"SolarWinds Hack Investigation Reveals New Sunspot Malware"
CrowdStrike researchers have revealed a new strain of malware called Sunspot. This malware is said to have been used by the SolarWinds attackers to inject the Sunburst malicious code into SolarWinds' Orion IT software. Further investigation of the SolarWinds hack has also revealed a new timeline for the event, as well as customer support incidents that are believed to be related to the Sunburst malware being used on customer infrastructure. Researchers have also found similarities between the Sunburst malware and a backdoor linked to the Russian Advanced Persistent Threat (APT) group Turla.

According to CrowdStrike researchers, Sunspot was used to monitor running processes in SolarWinds' build environment. The researchers also released details about the tactics, techniques, and procedures (TTPs) the attackers used to maintain the malware's persistence, to ensure that their code tampering did not cause build errors, and to prevent SolarWinds from detecting their operations. Sudhakar Ramakrishna, SolarWinds' new CEO, confirmed that the attackers conducted a test run in late 2019 to ensure that the company would not detect their future actions.

An analysis of the Sunburst malware revealed that its code is similar to that of Kazuar, a .NET backdoor linked to the Turla APT group. The two malware strains use the same algorithm to calculate how long the malware stays inactive before making a new command-and-control (C&C) server connection. They also use the same algorithms for string obfuscation and for generating unique victim identifiers. This article continues to discuss the new Sunspot malware, the similarities between Kazuar and Sunburst, and other new findings surrounding the SolarWinds hack.
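The build-environment tampering described above (source files swapped during the build so that the compiled product differs from the committed source) is the kind of change a defender can catch by hashing the build inputs before and after the compile step and comparing against a known-good baseline. The following is an added example written for this page, not code from CrowdStrike, SolarWinds, or the article; the function names `build_manifest` and `diff_manifests` are hypothetical, and the sample source tree is constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper names; not part of any real build tool or the article.
SOURCE_SUFFIXES = (".cs", ".csproj", ".sln")


def build_manifest(root: Path, suffixes=SOURCE_SUFFIXES) -> dict:
    """Map each source file (relative POSIX path) under root to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, observed: dict) -> dict:
    """Report files whose content changed, appeared, or vanished between two manifests.

    A non-empty result taken between 'sources checked out' and 'compiler invoked'
    means something altered the build inputs during the build window.
    """
    return {
        "modified": sorted(k for k in baseline if k in observed and baseline[k] != observed[k]),
        "added": sorted(k for k in observed if k not in baseline),
        "removed": sorted(k for k in baseline if k not in observed),
    }


def demo() -> dict:
    """Run the check against a constructed source tree and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        # Constructed sample sources; benign placeholder content only.
        (root / "src" / "Program.cs").write_text("class Program { static void Main() {} }\n")
        (root / "src" / "Util.cs").write_text("class Util {}\n")
        (root / "README.md").write_text("not a build input\n")  # ignored by suffix filter
        baseline = build_manifest(root)  # taken right after checkout

        # Simulate an unexpected change to the inputs before the compiler runs
        # (constructed for the demo: one file rewritten, one file newly present).
        (root / "src" / "Program.cs").write_text("class Program { static void Main() { /* changed */ } }\n")
        (root / "src" / "Injected.cs").write_text("class Injected {}\n")
        observed = build_manifest(root)  # taken immediately before compile

        return diff_manifests(baseline, observed)


if __name__ == "__main__":
    result = demo()
    for kind, files in result.items():
        print(f"{kind}: {files}")
```

In a real pipeline the baseline manifest would be produced on a separate, trusted host from the same commit and signed, so that a compromised build agent cannot rewrite both the sources and the baseline; the comparison then runs as a gate that fails the build on any non-empty diff.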
Help Net Security reports "SolarWinds Hack Investigation Reveals New Sunspot Malware"