Core
Regular
- Joined
- 21.09.20
- Messages
- 85
- Reaction score
- 249
- Points
- 33
The hackers turned out to be skilled and methodical operators who follow best practices to ensure the security of operations.
Information security specialists from Microsoft shared details about how hackers who attacked the SolarWinds supply chain managed to remain unnoticed and hide their malicious activities inside the networks of hacked companies.
The information was provided by security experts from the Microsoft 365 Defender, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) research teams.
As experts found out, the hackers who attacked SolarWinds demonstrated a number of tactics, operational security and sophisticated behavior that dramatically reduced the ability of hacked organizations to detect hacking. Some examples of evasion tactics include:
Methodically eliminating common indicators for each compromised system by deploying custom Cobalt Strike DLL implants on each computer;
Disguise and blend in with the environment by renaming tools and binaries to match the files and programs on the hacked device;
Disable event logging with AUDITPOL before performing keyboard actions and enable it again after;
Create firewall rules to minimize outgoing packets for certain protocols before launching "noisy" network enumeration actions (deleted after operations are completed);
Carefully plan your actions for moving around the network, first disabling security services on the target devices;
According to experts, the criminals used the technique of changing the timestamps of artifacts, and also used cleaning procedures and tools to prevent the detection of malicious DLL implants in vulnerable environments.
Information security specialists from Microsoft shared details about how hackers who attacked the SolarWinds supply chain managed to remain unnoticed and hide their malicious activities inside the networks of hacked companies.
The information was provided by security experts from the Microsoft 365 Defender, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) research teams.
As experts found out, the hackers who attacked SolarWinds demonstrated a number of tactics, operational security and sophisticated behavior that dramatically reduced the ability of hacked organizations to detect hacking. Some examples of evasion tactics include:
Methodically eliminating common indicators for each compromised system by deploying custom Cobalt Strike DLL implants on each computer;
Disguise and blend in with the environment by renaming tools and binaries to match the files and programs on the hacked device;
Disable event logging with AUDITPOL before performing keyboard actions and enable it again after;
Create firewall rules to minimize outgoing packets for certain protocols before launching "noisy" network enumeration actions (deleted after operations are completed);
Carefully plan your actions for moving around the network, first disabling security services on the target devices;
According to experts, the criminals used the technique of changing the timestamps of artifacts, and also used cleaning procedures and tools to prevent the detection of malicious DLL implants in vulnerable environments.