Almost a year ago, security researchers uncovered one of the worst data breaches in modern history: a Kremlin-backed hacking campaign had penetrated SolarWinds' network and, from there, picked its way into the networks of the company's high-profile customers, including nine US federal agencies.
Microsoft named the intruders "Nobelium". They were eventually expelled from the company's networks, but the group never gave up; if anything, it has grown bolder and more skilled at penetrating large numbers of targets with a single blow.
A report published on Monday by security firm Mandiant details many of Nobelium's tricks, and some of its mistakes, as it has continued to penetrate high-value networks.
Exploiting trust
Part of what made Nobelium so damaging was its creativity in TTPs, hacker jargon for the tactics, techniques and procedures used in an intrusion. Instead of breaking into each target one by one, the group compromised the network of SolarWinds, whose customer list includes major organizations, and exploited the trust those customers placed in the company to push a malicious update to nearly 18,000 of them.
In that way the hackers could slip into all of those organizations at once. It is as if a thief broke into a locksmith's workshop and walked out with a master key that opens every building in the neighborhood, sparing him the effort of picking each lock separately. Nobelium's method was not only scalable and effective; it also made the group's tracks easy to hide, precisely because customers trusted SolarWinds.
The Mandiant report shows that Nobelium's ingenuity has not waned. Since last year, the company's researchers say, the two hacking groups linked to the SolarWinds intrusion, which Mandiant tracks as UNC3004 and UNC2652, have continued to devise new ways to penetrate large numbers of targets efficiently.
Instead of poisoning SolarWinds' network again, the groups have attacked the networks of cloud solution providers and managed service providers, collectively known as CSPs: outside companies that run servers, maintenance and other technical services on which many large enterprises depend for a wide range of IT services. The intruders then found clever ways to use these compromised suppliers to break into the suppliers' customers.
"This intrusion activity reflects the capabilities of this group, which plans with a high level of attention to the security of its operations," the report states.
The sophistication did not stop there. According to Mandiant, other advanced tactics included using credentials stolen by other, financially motivated hackers who run malware such as CryptBot, an information stealer that harvests victims' credentials, web browser data and cryptocurrency wallets for its operator.
Those credentials allowed the two groups, UNC3004 and UNC2652, to breach targets even when no compromised service provider was involved.
Once inside a network, the groups compromised the organization's spam-filtering system or similar software. Because such systems filter mail for the entire organization, they hold the ability to read email and other data from any account on the network; compromising that one account spared the intruders the trouble of breaking into each mailbox separately.
They also used clever ways to get around security restrictions, such as creating virtual machines to map the internal routing of the networks they intended to penetrate.
And they gained access to the Active Directory tied to the Azure cloud accounts that companies use, and abused that central management tool to steal the keys that sign authentication tokens, which let them defeat the companies' two-factor authentication.
This technique gave the intruders what is known as a Golden SAML, akin to a master key that opens every service relying on the Security Assertion Markup Language (SAML), the protocol behind single sign-on, two-factor authentication and other security mechanisms.
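To make the Golden SAML mechanism concrete, the following Go program models the trust relationship the article describes: the identity provider signs assertions with a token-signing key, the relying service accepts anything that validates under the matching public key, and an attacker holding an exported copy of that key can mint an assertion for any user, claiming any authentication strength, without the identity provider ever seeing it. This is an added illustration written for this page, not code from Mandiant's report or from any Nobelium tooling; the assertion format is a simplified stand-in for signed SAML XML, and the issuer URL, user names and assertion IDs are hypothetical. It also shows the one check that does catch a Golden SAML: correlating the assertion IDs the service accepted against the identity provider's own issuance log, since the signature alone is indistinguishable from a legitimate one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Assertion is a deliberately minimal stand-in for a SAML assertion: the
// fields a relying party keys on, plus a signature over them. Real SAML is
// signed XML, but the trust decision modelled here is the same: the service
// accepts anything that validates under the IdP's token-signing certificate.
type Assertion struct {
	ID           string // unique assertion ID, which the IdP normally logs
	Issuer       string // entity ID of the identity provider
	Subject      string // the user the service will log in
	AuthnContext string // how strongly the IdP claims the user authenticated
	Sig          []byte
}

const (
	issuer = "https://sts.example.test/adfs/services/trust" // hypothetical IdP
	ctxPwd = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
	ctxMFA = "http://schemas.microsoft.com/claims/multipleauthn" // MFA method claim
)

func (a Assertion) payload() []byte {
	return []byte(strings.Join([]string{a.ID, a.Issuer, a.Subject, a.AuthnContext}, "|"))
}

func sign(key *rsa.PrivateKey, a Assertion) Assertion {
	h := sha256.Sum256(a.payload())
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	a.Sig = sig
	return a
}

// IdP models the federation server. It holds the token-signing key and
// records every assertion it issues, which is the record a defender has.
type IdP struct {
	Key    *rsa.PrivateKey
	Issued map[string]bool
	n      int
}

func NewIdP() *IdP {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &IdP{Key: key, Issued: map[string]bool{}}
}

// Issue is the legitimate path: the user authenticated, so the IdP mints and logs an assertion.
func (i *IdP) Issue(subject string) Assertion {
	i.n++
	a := Assertion{ID: fmt.Sprintf("_idp-%d", i.n), Issuer: issuer, Subject: subject, AuthnContext: ctxPwd}
	i.Issued[a.ID] = true
	return sign(i.Key, a)
}

// Forge is the Golden SAML: an attacker holding the exported token-signing key
// mints an assertion for any subject, asserts that MFA was satisfied, and the
// IdP's log never sees it, because the IdP was never involved.
func Forge(stolen *rsa.PrivateKey, subject string) Assertion {
	a := Assertion{ID: "_forged-" + subject, Issuer: issuer, Subject: subject, AuthnContext: ctxMFA}
	return sign(stolen, a)
}

// Verify is the relying party's check: signature valid under the IdP's public key.
func Verify(pub *rsa.PublicKey, a Assertion) bool {
	h := sha256.Sum256(a.payload())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], a.Sig) == nil
}

// Unlogged is the detection: assertion IDs the relying party accepted but the
// IdP never issued. Cryptography cannot flag them; only correlation can.
func Unlogged(idp *IdP, accepted []Assertion) []string {
	var out []string
	for _, a := range accepted {
		if !idp.Issued[a.ID] {
			out = append(out, a.ID)
		}
	}
	return out
}

func main() {
	idp := NewIdP()
	legit := idp.Issue("alice@example.test")
	forged := Forge(idp.Key, "globaladmin@example.test") // attacker already has the key
	var accepted []Assertion
	for _, a := range []Assertion{legit, forged} {
		if Verify(&idp.Key.PublicKey, a) { // the service cannot tell them apart
			accepted = append(accepted, a)
		}
	}
	fmt.Println("accepted:", len(accepted), "unlogged:", Unlogged(idp, accepted))
}
```

Two points follow from running it. First, no amount of hardening at the relying service helps once the signing key is gone: the forged assertion verifies exactly like the real one and carries an MFA claim the user never performed, which is why the article describes the technique as bypassing two-factor authentication. Second, the useful detection is an audit-log join rather than a signature check: assertions consumed by a service (for instance, cloud sign-in logs) with no matching issuance event on the federation server are the signature of a Golden SAML, and the only real remediation is rotating the token-signing key.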