The recent supply chain attack that hit the multinational vendor SolarWinds – and an unknown number of its customers – is far from over. As investigations continue, it becomes increasingly clear that the malicious actors (allegedly elite hackers funded by the Russian government) devised a complex operation to break into several American and European companies.
The newest company to join the list of victims of the operation is Mimecast, based in London, which runs a cloud-based security platform for Microsoft 365 (formerly known as Office 365). The company confirmed that attackers compromised one of its certificates, used by some of its customers to authenticate their Microsoft 365 email accounts to Mimecast's products that protect against BEC (business email compromise) scams.
“Approximately 10% of our customers use this connection. Of those who do, there are indications that a low, single digit number of our customers’ M365 tenants were targeted. We have already contacted these customers to correct the problem,” explained Mimecast, implying that the final number of affected customers was below ten. The company stopped using the SolarWinds platform after the attack.
“As a precaution, we are asking this subset of Mimecast customers who use this certificate-based connection to immediately delete the existing connection on their Microsoft 365 and establish a new certificate-based connection using the new certificate we have made available. This action does not affect the flow of incoming or outgoing messages or the associated security check,” the company concludes.
One more piece in the puzzle
In the meantime, researchers have detected another variant of malware that may have been used to compromise the build and distribution system for SolarWinds’ Orion platform. Called Sunspot, the malicious code was reportedly used to break into the multinational’s infrastructure much earlier than previously thought – the first moves took place around September 2019.
“This highly sophisticated and innovative code was designed to deploy malicious Sunburst code on the SolarWinds Orion Platform, without raising suspicion in our software development teams,” explained Sudhakar Ramakrishna, new CEO of SolarWinds. The discovery of Sunspot was only possible thanks to a collaboration with the team of experts from CrowdStrike.
Once it has infected the target machine, the malware grants itself debugging privileges on the build server, hijacks the build workflow, and swaps legitimate code for malicious code, which establishes the Sunburst backdoor on the Orion platform. “Sunspot monitors the running processes of those involved in compiling Orion and replaces one of the source files to include the Sunburst backdoor code,” the CrowdStrike team explains.
This means that Sunspot was designed solely for this purpose and was trialled in late 2019 so that the malicious actors could test their ability to infiltrate SolarWinds customers through the backdoor.
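The mechanism described above (a source file silently replaced on the build host while the compiler runs) is exactly what a pinned source-integrity check can catch. The following added example is not from the original article, CrowdStrike or SolarWinds; it pins a SHA-256 manifest of a checkout, then re-verifies the tree at compile time and reports modified, missing and unexpected files. The file names, contents and directory layout are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large sources do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root, pinned):
    """Compare the tree on disk against a pinned manifest.

    Returns a dict with three sorted lists:
      modified   - files whose digest no longer matches the pin
      missing    - pinned files that are gone
      unexpected - files present on disk that were never pinned
    Any non-empty list means the source fed to the compiler is not
    the source that was reviewed and pinned, and the build should stop.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in pinned if k in current and current[k] != pinned[k]),
        "missing": sorted(k for k in pinned if k not in current),
        "unexpected": sorted(k for k in current if k not in pinned),
    }


def demo():
    """Constructed scenario: pin a checkout, simulate a swap before compile, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "Main.cs").write_text("class Main { static void Run() {} }\n")
        (src / "Util.cs").write_text("class Util {}\n")

        # Manifest taken at checkout; in practice it is computed from the
        # reviewed commit and stored off the build host (constructed here).
        pinned = build_manifest(src)

        # Something on the build host rewrites a source file and drops an
        # extra one between checkout and compilation (constructed tampering).
        (src / "Main.cs").write_text("class Main { static void Run() { Extra.Init(); } }\n")
        (src / "Extra.cs").write_text("class Extra { static void Init() {} }\n")

        return verify_tree(src, pinned)


if __name__ == "__main__":
    findings = demo()
    for kind, files in findings.items():
        print(f"{kind}: {files}")
```

The check is only as trustworthy as the place the pinned manifest lives: if it is computed and stored on the same build host, whatever tampers with the sources can tamper with the pin too. A stronger version derives the manifest from the reviewed commit in the version control system and, ideally, compares the produced artifact against an independent reproducible build.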
US Government Announces Investments
One of the main targets of the operation, the US government appears to have been shaken enough by the incident to announce new public-sector investments in cybersecurity. On the verge of being sworn in as the country’s new president, Democrat Joe Biden promised, during an announcement last week, to make cybersecurity a priority in his administration.
This includes a $10 billion budget for spending in the area, including a $690 million allocation for the Cybersecurity and Infrastructure Security Agency (CISA) to improve its ability to identify and respond to incidents.
“I am grateful to see the President-elect pushing for major cyber security investments after the SolarWinds invasion, which highlighted the need to act now to protect Americans and our interests in cyberspace,” said Congressman Jim Langevin.
See the original post at: https://thehack.com.br/novo-malware-novas-vitimas-novos-investimentos-atualizacoes-do-caso-solarwinds/?rand=48873