Update Advisory for APT Attacks on the SolarWinds Products
  • Advisory
  • January 4, 2021

SUPERNOVA Malware

SUPERNOVA is not malicious code embedded in the Orion® Platform builds as part of the supply chain attack. It is malware placed separately on a server, which requires the attacker to already have unauthorized access to the customer's network, and it is designed to look like part of a SolarWinds product. SUPERNOVA consists of two components. The first is a malicious, unsigned webshell DLL, "app_web_logoimagehandler.ashx.b6031896.dll", written specifically to run on the SolarWinds Orion Platform. The second is the exploitation of a vulnerability in the Orion Platform that enables deployment of the malicious code. That vulnerability has been resolved in the latest Orion updates. Because unauthorized network access is a prerequisite, finding this DLL on an Orion server is evidence that the host was already compromised, not merely that it ran an affected build; treat it as an incident, not only as a patching task.

SUNBURST Malware

SolarWinds was the victim of a cyberattack on its systems that inserted malicious code (SUNBURST) into the Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. If present and activated, SUNBURST could allow an attacker to compromise the server on which the Orion products run. This was a sophisticated supply chain attack: the vendor's build process was subverted so that the product itself delivered the attacker's code to every customer who installed an affected version. In this case, the code appears to have been intended for targeted use, since exploiting it requires manual intervention by the attacker.
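A small triage script for the two points above, added here as an example; it is not SolarWinds' own tooling. It walks a directory you point it at (assumed to be the Orion web root; the demo builds a throwaway tree instead) for any file carrying the SUPERNOVA webshell name and reports its SHA-256 so you can compare against vendor-published indicators (no hash is hard-coded here), and it classifies an Orion version label against the three builds the SUNBURST advisory lists. The version regex and the sample tree are this example's own assumptions.

```python
"""Triage helpers for the SUPERNOVA webshell and SUNBURST-affected Orion builds.

Added example, not SolarWinds' code. It uses only the file name and the build
versions named in the advisory; the directory to scan is supplied by the caller.
"""
import hashlib
import os
import re
import tempfile

# File name of the SUPERNOVA webshell DLL named in the advisory.
SUPERNOVA_DLL = "app_web_logoimagehandler.ashx.b6031896.dll"

# Builds the advisory lists as carrying SUNBURST, as (version, hotfix number).
# "2020.2 with no hotfix installed" is represented as hotfix 0.
SUNBURST_BUILDS = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}

# Assumed label format, e.g. "2020.2 HF 1" or "2019.4.1"; adjust if yours differs.
_VERSION_RE = re.compile(r"^\s*(\d{4}(?:\.\d+)+)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(label):
    """Turn a label such as '2020.2 HF 1' into ('2020.2', 1); None if unparseable."""
    m = _VERSION_RE.match(label)
    if not m:
        return None
    return (m.group(1), int(m.group(2) or 0))


def is_sunburst_build(label):
    """True if the label is one of the builds the advisory lists as affected."""
    parsed = parse_orion_version(label)
    return parsed is not None and parsed in SUNBURST_BUILDS


def sha256_of(path):
    """Streamed SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_supernova(web_root):
    """Return [(path, sha256)] for every file under web_root whose name matches
    the SUPERNOVA DLL, case-insensitively (Windows file systems ignore case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() == SUPERNOVA_DLL:
                full = os.path.join(dirpath, name)
                hits.append((full, sha256_of(full)))
    return hits


def build_sample_web_root():
    """Constructed sample tree for offline demonstration: one benign DLL and one
    placeholder file carrying the SUPERNOVA name (in upper case) under 'bin'."""
    root = tempfile.mkdtemp(prefix="orion_demo_")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "SolarWinds.Example.dll"), "wb") as f:
        f.write(b"MZ benign placeholder")
    with open(os.path.join(root, "bin", SUPERNOVA_DLL.upper()), "wb") as f:
        f.write(b"MZ placeholder standing in for the webshell")
    return root


if __name__ == "__main__":
    for label in ("2019.4 HF 5", "2020.2", "2020.2 HF 1", "2020.2.1 HF 2"):
        print(f"{label:14s} SUNBURST-affected build: {is_sunburst_build(label)}")
    for path, digest in find_supernova(build_sample_web_root()):
        print(f"SUPERNOVA name match: {path} sha256={digest}")
```

On a real server, point `find_supernova` at the Orion web root and the ASP.NET temporary compilation directories, and compare any reported hash with the vendor's published indicators before acting on it.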

Security Advisory on Phishing Attacks
  • Advisory
  • December 15, 2020

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card information. It occurs when an attacker pretends to be a trusted entity to dupe a victim into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the disclosure of sensitive information. Phishing remains one of the most widespread and damaging cyberattacks, and it can lead to financial loss, data loss and reputational damage.

How to Detect Phishing Attacks

Be suspicious of every request. Ask, "Is this real?" Use the following checklist to spot common signs of a phishing message:

  1. Message indicates urgent action is needed
  2. Message indicates negative consequences will occur if action is not taken
  3. Message is not expected
  4. Message sender is not known
  5. Message cannot be read without opening an attachment
  6. Message requests sensitive information be sent
  7. Message directs users to "click here"
  8. Message uses poor grammar and/or spelling
  9. Sender's From: display name does not match the message signature
  10. Sender's email address does not match the organization name
  11. Sender's email address is not exactly the same as the real address (look for extra, missing or swapped characters)
  12. Web site address (URL) of the linked site does not match the organization

Types of Phishing Techniques

Five key phishing techniques that are commonly employed:

1) Link manipulation: Link manipulation fraudulently directs a user to click a link that leads to a fake website. Common tricks are deceptive subdomains (the real brand name placed in front of an attacker-controlled domain, e.g. the brand's domain appearing as a subdomain of another site), hidden URLs (link text that differs from the actual destination), misspelled URLs (typosquatting) and IDN homograph attacks (look-alike Unicode characters substituted into the hostname).

2) Smishing: Smishing is phishing carried out over SMS text messages: the attacker tries to trick the victim into giving up private information, usually through a link in the message.

3) Vishing: Vishing is the telephone version of phishing, a voice scam. Like email phishing and smishing, vishing is designed to trick victims into sharing personal information such as PINs, credit card security codes, passwords and other personal data. Vishing calls often appear to come from an official source such as a bank or a government organization.

4) Website forgery: Website forgery makes a malicious website impersonate an authentic one so that visitors give up sensitive information such as account details, passwords and credit card numbers. It is mainly carried out in two ways: cross-site scripting, where the attacker injects content into pages of the genuine site so that the forged form is served from the real domain, and website spoofing, where a look-alike copy of the site is hosted on an attacker-controlled domain.

5) Pop-ups: Pop-up messages, besides being intrusive, are one of the easiest ways to conduct a phishing scam. The attacker sends the user a pop-up that harvests login details directly or leads them to a forged website.
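Most of the checklist above (items 1, 2, 6, 9 to 12) and the link-manipulation tricks in technique 1 can be checked mechanically before a message reaches a user. The script below is an added example, not from the original advisory: it scores a constructed sample message that exhibits several signs at once. The brand domain examplebank.com, the word lists and the message itself are assumptions made for the demonstration; the registrable-domain helper is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Check an e-mail message against the phishing signs and link tricks above.

Added example, not from the original advisory. The brand domain examplebank.com,
the word lists and the sample message are constructed for demonstration.
"""
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}                                      # assumed
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")  # items 1, 2
SECRET_WORDS = ("password", "pin", "card number", "security code")         # item 6

# Constructed sample. Link 1 hides a foreign destination behind a genuine-looking
# URL and puts the brand in a subdomain; link 2 swaps Latin 'a' for Cyrillic 'a'
# (U+0430), an IDN homograph; link 3 is a typosquat ('rn' in place of 'm').
SAMPLE_EMAIL = (
    "From: ExampleBank Security <alerts@examplebank-alerts.net>\n"
    "Subject: URGENT: account suspended\n"
    "\n"
    "<p>Your account is suspended. Confirm your password within 24 hours.</p>\n"
    '<p><a href="http://examplebank.com.login-check.net/verify">'
    "https://examplebank.com/secure</a></p>\n"
    '<p><a href="http://ex\u0430mplebank.com/reset">Reset password</a></p>\n'
    '<p><a href="http://exarnplebank.com/">exarnplebank.com</a></p>\n'
    "<p>Regards,<br>Acme Payments Support Team</p>\n"
)


def registrable(host):
    """Last two labels of a host. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to spot typosquatted look-alikes of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(href, visible=""):
    """Return [(sign, detail)] for the link-manipulation tricks a URL exhibits."""
    host = (urlparse(href).hostname or "").lower()
    reg = registrable(host)
    signs = []
    odd = [c for c in host if ord(c) > 127]
    if odd or any(label.startswith("xn--") for label in host.split(".")):
        try:
            ascii_form = host.encode("idna").decode()
        except UnicodeError:
            ascii_form = host
        names = ", ".join(unicodedata.name(c, "?") for c in odd)
        signs.append(("idn_homograph", f"{host} is {ascii_form} ({names})"))
    if reg not in TRUSTED_DOMAINS:
        if any(host.startswith(t + ".") or f".{t}." in host for t in TRUSTED_DOMAINS):
            signs.append(("brand_in_subdomain", f"{host} is really under {reg}"))
        near = [t for t in TRUSTED_DOMAINS if 0 < levenshtein(reg, t) <= 2]
        if near:
            signs.append(("lookalike_domain", f"{reg} resembles {near[0]}"))
    if "://" in visible or visible.lower().startswith("www."):
        shown = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
        if registrable(shown) != reg:
            signs.append(("hidden_url", f"shows {shown} but goes to {host}"))
    return signs


def analyze(raw):
    """Apply the checklist to a raw message; returns [(sign, detail)]."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    name, addr = parseaddr(headers.get("from", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    signs = []
    # Items 10 and 11: display name claims the brand, address domain is not the brand's.
    brand_claimed = any(t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS)
    if brand_claimed and registrable(sender_domain) not in TRUSTED_DOMAINS:
        signs.append(("sender_domain_mismatch", f"'{name}' sends from {sender_domain}"))
    text = re.sub(r"<[^>]+>", " ", body)
    lowered = (headers.get("subject", "") + " " + text).lower()
    for sign, words in (("urgency", URGENCY_WORDS), ("requests_secret", SECRET_WORDS)):
        hit = next((w for w in words if w in lowered), None)
        if hit:
            signs.append((sign, hit))
    # Item 9: the last line (the signature) does not mention the From display name.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    signature = lines[-1] if lines else ""
    if name and not any(tok in signature.lower() for tok in re.findall(r"[a-z]{4,}", name.lower())):
        signs.append(("signature_mismatch", f"'{name}' vs '{signature}'"))
    # Items 7 and 12 plus technique 1: inspect every link's real destination.
    for href, shown in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        signs.extend(classify_url(href, re.sub(r"<[^>]+>", "", shown).strip()))
    return signs


if __name__ == "__main__":
    for sign, detail in analyze(SAMPLE_EMAIL):
        print(f"{sign:22s} {detail}")
```

The homograph check reports the punycode (xn--) form of the hostname, which is what the browser and DNS actually resolve; showing that form next to the display form is usually enough to convince a user that the link is not what it looks like.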

Security Advisory on Apple Chips Malware
  • Advisory
  • February 23, 2021

Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users; when clicked, these download and install unwanted apps with information-gathering features. Pirrit is one of the oldest and most active Mac adware families and is known to change constantly in an attempt to evade detection, so it is unsurprising that it has already begun adapting to Apple's M1 chip.

The GoSearch22 adware presents itself as a legitimate Safari browser extension, but it collects user data and serves a large number of ads, such as banners and pop-ups, some of which link to malicious websites that spread more malware. The adware was signed with an Apple Developer ID in November 2020 to further conceal its malicious content; that certificate has since been revoked. Revocation stops new copies from passing Gatekeeper, but it does not remove installations that are already in place, so existing Macs still need to be checked.

Advisory on Windows Vulnerabilities
  • Advisory
  • February 25, 2021

Windows is the most widely used desktop operating system, reported to serve more than 75% of desktop users, and it is correspondingly among the products most targeted by cyberattacks: by recent counts, more than 80% of detected malware targets Windows.

Two updated versions of the LodaRAT malware were discovered targeting Windows users; the attack vector was spam email carrying links to malicious applications or documents. The previously reported TrickBot malware also returned in a newer version that uses the Windows Task Scheduler as its persistence mechanism, re-launching the malware from a scheduled task.

Security experts have also warned against continuing to run Windows 7, which reached end of life on January 14, 2020 and no longer receives security updates, in order to minimize the impact of the many attacks on Windows products. Microsoft advised updating systems to address the critical Zerologon flaw (tracked as CVE-2020-1472), a weakness in the Netlogon Remote Protocol that allows an unauthenticated attacker with network access to a Microsoft Active Directory domain controller to take control of it; patching every domain controller is the required fix.
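Scheduled-task persistence of the kind the TrickBot variant above uses leaves a record that can be audited: every task is stored as XML under C:\Windows\System32\Tasks and can be exported with `schtasks /query /tn <name> /xml`. The following script is an added example, not from the original advisory: it applies generic persistence heuristics (hidden task, logon trigger, short repeat interval, executable in a user-writable path, script host with suspicious arguments) to two constructed task definitions. The heuristics and samples are this example's own and are not indicators for any specific malware family.

```python
"""Flag scheduled tasks that look like malware persistence.

Added example, not from the original advisory. The two definitions are
constructed samples in the Task Scheduler XML format; the heuristics below are
this example's own assumptions, not indicators for TrickBot or any other family.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Paths an ordinary user can write to; legitimate persistence rarely runs from them.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|programdata|downloads)\\|\\users\\public\\"
    r"|^%(appdata|localappdata|temp|tmp|public)%", re.I)
# Script hosts malware commonly schedules, and argument patterns that go with abuse.
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "cmd"}
SUSPICIOUS_ARGS = re.compile(
    r"-enc\b|-encodedcommand|-w(indowstyle)?\s+hidden|bypass|https?://|\.(js|vbs|hta)\b", re.I)

# Constructed sample: a daily inventory agent installed under Program Files.
SAMPLE_BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Contoso IT</Author><URI>\\Contoso\\InventoryAgent</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2021-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\\Program Files\\Contoso\\agent.exe</Command>
    <Arguments>--inventory</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: hidden task that re-runs a binary from %APPDATA% at logon
# and every ten minutes, plus a hidden, encoded PowerShell action.
SAMPLE_SUSPECT = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SystemUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><StartBoundary>2021-02-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>%APPDATA%\\svchost.exe</Command></Exec>
    <Exec><Command>powershell.exe</Command><Arguments>-w hidden -enc SQBFAFgA</Arguments></Exec></Actions>
</Task>"""


def _text(elem, tag):
    """Text of a direct child element, or '' if the parent or child is missing."""
    child = elem.find(NS + tag) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def assess_task(xml_text):
    """Return (task_uri, reasons); an empty reasons list means nothing stood out."""
    root = ET.fromstring(xml_text)
    uri = _text(root.find(NS + "RegistrationInfo"), "URI")
    reasons = []
    if _text(root.find(NS + "Settings"), "Hidden").lower() == "true":
        reasons.append("hidden from the Task Scheduler UI")
    triggers = root.find(NS + "Triggers")
    if triggers is not None:
        if triggers.find(NS + "LogonTrigger") is not None:
            reasons.append("runs at every logon")
        for interval in triggers.iter(NS + "Interval"):
            m = re.fullmatch(r"PT(\d+)M", interval.text or "")
            if m and int(m.group(1)) <= 15:
                reasons.append(f"re-runs every {m.group(1)} minutes")
    for action in root.iter(NS + "Exec"):
        cmd, args = _text(action, "Command"), _text(action, "Arguments")
        if USER_WRITABLE.search(cmd):
            reasons.append(f"runs from a user-writable path: {cmd}")
        base = re.sub(r"\.exe$", "", cmd.rsplit("\\", 1)[-1].lower())
        if base in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(args):
            reasons.append(f"{base} with suspicious arguments: {args}")
    return uri, reasons


def triage(task_xmls):
    """Assess several exported tasks and keep only those with findings."""
    results = [assess_task(x) for x in task_xmls]
    return [(uri, reasons) for uri, reasons in results if reasons]


if __name__ == "__main__":
    for uri, reasons in triage([SAMPLE_BENIGN, SAMPLE_SUSPECT]):
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

Run it over the XML files under C:\Windows\System32\Tasks (or a batch of `schtasks /query /xml` exports) and review every task that produces findings; a task that is hidden, runs from a user-profile path and repeats every few minutes is the pattern to prioritise, since that is what keeps a loader alive after its process is killed.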