UNC2452
Associated Group Descriptions

Name | Description
---|---
NOBELIUM | (Citation: MSTIC NOBELIUM Mar 2021)
StellarParticle | (Citation: CrowdStrike SUNSPOT Implant January 2021)
Dark Halo | (Citation: Volexity SolarWinds)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1098.001 | Account Manipulation: Additional Cloud Credentials | UNC2452 added credentials to OAuth Applications and Service Principals. (Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)
Enterprise | T1098.002 | Account Manipulation: Additional Email Delegate Permissions | UNC2452 added their own devices as allowed IDs for active sync using
Enterprise | T1583.001 | Acquire Infrastructure: Domains | UNC2452 has acquired C2 domains through resellers. (Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | UNC2452 used HTTP for C2 and data exfiltration. (Citation: Volexity SolarWinds)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration. (Citation: Volexity SolarWinds)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands. (Citation: Volexity SolarWinds)(Citation: Microsoft Analyzing Solorigate Dec 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | UNC2452 used
Enterprise | T1584.001 | Compromise Infrastructure: Domains | UNC2452 has compromised domains to use for C2. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1074.002 | Data Staged: Remote Data Staging | UNC2452 staged data and files in password-protected archives on a victim's OWA server. (Citation: Volexity SolarWinds)
Enterprise | T1587.001 | Develop Capabilities: Malware | UNC2452 developed SUNSPOT, SUNBURST, TEARDROP, and Raindrop; SUNSPOT and SUNBURST were tailored to be incorporated into the SolarWinds Orion software library. (Citation: FireEye SUNBURST Backdoor December 2020)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1484.002 | Domain Policy Modification: Domain Trust Modification | UNC2452 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate. (Citation: Microsoft 365 Defender Solorigate)
Enterprise | T1114.002 | Email Collection: Remote Email Collection | UNC2452 collected emails from specific individuals, such as executives and IT staff, using
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | UNC2452 used WMI event subscriptions for persistence. (Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers. (Citation: Volexity SolarWinds)
Enterprise | T1606.001 | Forge Web Credentials: Web Cookies | UNC2452 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key. (Citation: Volexity SolarWinds)
Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | UNC2452 created tokens using compromised SAML signing certificates. (Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products. (Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1562.002 | Impair Defenses: Disable Windows Event Logging | UNC2452 used
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | UNC2452 used
Enterprise | T1070.004 | Indicator Removal: File Deletion | UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved. (Citation: FireEye SUNBURST Backdoor December 2020)
Enterprise | T1070.006 | Indicator Removal: Timestomp | UNC2452 modified timestamps of backdoors to match legitimate Windows files. (Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | UNC2452 named tasks
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | UNC2452 renamed a version of AdFind to
Enterprise | T1003.006 | OS Credential Dumping: DCSync | UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers. (Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1090.001 | Proxy: Internal Proxy | UNC2452 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion. (Citation: Symantec RAINDROP January 2021)
Enterprise | T1021.006 | Remote Services: Windows Remote Management | UNC2452 has used WinRM via PowerShell to execute commands and payloads on remote hosts. (Citation: Symantec RAINDROP January 2021)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | UNC2452 used
Enterprise | T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline. (Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | UNC2452 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle. (Citation: FireEye SUNBURST Backdoor December 2020)
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | UNC2452 gained initial network access via a trojanized update of SolarWinds Orion software. (Citation: FireEye SUNBURST Backdoor December 2020)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | UNC2452 used Rundll32 to execute payloads. (Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through. (Citation: MSTIC NOBELIUM Mar 2021)
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates. (Citation: Microsoft 365 Defender Solorigate)
Enterprise | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | UNC2452 used a forged
References
- MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.