.

General Guidance on Using Detection Tools
  1. Audit the creation and use of service principal credentials. Look for unusual application usage, such as use of dormant applications.
  2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships added to the Azure Active Directory.
  3. Download the interactive sign-ins from the Azure admin portal or use the Microsoft Sentinel product. Review new token validation time periods with high values and investigate whether it was a legitimate change or an attempt to gain persistence by a threat actor.
Sparrow

CISA created Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment. The tool focuses on the narrow scope of user and application activity endemic to identity- and authentication-based attacks seen recently in multiple sectors. It is neither comprehensive nor exhaustive of available data. It is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications.

CISA advises Sparrow users to take the following actions.

  1. Use Sparrow to detect any recent domain authentication or federation modifications.
    1. Domain and federation modification operations are uncommon and should be investigated.
  2. Examine logs for new and modified credentials applied to applications and service principals; delineate for the credential type. Sparrow can be used to detect the modification of service principals and application credentials.
    1. Create a timeline for all credential changes, focusing on recent wholesale changes.
    2. Review the “top actors” for activity in the environment and the number of credential modifications performed.
    3. Monitor changes in application and service principal credentials.
    4. Investigate any instances of excessive permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
  3. Use Sparrow to detect privilege escalation, such as adding a service principal, user, or group to a privileged role.
  4. Use Sparrow to detect OAuth consent and users’ consent to applications, which is useful for interpreting changes in adversary TTPs.
  5. Use Sparrow to identify anomalous Security Assertion Markup Language (SAML) token sign-ins by pivoting on the unified audit log UserAuthenticationValue of 16457, which is an indicator of how a SAML token was built and is a potential indicator for forged SAML tokens.
    1. Note that this TTP has not been the subject of significant published security research but may indicate an unusual usage of a token, such as guest access for external partners to M365 resources.
  6. Review the PowerShell logs that Sparrow exports.
    1. Review PowerShell mailbox sign-ins and validate that the logins are legitimate actions.
    2. Review PowerShell usage for users with PowerShell in the environment.
  7. Use Sparrow to check the Graph API application permissions of all service principals and applications in M365/Azure AD.
    1. Investigate unusual activity regarding Microsoft Graph API permissions (using either the legacy https://graph.windows.net/ or https://graph.microsoft.com). Graph is used frequently as part of these TTPs, often to access and manipulate mailbox resources.
  8. Review Sparrow’s listed tenant’s Azure AD domains, to see if the domains have been modified.
  9. For customers with G5 or E5 licensing levels, review MailItemsAccessed for insight into what application identification (ID) was used for accessing users’ mailboxes. Use Sparrow to query for a specific application ID using the app id investigation capability, which will check to see if it is accessing mail or file items.
    1. The MailItemsAccessed event provides auditability for mailbox data accessed via mail protocols or clients.
    2. By analyzing the MailItemsAccessed action, incident responders can determine which user mailbox items have been accessed and potentially exfiltrated by a threat actor. This event will be recorded even in some situations where the message was not necessarily read interactively (e.g., bind or sync).[5]
    3. The resulting suspicious application ID can provide incident responders with a pivot to detect other suspicious applications that require additional analysis.
    4. Check for changes to applications with regards to the accessing of resources such as mail or file items.
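The Sparrow steps above, as an added example in Python (Sparrow itself is a PowerShell tool; this is not its code) run over a constructed set of unified audit log rows: it lists federation modifications, builds a credential-change timeline with the top actors, surfaces role additions, and pivots on sign-ins carrying authentication method 16457. The row layout, the operation-name sets, and the UserAuthenticationMethod property name are assumptions about the export format and must be checked against a real tenant.

```python
import json
from collections import Counter
from datetime import datetime

# Operation names as written in the Azure AD entries of the unified audit log.
# Sparrow keys on operations like these; the sets cover only the constructed
# sample and should be extended for a real tenant.
FEDERATION_OPS = {"Set federation settings on domain.", "Set domain authentication."}
CREDENTIAL_OPS = {"Add service principal credentials.", "Remove service principal credentials."}
ROLE_OPS = {"Add member to role."}
FORGED_SAML_AUTH_METHOD = "16457"  # the indicator value named in the alert


def _row(ts, op, actor, target, extra=None):
    """One constructed UAL row; AuditData is a JSON string, as in a real export."""
    data = {"CreationTime": ts, "Operation": op, "UserId": actor, "ObjectId": target}
    data.update(extra or {})
    return {"CreationDate": ts, "UserIds": actor, "Operations": op,
            "AuditData": json.dumps(data)}


# Constructed sample: one routine change plus the events the Sparrow guidance
# says to look for (federation change, bulk credential additions, a privileged
# role assignment, and a sign-in carrying authentication method 16457).
SAMPLE_UAL = [
    _row("2021-01-04T09:15:00", "Update user.", "admin@example.com", "alice@example.com"),
    _row("2021-01-05T02:11:09", "Set federation settings on domain.", "svc-backup@example.com", "example.com"),
    _row("2021-01-05T02:14:31", "Add service principal credentials.", "svc-backup@example.com", "Mail Sync Connector"),
    _row("2021-01-05T02:15:02", "Add service principal credentials.", "svc-backup@example.com", "HR Reporting"),
    _row("2021-01-05T02:16:47", "Add member to role.", "svc-backup@example.com", "alice@example.com",
         {"ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]}),
    _row("2021-01-05T03:02:10", "UserLoggedIn", "alice@example.com", "Unknown",
         {"ClientIP": "203.0.113.7",
          "ExtendedProperties": [{"Name": "UserAuthenticationMethod", "Value": "16457"}]}),
    _row("2021-01-05T08:30:00", "UserLoggedIn", "bob@example.com", "Unknown",
         {"ClientIP": "198.51.100.20",
          "ExtendedProperties": [{"Name": "UserAuthenticationMethod", "Value": "1"}]}),
]


def parse_records(rows):
    """Decode each row's AuditData JSON and return the records in time order."""
    records = []
    for row in rows:
        data = json.loads(row["AuditData"])
        data["_when"] = datetime.fromisoformat(data["CreationTime"])
        records.append(data)
    return sorted(records, key=lambda r: r["_when"])


def ext_prop(record, name):
    """Return the value of a named ExtendedProperties entry, or None."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def federation_changes(records):
    """Step 1: domain/federation modifications are uncommon and always worth review."""
    return [(r["CreationTime"], r["UserId"], r["ObjectId"])
            for r in records if r["Operation"] in FEDERATION_OPS]


def credential_timeline(records):
    """Step 2.1: ordered (time, actor, operation, target) for credential changes."""
    return [(r["CreationTime"], r["UserId"], r["Operation"], r["ObjectId"])
            for r in records if r["Operation"] in CREDENTIAL_OPS]


def top_actors(records, n=3):
    """Step 2.2: the accounts that performed the most credential modifications."""
    actors = Counter(r["UserId"] for r in records if r["Operation"] in CREDENTIAL_OPS)
    return actors.most_common(n)


def role_additions(records):
    """Step 3: principals added to roles, with the role name for privilege review."""
    out = []
    for r in records:
        if r["Operation"] in ROLE_OPS:
            role = next((p.get("NewValue") for p in r.get("ModifiedProperties", [])
                         if p.get("Name") == "Role.DisplayName"), None)
            out.append((r["CreationTime"], r["UserId"], r["ObjectId"], role))
    return out


def saml_16457_signins(records):
    """Step 5: sign-ins whose UserAuthenticationMethod is the 16457 indicator."""
    return [(r["CreationTime"], r["UserId"], r.get("ClientIP")) for r in records
            if r["Operation"] == "UserLoggedIn"
            and ext_prop(r, "UserAuthenticationMethod") == FORGED_SAML_AUTH_METHOD]


def triage(rows):
    """Run every check above and return one summary dict for the investigator."""
    records = parse_records(rows)
    return {"federation_changes": federation_changes(records),
            "credential_timeline": credential_timeline(records),
            "top_actors": top_actors(records),
            "role_additions": role_additions(records),
            "saml_16457_signins": saml_16457_signins(records)}
```

On the sample, every flagged item traces back to the same actor inside a few minutes, which is the "recent wholesale changes" pattern the guidance asks responders to timeline.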
Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users should review login details for administrator accounts and take the following steps.

  1. Investigate high-value administrative accounts to detect anomalous or unusual activity (Global Admins).
  2. Enable PowerShell logging, and evaluate PowerShell activity in the environment not used for traditional or expected purposes.
    1. PowerShell logging does not reveal the exact cmdlet that was run on the tenant.
  3. Look for users with unusual sign-in locations, dates, and times.
  4. Check permissions of service principals and applications in M365/Azure AD.
  5. Detect the frequency of resource access from unusual places. Use the tool to pivot to a trusted application and see if it is accessing mail or file items.
  6. Review mailbox rules and recent mailbox rule changes.
CrowdStrike Azure Reporting Tool

CrowdStrike's Azure Reporting Tool (CRT) helps network defenders analyze the permissions and service configuration of their Microsoft Azure AD tenant and M365 environment. This tool has minor overlap with Sparrow; it shows unique items, but it does not cover the same areas. CISA is highlighting this tool because it is one of the only free, open-source tools available to investigate this activity and could be used to complement Sparrow.

Detection Tool Distinctions
  • Sparrow differs from CRT by looking for specific indicators of compromise associated with the recent attacks.
  • CRT focuses on the tenant’s Azure AD permissions and Exchange Online configuration settings instead of the unified audit log, which gives it a different output from Sparrow or Hawk.
  • CRT returns the same broad scope of application/delegated permissions for service principals and applications as Hawk.
  • As part of its investigation, Sparrow homes in on a narrow set of application permissions given to the Graph API, which is common to the recent attacks.
  • CRT looks at Exchange Online federation configuration and federation trust, while Sparrow focuses on listing Azure AD domains.
  • Among the items network defenders can use CRT to review are delegated permissions and application permissions, federation configurations, federation trusts, mail forwarding rules, service principals, and objects with KeyCredentials.

Detection Methods

Microsoft breaks the threat actor’s recent activity into four primary stages, which are described below along with associated detection methods. Microsoft describes these stages as beginning with all activity after the compromise of the on-premises identity solution, such as ADFS.[6]

Note: this step provides an entry vector to cloud technology environments and is unnecessary when the threat actor has compromised an identity solution or credential that allows the APT direct access to the cloud (e.g., without leveraging the SolarWinds Orion vulnerability).

Stage 1: Forging a trusted authentication token used to access resources that trust the on-premises identity provider

These attacks (often referred to as “Golden Security Assertion Markup Language” attacks) can be analyzed using a combination of cloud-based and standard on-premises techniques.[7] For example, network defenders can use OAuth claims for specific principals made at the Azure AD level and compare them to the on-premises identity.

Export sign-in logs from the Azure AD portal and look at the Authentication Method field.

Note: at portal.azure.com, click on a user and review the authentication details (e.g., date, method, result). Without Sentinel, this is the only way to get these logs, which are critical for this effort.

Detection Method 1: Correlating service provider login events with corresponding authentication events in Active Directory Federation Services (ADFS) and Domain Controllers

Using SAML single sign-on, search for any logins to service providers that do not have corresponding event IDs 4769, 1200, and 1202 in the domain.
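One way to run this correlation over exported logs, as an added example in Python that is not part of the advisory or of Sparrow/Hawk. The record layout, the value "Federated" for the Azure AD Authentication Method field, the 15-minute look-back window and all sample records are constructed assumptions; adjust them to your own exports.

```python
"""Detection Method 1: find service-provider (SP) sign-ins that have no
corresponding on-premises authentication trail (ADFS 1200/1202, DC 4769)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Event IDs named in the advisory: 4769 = Kerberos service ticket requested
# (domain controller), 1200 = ADFS issued a token, 1202 = ADFS validated a
# credential.  A SAML login at the SP with none of these behind it is the
# signature of a token minted outside ADFS (Golden SAML).
ONPREM_AUTH_EVENT_IDS = {4769, 1200, 1202}


@dataclass(frozen=True)
class OnPremEvent:
    event_id: int
    user: str          # bare account name in the constructed samples
    time: datetime


@dataclass(frozen=True)
class SpSignIn:
    user: str
    time: datetime
    app: str           # service provider / resource the token was presented to
    auth_method: str   # Azure AD sign-in log "Authentication Method" field


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def find_orphan_sp_signins(signins, onprem_events, window=timedelta(minutes=15)):
    """Return the federated SP sign-ins that have no 4769/1200/1202 event for
    the same user in the `window` leading up to the sign-in."""
    times_by_user = {}
    for ev in onprem_events:
        if ev.event_id in ONPREM_AUTH_EVENT_IDS:
            times_by_user.setdefault(ev.user.lower(), []).append(ev.time)
    orphans = []
    for s in signins:
        # Only federated (SAML) sign-ins pass through ADFS; other methods
        # never produce 1200/1202 and would only create false positives.
        if s.auth_method.lower() != "federated":
            continue
        candidates = times_by_user.get(s.user.lower(), [])
        if not any(s.time - window <= t <= s.time for t in candidates):
            orphans.append(s)
    return orphans


# Constructed sample data (not real log exports).
SAMPLE_ONPREM_EVENTS = [
    OnPremEvent(4769, "alice", _utc("2020-12-14T09:00:02")),  # DC ticket for ADFS
    OnPremEvent(1200, "alice", _utc("2020-12-14T09:00:05")),  # ADFS issued a token
    OnPremEvent(4769, "carol", _utc("2020-12-14T11:00:00")),  # too early for her SP login
    OnPremEvent(1202, "dave", _utc("2020-12-14T15:20:00")),
]

SAMPLE_SIGNINS = [
    SpSignIn("alice", _utc("2020-12-14T09:00:20"), "Exchange Online", "Federated"),
    SpSignIn("bob", _utc("2020-12-14T13:05:00"), "Exchange Online", "Federated"),    # no ADFS/DC trail at all
    SpSignIn("carol", _utc("2020-12-14T11:30:00"), "SharePoint Online", "Federated"),  # trail is 30 min old
    SpSignIn("dave", _utc("2020-12-14T15:20:30"), "Exchange Online", "Federated"),
    SpSignIn("erin", _utc("2020-12-14T16:00:00"), "Exchange Online", "Password Hash Sync"),  # not federated
]


def orphan_users(signins=SAMPLE_SIGNINS, onprem_events=SAMPLE_ONPREM_EVENTS):
    """Names of the users whose federated SP sign-ins lack an on-prem trail."""
    return [s.user for s in find_orphan_sp_signins(signins, onprem_events)]


if __name__ == "__main__":
    for s in find_orphan_sp_signins(SAMPLE_SIGNINS, SAMPLE_ONPREM_EVENTS):
        print(f"REVIEW: {s.user} -> {s.app} at {s.time:%Y-%m-%d %H:%M:%S}Z: "
              "no ADFS/DC authentication event in the prior 15 minutes")
```

Clock skew between the ADFS servers, domain controllers and the Azure AD export is the usual source of noise here; widen the window before trusting a miss.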

Detection Method 2: Identifying certificate export events in ADFS

Look for:

  1. The IP address and Activity_ID in EventCode 410 and the Activity_ID and Instance_ID in EventCode 500.
  2. Export-PfxCertificate or certutil -exportPFX in Event IDs 4103 and 4104, which may indicate use of a certificate extraction technique.
  3. Detect certificate extraction with ADFSdump by using Sysmon Event ID 18 with the pipe name \microsoft##wid\tsql\query (exclude processes that regularly make this pipe connection on the machine).
  4. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same instance ID for change details (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event).
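Items 2 and 3 above as detection logic over exported Windows events, added here as an example in Python that is not part of the advisory or of any of the tools it names. The event dictionaries, the host name and the pipe-client allowlist are constructed; the allowlist in particular must come from a baseline of your own ADFS host.

```python
"""Detection Method 2: hunt for ADFS signing-certificate extraction in
PowerShell logs (Event IDs 4103/4104) and for Windows Internal Database (WID)
named-pipe connections from unexpected processes (Sysmon Event ID 18)."""
import re

# The cmdlet and the certutil switch the advisory names for certificate export.
CERT_EXPORT_RE = re.compile(
    r"Export-PfxCertificate|certutil(?:\.exe)?\b[^\r\n]*?-exportPFX", re.IGNORECASE
)

# Named pipe of the WID instance that stores the ADFS configuration; ADFSdump-
# style tools read the signing certificate through it.
WID_PIPE = r"\microsoft##wid\tsql\query"

# Constructed allowlist of images that legitimately open the WID pipe on an
# ADFS host.  Build yours from Sysmon 18 events over a known-quiet period.
DEFAULT_PIPE_ALLOWLIST = {
    r"c:\windows\adfs\microsoft.identityserver.servicehost.exe",
}


def hunt_cert_extraction(events, pipe_allowlist=DEFAULT_PIPE_ALLOWLIST):
    """`events` are dicts shaped like a flattened Windows event export.
    Returns (finding_type, computer, detail) tuples in event order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in (4103, 4104):
            # 4104 carries the script block text; 4103 carries the pipeline
            # payload (command invocation and parameters).  Scan whichever
            # field the record has.
            text = ev.get("ScriptBlockText") or ev.get("Payload") or ""
            m = CERT_EXPORT_RE.search(text)
            if m:
                findings.append(("cert_export", ev["Computer"], m.group(0)))
        elif eid == 18 and ev.get("Provider") == "Microsoft-Windows-Sysmon":
            if ev.get("PipeName", "").lower() != WID_PIPE.lower():
                continue
            image = ev.get("Image", "")
            if image.lower() in pipe_allowlist:
                continue  # a regular pipe client on this host, per the baseline
            findings.append(("wid_pipe_access", ev["Computer"], image))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ADFS01", "Provider": "Microsoft-Windows-PowerShell",
     "ScriptBlockText": r"Get-ChildItem Cert:\LocalMachine\My | Export-PfxCertificate -FilePath C:\Users\Public\adfs.pfx -Password $pw"},
    {"EventID": 4103, "Computer": "ADFS01", "Provider": "Microsoft-Windows-PowerShell",
     "Payload": 'CommandInvocation(Get-AdfsProperties): "Get-AdfsProperties"'},
    {"EventID": 4104, "Computer": "ADFS01", "Provider": "Microsoft-Windows-PowerShell",
     "ScriptBlockText": r"certutil -p Passw0rd -exportPFX my <THUMBPRINT-PLACEHOLDER> C:\Users\Public\sts.pfx"},
    {"EventID": 18, "Computer": "ADFS01", "Provider": "Microsoft-Windows-Sysmon",
     "PipeName": r"\microsoft##wid\tsql\query", "Image": r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe"},
    {"EventID": 18, "Computer": "ADFS01", "Provider": "Microsoft-Windows-Sysmon",
     "PipeName": r"\microsoft##wid\tsql\query", "Image": r"C:\Users\Public\tools\ADFSDump.exe"},
    {"EventID": 18, "Computer": "ADFS01", "Provider": "Microsoft-Windows-Sysmon",
     "PipeName": r"\lsass", "Image": r"C:\Windows\System32\svchost.exe"},
]


if __name__ == "__main__":
    for kind, host, detail in hunt_cert_extraction(SAMPLE_EVENTS):
        print(f"{host}: {kind}: {detail}")
```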

Detection Method 3: Customizing SAML response to identify irregular access

This method serves as prevention for the future (and would only detect future, not past, activity), as it helps identify irregularities from the point of the change forward. Organizations can modify SAML responses to include custom elements for each service provider to monitor and detect any anomalous requests.[8]

Detection Method 4: Detecting malicious ADFS trust modification

A threat actor who gains administrative access to ADFS can add a new, trusted ADFS rather than extracting the certificate and private key as part of a standard Golden SAML attack.[9]

Network defenders should look for:

  1. Event ID 307 (The Federation Service configuration was changed), which can be correlated to relevant Event ID 510 with the same Instance ID for change details. (Event ID 510 with the same Instance ID could be more than one event per single Event ID 307 event.)
    1. Review events, particularly searching for Configuration: Type: IssuanceAuthority where Property Value references an unfamiliar domain.
  2. Possible interrogation of the ADFS host using ADFS PowerShell plugins. Look for changes in the federation trust environment that would indicate new ADFS sources.
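The Event ID 307 to Event ID 510 join described in Detection Method 2 (item 4) and in item 1 above, as an added example in Python that is not part of the advisory or of Sparrow/Hawk. The "Configuration: Type: ... Property Value: ..." layout of the 510 message body, the known federation domain list and the sample events are constructed assumptions.

```python
"""Detection Methods 2 and 4: join each ADFS Event ID 307 (configuration
changed) to the Event ID 510 detail records that share its Instance ID, and
flag IssuanceAuthority values that point outside the known federation estate."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Regexes over the 510 message body as it appears in a text export (assumed
# layout; check it against a real 510 from your own ADFS Admin log).
TYPE_RE = re.compile(r"Type:\s*(\S+)")
VALUE_RE = re.compile(r"Property Value:\s*(\S+)")


def domain_of(value: str) -> str:
    """Reduce a property value (URL, URN or bare host) to a lowercase host."""
    parsed = urlparse(value)
    if parsed.netloc:  # e.g. http://adfs.example.com/adfs/services/trust
        return parsed.netloc.split("@")[-1].split(":")[0].lower()
    return value.lower()  # bare host, or a urn:... identifier left whole


def is_known(domain: str, known_domains) -> bool:
    return any(domain == k or domain.endswith("." + k) for k in known_domains)


def correlate_307_510(events, known_domains):
    """`events`: dicts with EventID, InstanceID, TimeCreated and (for 510) a
    Message.  One 307 may have several 510s; a finding lists every unknown
    issuer among them.  Returns one finding dict per suspicious 307."""
    details = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 510:
            details[ev["InstanceID"]].append(ev["Message"])
    findings = []
    for ev in events:
        if ev["EventID"] != 307:
            continue
        unknown = []
        for msg in details.get(ev["InstanceID"], []):
            t, v = TYPE_RE.search(msg), VALUE_RE.search(msg)
            if not t or not v or t.group(1).lower() != "issuanceauthority":
                continue  # other configuration types (lifetimes, etc.) are out of scope here
            dom = domain_of(v.group(1))
            if not is_known(dom, known_domains):
                unknown.append(dom)
        if unknown:
            findings.append({"instance_id": ev["InstanceID"],
                             "time": ev["TimeCreated"],
                             "unknown_issuers": unknown})
    return findings


# Constructed sample data (not real log exports).
KNOWN_FEDERATION_DOMAINS = {"corp.example.com"}

SAMPLE_ADFS_EVENTS = [
    {"EventID": 307, "InstanceID": "A1", "TimeCreated": "2020-12-10T02:14:00Z"},
    {"EventID": 510, "InstanceID": "A1", "TimeCreated": "2020-12-10T02:14:00Z",
     "Message": "Configuration: Type: TokenLifetime\nProperty Name: TokenLifetime\nProperty Value: 60"},
    {"EventID": 510, "InstanceID": "A1", "TimeCreated": "2020-12-10T02:14:00Z",
     "Message": "Configuration: Type: IssuanceAuthority\nProperty Name: IssuanceAuthority\n"
                "Property Value: http://sts.corp.example.com/adfs/services/trust"},
    {"EventID": 307, "InstanceID": "B2", "TimeCreated": "2020-12-12T23:41:07Z"},
    {"EventID": 510, "InstanceID": "B2", "TimeCreated": "2020-12-12T23:41:07Z",
     "Message": "Configuration: Type: IssuanceAuthority\nProperty Name: IssuanceAuthority\n"
                "Property Value: http://adfs.unknown-partner.test/adfs/services/trust"},
    # A 510 with no matching 307 is kept out of the findings but is worth a look on its own.
    {"EventID": 510, "InstanceID": "C3", "TimeCreated": "2020-12-13T01:00:00Z",
     "Message": "Configuration: Type: IssuanceAuthority\nProperty Value: http://orphan.test/adfs/services/trust"},
]


if __name__ == "__main__":
    for f in correlate_307_510(SAMPLE_ADFS_EVENTS, KNOWN_FEDERATION_DOMAINS):
        print(f"REVIEW 307 instance {f['instance_id']} at {f['time']}: "
              f"IssuanceAuthority -> {', '.join(f['unknown_issuers'])}")
```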

Stage 2: Using the forged authentication token to create configuration changes in the Service Provider, such as AzureAD (establishing a foothold)

After the threat actor has compromised the on-premises identity provider, they identify their next series of objectives by reviewing activity in the Microsoft Cloud activity space (Microsoft Azure and M365 tenants).

The threat actor uses the ability to forge authentication tokens to establish a presence in the cloud environment. The actor adds additional credentials to an existing service principal. Once the threat actor has impersonated a privileged AzureAD account, they are likely to further manipulate the Azure/M365 environment (action on objectives in the cloud).

Network defenders should take the following steps.

  1. Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials.
    1. Look for unusual application usage, such as dormant or forgotten applications being used again.
    2. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application.
  2. Look for unexpected trust relationships that have been added to AzureAD (download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel).[10]
  3. Use Hawk (and any sub-modules available) to run an investigation on a specific user. Hawk will provide IP addresses, sign-in data, and other data. Hawk can also track IP usage in concurrent login situations.
  4. Review login details for administrator accounts (e.g., high-value administrative accounts, such as Global Admins). Look for unusual sign-in locations, dates, and times.
  5. Review new token validation time periods with high values and investigate whether the changes are legitimate or a threat actor’s attempts to gain persistence.

Stage 3: Acquiring an OAuth access token for the application using the forged credentials added to an existing application or service principal and calling APIs with the permissions assigned to that application

In some cases, the threat actor has been observed adding permissions to existing applications or service principals. Additionally, the actor has been seen establishing new applications or service principals briefly and using them to add permissions to the existing applications or service principals, possibly to add a layer of indirection (e.g., using it to add a credential to another service principal, and then deleting it).[11]

Network defenders should use Sparrow to:

  1. Examine highly privileged accounts; specifically using sign-in logs, look for unusual sign-in locations, dates, and times.
  2. Create a timeline for all credential changes.
  3. Monitor changes in application credentials (the script exports this data to a CSV named AppUpdate_Operations_Export).
  4. Detect service principal credentials change and service principal change (e.g., if an actor adds new permissions or expands existing permissions).
    1. Export and view this activity via the ServicePrincipal_Operations_Export.
  5. Record OAuth consent and consent to applications.
    1. Export and view this record via the Consent_Operations_Export file.
  6. Investigate instances of excessively high permissions, including, but not limited to, Exchange Online, Microsoft Graph, and Azure AD Graph.
    1. Review Microsoft Graph API permissions granted to service principals.
    2. Export and view this activity via the ApplicationGraphPermissions csv file.
      1. Note: Hawk can also return the full list of service principal permissions for further investigation.
    3. Review top actors and the amount of credential modifications performed.
    4. Monitor changes in application credentials.
  7. Identify manipulation of custom or third-party applications.
    1. Network defenders should review the catalog of custom or third-party vendors with applications in the Microsoft tenant and perform the above interrogation principles on those applications and trusts.
  8. Review modifications to federation trust settings.
    1. Review new token validation time periods with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the threat actor.
      1. The script detects the escalation of privileges, including the addition of Service Principals (SP) to privileged roles. It exports this data to a CSV named AppRoleAssignment_Operations_Export.

Stage 4: Once access has been established, the threat actor uses Microsoft Graph API to conduct action on objectives from an external RESTful API (queries impersonating existing applications).

Network defenders should:

  1. In MailItemsAccessed operations, found within the Unified Audit Log (UAL), review the application ID used (this specific detail requires a G5 or E5 license).
  2. Query the specific application ID, using the Sparrow script’s app ID investigation capability to interrogate mail and file items accessed for that application ID (use the application ID utility for any other suspicious apps that require additional analysis).
  3. Check the permissions of an application in M365/AzureAD using Sparrow.
    1. Hawk will return Azure_Application_Audit, and Sparrow will return ApplicationGraphPermissions.
    2. Network defenders will see the IP address that Graph API uses.
    3. Note: the Microsoft IP address may not show up as a virtual private server/anonymized endpoint.
  4. Investigate a specific service principal in Hawk if it is tied to a user-specific account. This activity is challenging to see without Azure Sentinel or without manually downloading and reviewing logs from the sign-in portal.
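A way to triage MailItemsAccessed records by application ID before handing suspicious IDs to Sparrow's app ID investigation (steps 1 and 2 above), added here as an example in Python that is not part of the advisory or of Sparrow/Hawk. The UAL lines, the two app IDs and the allowlist are constructed; only the field names follow the MailItemsAccessed AuditData schema.

```python
"""Stage 4: summarise MailItemsAccessed records from a Unified Audit Log (UAL)
export by the application ID that performed the access, so that app IDs the
tenant does not recognise can be investigated further."""
import json
from collections import defaultdict

# Constructed allowlist.  Populate it from your tenant's own service principal
# and permission exports (e.g. the Sparrow/Hawk CSVs), not from this example.
KNOWN_APP_IDS = {"11111111-1111-1111-1111-111111111111"}


def summarise_mail_access(ual_lines, known_app_ids=KNOWN_APP_IDS):
    """`ual_lines`: one AuditData JSON document per line.  Returns
    {app_id: {"items": n, "mailboxes": set, "ips": set, "known": bool}}."""
    summary = defaultdict(lambda: {"items": 0, "mailboxes": set(), "ips": set(), "known": False})
    for line in ual_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        # AppId identifies the application that called the API.  Fall back to
        # ClientAppId so a record missing one of the two is still attributed.
        app_id = rec.get("AppId") or rec.get("ClientAppId") or "<no-app-id>"
        entry = summary[app_id]
        entry["known"] = app_id in known_app_ids
        entry["mailboxes"].add(rec.get("MailboxOwnerUPN", "?"))
        entry["ips"].add(rec.get("ClientIPAddress", "?"))
        # Each Folders[].FolderItems[] element is one accessed message.
        entry["items"] += sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
    return dict(summary)


def unknown_app_ids(summary):
    """App IDs that accessed mail but are not in the tenant's known set."""
    return sorted(app for app, e in summary.items() if not e["known"])


# Constructed UAL sample (not real audit data); paths use the UAL's escaped form.
SAMPLE_UAL = r"""
{"Operation":"MailItemsAccessed","AppId":"11111111-1111-1111-1111-111111111111","ClientAppId":"11111111-1111-1111-1111-111111111111","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"203.0.113.10","Folders":[{"Path":"\\Inbox","FolderItems":[{"Id":"msg-1"},{"Id":"msg-2"}]}]}
{"Operation":"MailItemsAccessed","AppId":"22222222-2222-2222-2222-222222222222","ClientAppId":"22222222-2222-2222-2222-222222222222","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"198.51.100.7","Folders":[{"Path":"\\Inbox","FolderItems":[{"Id":"msg-1"},{"Id":"msg-3"},{"Id":"msg-4"}]}]}
{"Operation":"MailItemsAccessed","AppId":"22222222-2222-2222-2222-222222222222","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"198.51.100.7","Folders":[{"Path":"\\Sent Items","FolderItems":[{"Id":"msg-9"}]}]}
{"Operation":"FileAccessed","AppId":"22222222-2222-2222-2222-222222222222","UserId":"bob@example.com"}
"""


if __name__ == "__main__":
    summary = summarise_mail_access(SAMPLE_UAL.splitlines())
    for app in unknown_app_ids(summary):
        e = summary[app]
        print(f"UNKNOWN app {app}: {e['items']} items in {len(e['mailboxes'])} mailboxes "
              f"from {', '.join(sorted(e['ips']))}")
```

The IP addresses collected per app ID are the ones the advisory says to review in step 3.2; an app ID that is unknown and appears from a single address across many mailboxes is the case to hand to Sparrow first.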

Microsoft Telemetry Nuances

The existing tools and techniques used to evaluate cloud-based telemetry sources present challenges not represented in traditional forensic techniques. Primarily, the amount of telemetry retention is far less than the traditional logging facilities of on-premises data sources. Threat actor activity that is more than 90 days old is unlikely to have been saved by traditional sources or be visible with the Microsoft M365 Management API or in the UAL.

Service principal logging is available using the Azure Portal via the "Service Principal Sign-ins" feature. Enable settings in the Azure Portal (see “Diagnostic Setting”) to ingest logs into Sentinel or a third-party security information and event management (SIEM) tool. An Azure Premium P1 or Premium P2 license is necessary to access this setting as well as other features, such as a log analytics workspace, storage account, or event hub.[12] These logs must be downloaded manually if not ingested by one of the methods listed in the Detection Methods section.

Global Administrator rights are often required by tools other than Hawk and Sparrow to evaluate M365 cloud security posture. Logging capability and visibility of data varies by licensing models and subscription to premium services, such as Microsoft Defender for O365 and Azure Sentinel. According to CrowdStrike, "There was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible."[13]

Documentation for specific event codes, such as UserAuthenticationMethod 16457, which may indicate a suspicious SAML token forgery, is no longer available in the M365 Unified Access Log. Auditing narratives on some events no longer exist as part of core Microsoft documentation sources.

The use of industry-standard SIEMs for log detection is crucial for providing historical context for threat hunting in Microsoft cloud environments. Standard G3/E3 licenses only provide 90 days of auditing; with the advanced auditing license that is provided with a G5/E5 license, audit logs can be extended to retain information for a year. CISA notes that this license change is proactive, rather than reactive: it allows enhanced visibility and features for telemetry from the moment of integration but does not provide retroactive visibility on previous events or historical context.

A properly configured SIEM can provide:

  1. Longer term storage of log data.
  2. Cross correlation of log data with endpoint data and network data (such as those produced by ADFS servers), endpoint detection and response data, and identity provider information.
  3. Ability to query use of application connectors in Azure.

Built-in tools, such as Microsoft Cloud Services and M365 applications, provide much of the same visibility available from custom tools and are mapped to the MITRE ATT&CK framework and easy-to-understand dashboards.[14] However, these tools often do not have the ability to pull historical data older than seven days. Therefore, storage solutions that appropriately meet governance standards and usability metrics for analysts for the SIEM must be carefully planned and arranged.

Contact Information

CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at

  • 1-888-282-0870 (From outside the United States: +1-703-235-8832)
  • central@cisa.dhs.gov (UNCLASS)
  • us-cert@dhs.sgov.gov (SIPRNET)
  • us-cert@dhs.ic.gov (JWICS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.

Resources

Azure Active Directory Workbook to Assess Solorigate Risk: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718

Volexity - Dark Halo Leverages SolarWinds Compromise to Breach Organizations: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/

How to Find Activity with Sentinel: https://www.verboon.info/2020/10/monitoring-service-principal-sign-ins-with-azuread-and-azure-sentinel/

Third-Party Walkthrough of the Attack: https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

National Security Agency Advisory on Detecting Abuse of Authentication Mechanisms: https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF

Microsoft 365 App for Splunk: https://splunkbase.splunk.com/app/3786/

CISA Remediation Guidance: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

Feedback

CISA strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.cisa.gov/forms/feedback.

Revisions
  • Initial version: January 8, 2021


AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

US-CERT - Thu, 2020-12-17 07:00
Original release date: December 17, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) version 8 framework. See the <a href="https://attack.mitre.org/versions/v8/">ATT&amp;CK for Enterprise version 8</a> for all referenced threat actor tactics and techniques.</em></p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.</p> <p>One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).</p> <ul> <li>Orion Platform 2019.4 HF5, version 2019.4.5200.9083</li> <li>Orion Platform 2020.2 RC1, version 2020.2.100.12219</li> <li>Orion Platform 2020.2 RC2, version 2020.2.5200.12394</li> <li>Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432</li> </ul> <p><strong>Note:</strong> CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.</p> <p>On December 13, 2020, CISA released <a href="https://cyber.dhs.gov/ed/21-01/">Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise</a>, ordering federal civilian executive branch departments and agencies to disconnect affected devices. 
<strong>Note:</strong> this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED-21-01) and does not represent formal guidance to federal agencies under ED 21-01.</p> <p>CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).</p> <h4>Key Takeaways</h4> <ul> <li>This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.</li> <li>The SolarWinds Orion supply chain compromise is <strong><u>not</u></strong> the only initial infection vector this APT actor leveraged.</li> <li>Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.</li> <li>Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.<em>&nbsp;</em></li> </ul> <p><a href="https://us-cert.cisa.gov/sites/default/files/publications/AA20-352A-APT_Compromise_of_Government_Agencies%2C_Critical%20Infrastructure%2C_and_Private_Sector_Organizations.pdf">Click here</a> for a PDF version of this report.</p> <h3>Technical Details</h3><h4>Overview</h4> <p>CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. 
This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.</p> <h4>Initial Infection Vectors [<a href="https://attack.mitre.org/versions/v8/tactics/TA0001/">TA0001</a>]</h4> <p>CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Volexity has also reported publicly that they observed an intrusion into a think tank using, as an initial intrusion vector, a Duo multi-factor authentication bypass in Outlook Web App (OWA) to steal the secret key.[<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">1</a>] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.</p> <h4>SolarWinds Orion Supply Chain Compromise</h4> <p>SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. 
To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.</p> <p>The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[<a href="https://www.solarwinds.com/securityadvisory">2</a>] (see Appendix A). The adversary added a malicious version of the binary <code>solarwinds.orion.core.businesslayer.dll</code> into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific <code>avsvmcloud[.]com</code> domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to <code>avsvmcloud[.]com</code> should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the <code>avsvmcloud[.]com</code> domain are observed, possible additional adversary action leveraging the back door has occurred.</p> <p>Based on coordinated actions by multiple private sector partners, as of December 15, 2020, <code>avsvmcloud[.]com</code> resolves to <code>20.140.0[.]1</code>, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. 
In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.</p> <p>SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.</p> <h4>Anti-Forensic Techniques</h4> <p>The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.</p> <p>FireEye has reported that the adversary is using steganography (<em>Obfuscated Files or Information: Steganography </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1027/003/">T1027.003</a>]) to obscure C2 communications.[<a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">3</a>] This technique negates many common defensive capabilities in detecting the activity. <strong>Note:</strong> CISA has not yet been able to independently confirm the adversary’s use of this technique.</p> <p>According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. 
Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.</p> <p>While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.</p> <p>Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.</p> <h4>Privilege Escalation and Persistence [<a href="https://attack.mitre.org/versions/v8/tactics/TA0004">TA0004</a>, <a href="https://attack.mitre.org/versions/v8/tactics/TA0003/">TA0003</a>]</h4> <p>The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.[<a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml">4</a>]</p> <p>Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. 
Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.[<a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml ">5</a>]</p> <h4>User Impersonation</h4> <p>The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).</p> <p>CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.</p> <p>These are some key functions and systems that commonly use SAML.</p> <ul> <li>Hosted email services</li> <li>Hosted business intelligence applications</li> <li>Travel systems</li> <li>Timecard systems</li> <li>File storage services (such as SharePoint)</li> </ul> <h4>Detection: Impossible Logins</h4> <p>The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). 
<strong>Note:</strong> implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.</p> <h4>Detection: Impossible Tokens</h4> <p>The following conditions may indicate adversary activity.</p> <ul> <li>Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual.</li> <li>The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance.</li> <li>A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation.</li> </ul> <h4>Operational Security</h4> <p>Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. 
An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.</p> <p>Operational security plans should include:</p> <ul> <li>Out-of-band communications guidance for staff and leadership;</li> <li>An outline of what “normal business” is acceptable to be conducted on the suspect network;</li> <li>A call tree for critical contacts and decision making; and</li> <li>Considerations for external communications to stakeholders and media.</li> </ul> <h4>MITRE ATT&amp;CK® Techniques</h4> <p>CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&amp;CK techniques.</p> <ul> <li><em>Query Registry</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1012/">T1012</a>]</li> <li><em>Obfuscated Files or Information</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1027/">T1027</a>]</li> <li><em>Obfuscated Files or Information: Steganography</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1027/003">T1027.003</a>]</li> <li><em>Process Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1057/">T1057</a>]</li> <li><em>Indicator Removal on Host: File Deletio</em>n [<a href="https://attack.mitre.org/versions/v8/techniques/T1070/004">T1070.004</a>]</li> <li><em>Application Layer Protocol: Web Protocols</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/001">T1071.001</a>]</li> <li><em>Application Layer Protocol: DNS</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1071/004">T1071.004</a>]</li> <li><em>File and Directory Discovery</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1083/">T1083</a>]</li> <li><em>Ingress Tool Transfer</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1105/">T1105</a>]</li> <li><em>Data Encoding: Standard Encoding</em> [<a 
href="https://attack.mitre.org/versions/v8/techniques/T1132/001">T1132.001</a>]</li> <li><em>Supply Chain Compromise: Compromise Software Dependencies and Development Tools</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1195/001">T1195.001</a>]</li> <li><em>Supply Chain Compromise: Compromise Software Supply Chain</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1195/002">T1195.002</a>]</li> <li><em>Software Discovery </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1518/">T1518</a>]</li> <li><em>Software Discovery: Security Software </em>[<a href="https://attack.mitre.org/versions/v8/techniques/T1518/001">T1518.001</a>]</li> <li><em>Create or Modify System Process: Windows Service</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1543/003">T1543.003</a>]</li> <li><em>Subvert Trust Controls: Code Signing</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1553/002">T1553.002</a>]</li> <li><em>Dynamic Resolution: Domain Generation Algorithms</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1568/002">T1568.002</a>]</li> <li><em>System Services: Service Execution</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1569/002">T1569.002</a>]</li> <li><em>Compromise Infrastructure</em> [<a href="https://attack.mitre.org/versions/v8/techniques/T1584/">T1584</a>]</li> </ul> <h3>Mitigations</h3><h4>SolarWinds Orion Owners</h4> <p>Owners of vulnerable SolarWinds Orion products will generally fall into one of three categories.</p> <ul> <li>Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.</li> <li>Category 2 includes those who have identified the presence of the malicious binary—with or without beaconing to <code>avsvmcloud[.]com</code>. 
Owners with the malicious binary whose vulnerable appliances’ only unexplained external communications are with <code>avsvmcloud[.]com</code>—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.</li> <li>Category 3 includes those with the binary beaconing to <code>avsvmcloud[.]com</code> and secondary C2 activity to a separate domain or IP address. If you observed communications with <code>avsvmcloud[.]com</code> that appear to suddenly cease prior to December 14, 2020—not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.</li> </ul> <h4>Compromise Mitigations</h4> <p>If the adversary has compromised administrative-level credentials in an environment—or if organizations identify SAML abuse in the environment—simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases a full rebuild of the environment is the safest action.</p> <h4>SolarWinds Orion Specific Mitigations</h4> <p>The following mitigations apply to networks using the SolarWinds Orion product. 
This includes any information system that is used by an entity or operated on its behalf.</p> <p>Organizations that have the <a href="https://cyber.dhs.gov/ed/21-01/#what-does-the-directive-mean-by-expertise">expertise</a> to take the actions in Step 1 immediately should do so before proceeding to Step 2. Organizations without this capability should proceed to Step 2. Federal civilian executive branch agencies should ignore the below and refer instead to <a href="https://cyber.dhs.gov/ed/21-01/">Emergency Directive 21-01</a> (and forthcoming associated guidance) for mitigation steps.</p> <ul> <li><strong>Step 1</strong> <ul> <li><strong>Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion.</strong> Analyze for new user or service accounts, privileged or otherwise.</li> <li>Analyze stored network traffic for <a href="https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software">indications of compromise</a>, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.</li> </ul> </li> <li><strong>Step 2</strong> <ul> <li>Affected organizations should immediately <strong>disconnect or power down all instances of affected versions of SolarWinds Orion from their network</strong>.</li> <li>Additionally: <ul> <li><strong>Block all traffic</strong> to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.</li> <li><strong>Identify and remove</strong> all threat actor-controlled accounts and identified persistence mechanisms. 
</li> </ul> </li> </ul> </li> <li><strong>Step 3</strong> <ul> <li><strong>Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:</strong> <ul> <li>Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.</li> <li>Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.</li> <li>Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.</li> <li>Take actions to remediate kerberoasting, including—as necessary or appropriate—engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following Microsoft documentation on kerberoasting: <a href="https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448">https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448</a>.</li> <li>Require use of multi-factor authentication. 
If not possible, use long and complex passwords (greater than 25 characters) for service principal accounts, and implement a good rotation policy for these passwords.</li> <li>Replace the user account with a group Managed Service Account (gMSA); see Microsoft’s documentation on Group Managed Service Accounts: <a href="https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview</a>.</li> <li>Set account options for service accounts to support <code>AES256_CTS_HMAC_SHA1_96</code> and not to support <code>DES</code>, <code>RC4</code>, or <code>AES128</code> encryption.</li> <li>Define the security policy setting <em>Network Security: Configure encryption types allowed for Kerberos</em>. Set the allowable encryption types to <code>AES256_HMAC_SHA1</code> and Future encryption types: <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos">https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos</a>.</li> <li>See Microsoft’s documentation on how to reset the Kerberos Ticket Granting Ticket password twice: <a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password">https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password</a>.</li> </ul> </li> </ul> </li> </ul> <p>See the Joint Alert on <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-245a">Technical Approaches to Uncovering and Remediating Malicious Activity</a> for more information on incident investigation and mitigation steps based on best practices.</p> <p>CISA will update this Alert, as information becomes 
available and will continue to provide technical assistance, upon request, to affected entities as they work to identify and mitigate potential compromises.</p> <h3>Contact Information</h3><p>CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at</p> <ul> <li>1-888-282-0870 (From outside the United States: +1-703-235-8832)</li> <li><a href="mailto:Central@cisa.dhs.gov">central@cisa.dhs.gov</a> (UNCLASS)</li> <li>us-cert@dhs.sgov.gov (SIPRNET)</li> <li>us-cert@dhs.ic.gov (JWICS)</li> </ul> <p>CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at <a href="http://www.us-cert.cisa.gov/">http://www.us-cert.cisa.gov/</a>.</p> <h3>Appendix A: Affected SolarWinds Orion Products</h3> <p>Table 1 identifies recent versions of SolarWinds Orion Platforms and indicates whether they have been identified as having the Sunburst backdoor present.</p> <p class="text-align-center"><em>Table 1: Affected SolarWinds Orion Products</em></p> <table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 980.233px; height: 312px; margin-left: auto; margin-right: auto;"> <thead> <tr> <th scope="col" style="width: 108px;"><strong>Orion Platform Version</strong></th> <th scope="col" style="width: 138px;"><strong>Sunburst Backdoor Code Present</strong></th> <th scope="col" style="width: 170px;"><strong>File Version</strong></th> <th scope="col" style="width: 573px;"><strong>SHA-256</strong></th> </tr> </thead> <tbody> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4</td> <td scope="col" style="text-align: left; width: 138px;">Tampered but not backdoored</td> <td scope="col" style="text-align: left; width: 
170px;">2019.4.5200.8890</td> <td scope="col" style="text-align: left; width: 573px;">a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF1</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.8950</td> <td scope="col" style="text-align: left; width: 573px;">9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF2</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.8996</td> <td scope="col" style="text-align: left; width: 573px;">bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF3</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9001</td> <td scope="col" style="text-align: left; width: 573px;">ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF4</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9045</td> <td scope="col" style="text-align: left; width: 573px;">9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2020.2 RC1</td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;">2020.2.100.12219</td> <td scope="col" style="text-align: left; width: 573px;"> 
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF5</td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9083</td> <td scope="col" style="text-align: left; width: 573px;">32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2020.2 RC2</td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;">2020.2.5200.12394</td> <td scope="col" style="text-align: left; width: 573px;">019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;"> <p>2020.2</p> <p>2020.2 HF1</p> </td> <td scope="col" style="text-align: left; width: 138px;">Yes</td> <td scope="col" style="text-align: left; width: 170px;">2020.2.5300.12432</td> <td scope="col" style="text-align: left; width: 573px;">ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2019.4 HF6</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2019.4.5200.9106</td> <td scope="col" style="text-align: left; width: 573px;">8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;"> <p>2020.2.1</p> <p>2020.2.1 HF1</p> </td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2020.2.15300.12766</td> <td scope="col" style="text-align: left; width: 
573px;">143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a</td> </tr> <tr> <td scope="col" style="text-align: left; width: 108px;">2020.2.1 HF2</td> <td scope="col" style="text-align: left; width: 138px;">No</td> <td scope="col" style="text-align: left; width: 170px;">2020.2.15300.12901</td> <td scope="col" style="text-align: left; width: 573px;">cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f</td> </tr> </tbody> </table> <h3>Appendix B: Indicators of Compromise</h3> <p>Due to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources provided for convenience. CISA will be updating this list with CISA-developed IOCs as our investigations evolve.</p> <p class="text-align-center"><em>Table 2: Indicators of Compromise</em></p> <table border="1" cellpadding="10" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;"> <thead> <tr> <th scope="col" style="width: 546px;"> <p><strong>&nbsp;IOC&nbsp;</strong></p> </th> <th scope="col" style="width: 52px;">&nbsp;Type&nbsp;</th> <th scope="col" style="width: 114px;">&nbsp;Notes&nbsp;</th> <th scope="col" style="width: 400px;">&nbsp;References&nbsp;</th> <th scope="col" style="width: 757px;">&nbsp;Source&nbsp;</th> </tr> </thead> <tbody> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77&nbsp;</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash&nbsp;</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;Backdoor.Sunburst&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"> <p><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></p> </td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"> <p><strong>&nbsp;a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc</strong></p> </td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;Backdoor.Sunburst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;">&nbsp;<strong>d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;Backdoor.Sunburst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;">&nbsp;<strong>13.59.205[.]66</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;DEFTSECURITY[.]com</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;deftsecurity[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">Domain malicious on VT, registered with&nbsp; Amazon, hosted on US IP address 13.59.205.66, malware repository, spyware and malware</td> <td scope="col" style="width: 400px; text-align: left;"> <p><a href="https://www.virustotal.com/gui/domain/deftsecurity.com/details">https://www.virustotal.com/gui/domain/deftsecurity.com/details</a></p> <p><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></p> </td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;54.193.127[.]66</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">FREESCANONLINE[.]com</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c</strong></td> 
<td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: 
left;"><strong>&nbsp;eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">No info available</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;65.153.203[.]68</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Not seen as malicious on VT. Registered in US, CenturyLink Communications, LLC</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.hybrid-analysis.com/sample/12e76c16bbf64e83b79d8dac921c9cccabbe40d28ad480c636f94a5737b77c9a?environmentId=100">https://www.hybrid-analysis.com/sample/12e76c16bbf64e83b79d8dac921c9cccabbe40d28ad480c636f94a5737b77c9a?environmentId=100</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;avsvmcloud[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">Reported by FireEye. The malicious DLL calls out to remote network infrastructure using the domain avsvmcloud[.]com to prepare possible second-stage payloads, move laterally in the organization, and compromise or exfiltrate data. Malicious on VT. Hosted on IP address 20.140.0.1, which is registered with Microsoft. Malware callhome, command and control</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;"> <p><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></p> <p>FireEye Report Talos</p> <p>Volexity</p> </td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;3.87.182[.]149</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Resolves to KUBECLOUD[.]com, IP registered to Amazon. Tracked by Insikt/RF as tied to SUNBURST intrusion activity.</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;3.16.81[.]254</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Resolves to SEOBUNDLEKIT[.]com, registered to Amazon. Tracked by Insikt/RF as tied to SUNBURST intrusion activity.</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;12.227.230[.]4</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">Seen as malicious on VT. Registered in US, AT&amp;T Services, Inc</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.hybrid-analysis.com/sample/8d34b366f4561ca1389ce2403f918e952584a56ea55876311cfb5d2aad875439">https://www.hybrid-analysis.com/sample/8d34b366f4561ca1389ce2403f918e952584a56ea55876311cfb5d2aad875439</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;54.215.192[.]52</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">THEDOCCLOUD[.]com</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: 
left;">Trojan.MSIL.SunBurst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">Trojan.MSIL.SunBurst</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]11</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]12</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: 
left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]9</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]20</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]40</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]44</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]62</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]130</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]135</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]136</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]149</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]156</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]158</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]165</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]170</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]180</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.144[.]188</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]21</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]33</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]36</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]131</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]134</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]136</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]139</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]150</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]157</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;8.18.145[.]181</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;13.27.184[.]217</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;18.217.225[.]111</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;18.220.219[.]143</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;20.141.48[.]154</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;34.219.234[.]134</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.1[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.21[.]54</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.48[.]22</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.101[.]22</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.113[.]55</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.145[.]34</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.209[.]33</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.212[.]52</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.224[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.229[.]1</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.240[.]3</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;184.72.245[.]1</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;196.203.11[.]89</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;IPv4</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;digitalcollege[.]org</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;freescanonline[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;globalnetworkissues[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;kubecloud[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;lcomputers[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;seobundlekit[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;solartrackingsystem[.]net</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;thedoccloud[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;virtualwebdata[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;">&nbsp;<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;webcodez[.]com</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;domain</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a 
href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;Volexity</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public">https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> <tr> <td scope="col" style="width: 546px; text-align: left;"><strong>&nbsp;c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71</strong></td> <td scope="col" style="width: 52px; text-align: left;">&nbsp;hash</td> <td scope="col" style="width: 114px; text-align: left;">&nbsp;</td> <td scope="col" style="width: 400px; text-align: left;"><a href="https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public">https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public</a></td> <td scope="col" style="width: 757px; text-align: left;">&nbsp;</td> </tr> </tbody> </table> <h3>References</h3> <ul> <li><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">[1] Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations</a></li> <li><a href="https://www.solarwinds.com/securityadvisory">[2] SolarWinds Security Advisory</a></li> <li><a 
href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">[3] FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor</a></li> <li><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml">[4] GitHub: Azure / Azure-Sentinel - AzureAADPowerShellAnomaly.yaml</a></li> <li><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml">[5] GitHub: Azure / Azure-Sentinel - ADFSDomainTrustMods.yaml</a></li> </ul> <h3>Revisions</h3> <ul> <li>Initial Version: December 17, 2020</li> </ul>
Categories: Security Alerts

SolarWinds Orion Platform Supply Chain Attack

Cisco Security Advisories - Mon, 2020-12-14 22:00

SolarWinds has announced a compromise of its software supply chain and has released a security advisory providing guidance on assessing and remediating this issue: https://www.solarwinds.com/securityadvisory

Cisco recommends that customers assess if they have used an affected version of SolarWinds Orion Platform and, if so, take the following actions:

  1. Follow the guidance provided in the SolarWinds Security Advisory.
  2. Determine the need to change credentials on all devices being managed by the affected SolarWinds platform software. This includes:
    • User credentials
    • Simple Network Management Protocol (SNMP) version 2c community strings
    • SNMP version 3 user credentials
    • Internet Key Exchange (IKE) preshared keys
    • Shared secrets for TACACS, TACACS+, and RADIUS
    • Secrets for Border Gateway Protocol (BGP), OSPF, Enhanced Interior Gateway Routing Protocol (EIGRP), or other routing protocols
    • Exportable RSA keys and certificates for Secure Shell (SSH) or other protocols
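The checklist above is easier to act on when you know which of those secrets a given device actually carries. The following Python script is an added example (not part of the Cisco advisory and not a Cisco tool): it walks a saved IOS-style running-config, maps each credential-bearing statement onto the advisory's categories, and returns a rotation inventory with the secret values masked. The command syntax it recognises, the `<redacted>` marker, the function names and the sample configuration are assumptions constructed for this example. Whether an RSA key pair is exportable is not visible in a running-config, so trustpoints are listed for a manual check rather than classified.

```python
"""Inventory the credential-bearing lines of a saved Cisco IOS-style running-config.

Added example, not from the Cisco advisory or any Cisco tool: it maps the
advisory's rotation checklist onto the config statements that carry each kind
of secret. The regexes cover common IOS/IOS-XE syntax (an assumption, not a
complete grammar); the sample config at the bottom is constructed."""
import re
from collections import defaultdict

# (advisory category, regex the enclosing top-level block must match or None
#  for an unindented line, regex the line itself must match)
RULES = [
    ("User credentials", None, r"^username \S+ .*\b(secret|password)\b"),
    ("User credentials", None, r"^enable (secret|password)\b"),
    ("SNMP v2c community strings", None, r"^snmp-server community\b"),
    ("SNMP v3 user credentials", None, r"^snmp-server user\b"),
    ("IKE preshared keys", None, r"^crypto isakmp key\b"),
    ("IKE preshared keys", r"^crypto ikev2 keyring\b", r"^pre-shared-key\b"),
    ("TACACS/TACACS+/RADIUS shared secrets", None, r"^(tacacs|radius)-server key\b"),
    ("TACACS/TACACS+/RADIUS shared secrets", r"^(tacacs|radius) server\b", r"^key\b"),
    ("Routing protocol secrets", r"^router bgp\b", r"^neighbor \S+ password\b"),
    ("Routing protocol secrets", r"^interface\b",
     r"^ip ospf (authentication-key|message-digest-key)\b"),
    ("Routing protocol secrets", r"^key chain\b", r"^key-string\b"),
    # The running-config does not show whether an RSA key pair is exportable;
    # list trustpoints so each key pair can be checked with
    # 'show crypto key mypubkey rsa' before deciding whether to regenerate it.
    ("Certificates / RSA key pairs (check exportability manually)", None,
     r"^crypto pki trustpoint\b"),
]

# The token after one of these keywords (optionally preceded by an encryption
# type digit or the IKEv2 'local' keyword) is the secret and gets masked.
_SECRET_RE = re.compile(
    r"(?:\b(?:key-string|pre-shared-key|authentication-key|community|secret|"
    r"password|sha|md5|aes\s+\d+|3des|des)|(?<![-\w])key)"
    r"\s+(?:(?:local|\d)\s+)?(\S+)"
)


def redact_secrets(line):
    """Mask secret tokens so the report can be shared without leaking them."""
    return _SECRET_RE.sub(
        lambda m: m.group(0)[: m.start(1) - m.start(0)] + "<redacted>", line)


def iter_config_lines(config_text):
    """Yield (enclosing top-level block or None, stripped line) per config line.
    Indented lines belong to the most recent unindented line; '!' is skipped."""
    block = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            yield block, raw.strip()
        else:
            block = raw.strip()
            yield None, block


def inventory_credentials(config_text):
    """Return {advisory category: [redacted config lines]} for every line that
    carries a secret the advisory says to consider rotating."""
    found = defaultdict(list)
    for block, line in iter_config_lines(config_text):
        for category, parent_re, line_re in RULES:
            if parent_re is None:
                in_scope = block is None
            else:
                in_scope = block is not None and re.match(parent_re, block)
            if in_scope and re.match(line_re, line):
                found[category].append(redact_secrets(line))
                break
    return dict(found)


# Constructed sample running-config; every secret value is a placeholder.
SAMPLE_CONFIG = """\
enable secret 9 $9$constructed.enable.hash
username admin privilege 15 secret 5 $1$constructed.user.hash
snmp-server community public RO
snmp-server community private RW
snmp-server user nms-user NMS-GROUP v3 auth sha Auth-Pass-1 priv aes 128 Priv-Pass-1
crypto isakmp key Site2SitePSK address 203.0.113.2
crypto ikev2 keyring IKEV2-KR
 peer branch
  pre-shared-key Branch-PSK
!
tacacs-server key 7 0822455D0A16
radius server ISE
 key 7 14141B180F0B
key chain EIGRP-KEYS
 key 1
  key-string 7 104D000A0618
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 7 070C285F4D06
router bgp 65001
 neighbor 10.0.0.2 password 7 045802150C2E
crypto pki trustpoint LOCAL-CA
 rsakeypair LOCAL-CA-KEYS
"""

if __name__ == "__main__":
    for category, lines in inventory_credentials(SAMPLE_CONFIG).items():
        print(f"{category}: {len(lines)}")
        print("\n".join(f"    {line}" for line in lines))
```

Feed it the saved output of `show running-config` by passing the file's text to `inventory_credentials()`. The block-aware matching matters: `key 1` inside a `key chain` is a key identifier, not a secret, while `key 7 ...` inside a `radius server` block is the shared secret, and a flat line-by-line grep would confuse the two. Platforms with different syntax (IOS-XR, NX-OS) need their own entries in `RULES`.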

While there are no vulnerabilities in Cisco products related to this issue, if a customer was using an affected version of SolarWinds Orion Platform and would like to investigate potential impact to Cisco devices, Cisco has published a number of documents that can help the investigation. Please consult https://tools.cisco.com/security/center/resources/ir_escalation_guidance.

Cisco TALOS has also published guidance regarding this issue that can be viewed here: https://blog.talosintelligence.com/2020/12/fireeye-breach-guidance.html

Customers that need assistance with Incident Response activities can contact Cisco TALOS here: https://talosintelligence.com/incident_response

Cisco will update this advisory as needed, if additional information becomes available.


Security Impact Rating: Informational
Categories: Security Alerts

Cisco Jabber Desktop and Mobile Client Software Vulnerabilities

Cisco Security Advisories - Thu, 2020-12-10 16:00
Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO


Security Impact Rating: Critical
CVE: CVE-2020-26085,CVE-2020-27127,CVE-2020-27132,CVE-2020-27133,CVE-2020-27134
Categories: Security Alerts
