fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

SolarWinds Hackers Used 7-Zip Code To Hide Raindrop Cobalt Strike Loader

SolarWinds Hackers Used 7-Zip Code To Hide Raindrop Cobalt Strike Loader

The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool that researchers call Raindrop and was used for distribution across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

  • Sunspot, the initial malware used to inject backdoors into the Orion platform builds
  • Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
  •  Teardrop post-exploitation tool delivered by Sunburst on select victims deploy customized Cobalt Strike beacons
  • Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but it is different as far as the deployment mechanism is concerned, as well as at the code level.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code only acts as a cover as it is not used in any way.

In one victim that installed the trojanized Orion platform in early July 2020, Symantec found that teardrop came the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where malicious activity had not been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers used PowerShell for lateral movement activity by creating new tasks on remote machines.

Symantec has seen four samples of the new malware, all delivering a Cobalt Strike beacon. In three cases, the payload was configured to communicate HTTPS. In the last instance, the communication occurred over an SMB Named Pipe, likely because the computer did not have internet access and another computer on the network was used for command and control.

Also Read: Letter of Consent MOM: Getting the Details Right

Symantec finding Raindrop adds another piece to the SolarWinds supply-chain attack puzzle. It reveals another aspect of the operation, giving defenders and investigators new avenues to explore in their effort to clean impacted networks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us