Microsoft Tells How Hackers Who Attacked SolarWinds Evaded Detection

Information security specialists from Microsoft have shared details of how the hackers who attacked SolarWinds' supply chain managed to go unnoticed and hide their malicious activity inside the networks of the compromised companies.

The information was provided by security experts from the Microsoft 365 Defender Research Teams, Microsoft Threat Intelligence Center (MSTIC), and Microsoft Cyber ​​Defense Operations Center (CDOC).

Experts found that the hackers who attacked SolarWinds demonstrated a range of tactics, operational security and sophisticated behavior that dramatically reduced the ability of compromised organizations to detect a breach. Some examples of evasion tactics include:

Methodically eliminate common indicators for each compromised system by deploying custom Cobalt Strike DLL implants on each computer;

Masking and mixing with the environment by renaming tools and binaries to match the files and programs on the jailbroken device;

  • Disable event logging with AUDITPOL before practicing with the keyboard and enable it back after;

  • Creation of firewall rules in order to minimize outgoing packets for certain protocols before starting "noisy" actions to enumerate networks (deleted after completion of operations);

  • Thorough planning of actions regarding movement across the network, having previously disabled security services on target devices;

  • The criminals believed that the criminals used a technique of changing the timestamp of artifacts, as well as used procedures and cleaning tools to prevent the detection of malicious DLL implants in vulnerable environments.

Previous Post Next Post