Sunburst is the malware used to target widely used Orion Software
As per the recent reports, researchers have discovered Sunspot, a piece of malware used by the SolarWinds attackers to insert the Sunburst malware in the widely used Software Orion affecting Middle Eastern companies on a large scale.
Researchers at Kaspersky lab found several similarities between the Sunburst malware and known versions of Kazuar a backdoor that has been linked to the Turla APT group (widely believed to be sponsored by the Russian state).
The overlapping features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash. According to the experts, these code fragments are not 100% identical, suggesting Kazuar and Sunburst may be related, though the nature of this relation is still not entirely clear.
As per Microsoft, victims of the SolarWinds breach include organizations in the UAE and Israel in addition to entities in North America and Europe.
More than 40 Microsoft customers that use the SolarWinds’ Orion network and applications monitoring platform have been compromised, according to a blog post by Microsoft President Brad Smith. Microsoft detected the breach based on telemetry from its Defender security software, among customers that use that product as well as the Orion platform, Smith said.
While 80% percent of those customers are in the US, others are located in Canada, Mexico, Belgium, Spain, the UK, in addition to the UAE and Israel, according to Smith.
Solar Wind’s new CEO Sudhakar Ramakrishna said on Monday that company is working with cybersecurity company CrowdStrike, advisory firm KPMG, and other industry experts to perform their root cause analysis of the attack.
He shared an attacked timeline which revealed source of Sunburst code injection into source of Orion’s platform.
Ramakrishna also confirmed that the attackers did a test run in late 2019 to make sure SolarWinds would not detect their future malicious efforts, and revealed that they identified two previous customer support incidents during the attack timeline that may be related to Sunburst.
“We investigated the first in conjunction with our customer and two third-party security companies. At that time, we did not determine the root cause of the suspicious activity or identify the presence of the Sunburst malicious code within our Orion Platform software. The second incident occurred in November, and similarly, we did not identify the presence of the Sunburst malicious code. We are still investigating these incidents and are sharing information related to them with law enforcement to support investigation efforts,” he concluded.
This is not the first time Middle East with other major regions has got affected on a large scale due to a software hack; such incidents have seen a surge in last five years. Though, the motive have been different it suggests that there is crucial need to upgrade security features in near future to combat such hacks.