Illusive Networks Advisory – SolarWinds Supply Chain Attack

Since last week and continuing into this week, details of the attack first perpetrated on FireEye and subsequently on the US Government Departments of Treasury and Commerce continue to evolve. We now know that the attack’s origin was the SolarWinds Orion IT management software versions 2019.4 HF 5 and 2020.2 HF 1, containing a backdoor (Sunburst). According to the FireEye analysis, this campaign may have started as early as spring 2020. We recommend you follow the remediation guidelines from SolarWinds, and any other organizations directly involved in the attack.

It’s still early, and industry knowledge about the attack remains incomplete, nevertheless we have learned enough to start developing plans to assess and reduce risk for organizations running the affected versions of SolarWinds Orion software. In this attack, as with most other advanced attacks like APTs and the new forms of targeted (human-operated) ransomware, attackers establish an initial beachhead, surveil their surroundings and move laterally to harvest privileged credentials that give them access to valuable information – “crown jewels”.
Read More

Why Are Ransomware Attacks Still Happening?

Here we go again: this past Thursday, officials from three US federal agencies issued a statement warning about an “imminent cybercrime threat to US hospitals and healthcare providers.” The threat in question comes from a Russia-based cybercriminal gang preparing to disrupt information technology systems at hundreds of hospitals and medical care facilities all over the US with ransomware. The attackers will make devices on the hospital networks unusable unless a sizable payoff is made, and indeed, at least five US hospitals already seem to be under attack. With patient populations surging in the wake of another wave of coronavirus cases and a presidential election on the horizon, the imminent threat could prove catastrophic without the proper security measures to fight back.
Read More