ioppm.blogg.se

Orion sandbox hacked






Prodaft cautions that "security analysts should not fully-automize their threat intelligence protocols as acting strictly upon IoC intelligence from third-party resources may be one of the main reasons that prevent researchers from realizing the actual scope of large-scale APT attacks."


SilverFish infrastructure has also revealed links to multiple IoCs previously attributed to TrickBot, EvilCorp, WastedLocker, and DarkHydrus. However, the team expects other spying and data theft-related attacks to continue throughout 2021. SilverFish-SolarWinds attacks began at the end of August 2020 and were conducted in three waves that only ended with the seizure and sinkholing of a key domain. Prodaft says that after obtaining entry to the management C2 control panel, the company was able to verify links to existing SolarWinds security incidents and known victims by way of IP, username, command execution, country, and timestamp records.

A 'test run' of the SolarWinds Orion compromise was conducted in 2019, whereas Sunburst malware was deployed to clients between March and June 2020. In December, following the disclosure of the SolarWinds breach, Prodaft received an analysis request from a client and created a fingerprint based on public Indicators of Compromise (IoCs) released by FireEye.

After running IPv4 scans, the team found new detections within 12 hours and then began combing the web for command-and-control servers (C2s) used in the operation while refining fingerprint records. SilverFish has been connected to the recent SolarWinds breach as "one of many" threat groups taking advantage of the situation, in which malicious SolarWinds Orion updates were pushed to customers, leading to the compromise of thousands of corporate networks. Attacks are geared toward US and European entities, and there is a specific focus on critical infrastructure and targets with a market value of over $100 million.






