Operation and Maintenance
Safety
Example Analysis of Security Risks of SolarWinds Supply Chain APT Attack Incident
Example Analysis of Security Risks of SolarWinds Supply Chain APT Attack Incident
Background
On December 13, FireEye, the top security company in the United States (Chinese name: Fire Eye) Released a report stating that it had discovered a global intrusion activity and named the organization UNC2452. The APT organization invaded SolarWinds, implanted malicious code in the SolarWinds Orion commercial software update package, and distributed it. FireEye called it SUNBURST malware. The backdoor contains the ability to transfer files, execute files, analyze the system, reboot the machine, and disable system services, allowing for lateral movement and data theft.
SolarWinds Orion Platform is a powerful, scalable infrastructure monitoring and management platform designed to simplify IT management of on-premises, hybrid and software-as-a-service (SaaS) environments with a single interface. The platform provides real-time monitoring and analysis of network equipment, and supports customized web pages, various user feedback, and map browsing of the entire network.
Event Overview
On December 13, FireEye disclosed that it would commercialize SolarWinds Orion In a software update Trojanized supply chain attack, the SolarWinds digital signature component of the Orion software framework, SolarWinds.Orion.Core.BusinessLayer.dll, is inserted into a backdoor that communicates with a third-party server via HTTP. FireEye said this type of attack may have first appeared in the spring of 2020 and is still ongoing. From March to May 2020, the attacker digitally signed multiple Trojan updates and published them to the SolarWinds update website, including hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/ 2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp. FireEye has released the characteristics and detection rules of the backdoor on GitHub. The GitHub address is as follows:
https://github.com/fireeye/sunburst_countermeasures
File with Trojan implanted For the SolarWinds.Orion.Core.BusinessLayer.dll component, a standard Windows installer patch file. Once the update package is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration) program.
SolarWinds.Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448) is a SolarWinds signature plug-in component of the Orion software framework. The SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer class implements communication with third-party servers through HTTP. , a backdoor that transfers and executes files, analyzes the system, and disables system services. The backdoor’s network transfer protocol is disguised as legitimate SolarWinds activity to evade detection by security tools. 
SolarWinds.Orion.Core.BusinessLayer.dll is signed by solarwind with serial number 0f:e9:73:75:20:22:a6:06:ad:f2:a3:6e: Certificate of 34:5d:c0:ed. The document was signed on March 24, 2020. 
Scope of Impact
Solution
The above is the detailed content of Example Analysis of Security Risks of SolarWinds Supply Chain APT Attack Incident. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
Example analysis of using ZoomEye to find APT attacks
May 27, 2023 pm 07:19 PM
The data online on ZoomEye is in overwrite and update mode, which means that if the data is not scanned in the second scan, the updated data will not be overwritten. The data on ZoomEye will retain the banner data obtained in the first scan. This mechanism is here In fact, there is a good scene fit in the traceability of this kind of malicious attack: the download servers used by malicious attacks such as Botnet, APT and other attacks are usually directly deactivated and discarded after being discovered. Of course, some are hacked targets, and they are also very violent. Go offline directly! Therefore, many attack sites are likely to be cached online by ZoomEye. Of course, with the data provided in the ZoomEye history api, you can query the number of banners obtained by each scan regardless of whether you cover it or not.
What is the difference between Linux package management tools yum and apt?
May 30, 2023 am 09:53 AM
Generally speaking, famous Linux systems are basically divided into two categories: RedHat series: Redhat, Centos, Fedora, etc.; Debian series: Debian, Ubuntu, etc. yum (YellowdogUpdater, Modified) is a Shell front-end package manager in Fedora, RedHat and SUSE. apt (AdvancedPackagingTool) is a shell front-end package manager in Debian and Ubuntu. Overview Generally speaking, the famous Linux systems are basically divided into two categories: RedHat series: Redhat, Cento
How to analyze APT Trojans based on the threat intelligence cycle model
May 14, 2023 pm 10:01 PM
About the Threat Intelligence Processing Cycle Model The term "Threat Intelligence Processing Cycle" (F3EAD) originates from the military. It is a method for organizing resources and deploying troops designed by the US Army's commanders at all levels of the main combat arms. The Network Emergency Response Center draws on this method and processes threat intelligence information in the following six stages: Threat Intelligence Processing Cycle Application of the F3EAD Threat Intelligence Processing Cycle Model Step 1: Find a date on a certain month and deploy it on the partner's public cloud server The "Onion" system alarm found a suspected Trojan horse program, so the emergency response team quickly started the emergency response process: stakeholders and others gathered the group with one click and called in. The victim system is isolated for investigation. The security system and audit logs are exported for traceability analysis. Preparation of business system architecture and code-related information to analyze intrusion breaches and victims
How to change Ubuntu's apt-get update source?
Jan 05, 2024 pm 03:40 PM
Manually modify Ubuntu's apt-get source 1. Use the ssh tool to connect to Ubuntu (I use xshell) 2. Type cd/etc/apt/3 on the command line and back up the source.list file in this directory (you must have sudo permissions) ), then there is a source.list.bak file. 4. Clear the source.list file content (note: it cannot be restored after clearing, so you need to perform the previous step to back up the file in advance). At this time, use sudo to prompt that the permissions are insufficient. Switch directly to the root user and execute this command. 5. Use vim to open source.list, press the i key to enter the editing mode, paste the source address to be modified, and then press
Tutorial on installing php8 on deepin system.
Feb 19, 2024 am 10:50 AM
To install PHP8 on Deepin system, you can follow the steps below: Update the system: Open a terminal and execute the following command to update the system packages: sudoaptupdatesudoaptupgrade Add Ondřej SurýPPA source: PHP8 can be installed through Ondřej SurýPPA source. Execute the following command to add the source: sudoaptinstallsoftware-properties-commonsudoadd-apt-repositoryppa:ondrej/php Update the package list: Execute the following command to update the package list to get PHP in the PPA source
Tutorial on compiling and installing Docker on Ubuntu 18.04 system.
Feb 19, 2024 pm 02:03 PM
The following is a tutorial for compiling and installing Docker on Ubuntu18.04 system: Uninstall the old version of Docker (if installed): sudoaptremovedockerdocker-enginedocker.iocontainerdrunc Update system packages: sudoaptupdatesudoaptupgrade Install Docker dependencies: sudoaptinstallapt-transport-httpsca-certificatescurlsoftware-properties-commonAdd Docker Official GPG key: curl-
Tutorial on compiling and installing MySQL5.7 on Ubuntu 20.04 system.
Feb 19, 2024 pm 04:57 PM
MySQL 5.7 can be installed by using the official MySQL APT repository. The following are the steps to install MySQL5.7 through the official APT repository on Ubuntu20.04 system: Add the MySQLAPT repository: wgethttps://dev.mysql.com/get/mysql-apt-config_0.8.17-1_all.debsudodpkg-imysql -apt-config_0.8.17-1_all.deb During the installation process, you will see a configuration interface. Select the MySQLServer version as 5.7, and then complete the configuration. Update package list: sud
Can't find yum and installation method in Ubuntu system!
Mar 02, 2024 pm 01:07 PM
yum is the package manager in the RedHat series distributions (such as RHEL and CentOS), while Ubuntu uses another package manager called apt (AdvancedPackageTool). In Ubuntu systems, you can use the apt command to manage software packages. Following are the basic steps to install packages in Ubuntu system: Update package index Before performing any installation operation, first execute the following command to update the package index: sudoaptupdate Installing a package Use the following command to install a specific package: sudoaptinstallpackage_name will "package_name̶
