FireEye releases a free tool that audits networks to determine whether certain techniques, known to be employed by SolarWinds hackers, were used
Focusing on UNC2452 TTPs

Lily Hay Newman / Wired : The SolarWinds Hackers Used Tactics Other Groups Will Copy
Zeljka Zorz / Help Net Security : Malwarebytes was breached by the SolarWinds attackers
Alex Scroxton / ComputerWeekly.com : Malwarebytes also hit by SolarWinds attackers
Ravie Lakshmanan / The Hacker News : SolarWinds Hackers Also Breached Malwarebytes Cybersecurity Firm
Bradley Barth / SC Media : SolarWinds attack opened up 4 separate paths to a Microsoft 365 cloud breach
Kieren McCarthy / The Register : FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion
Associated Press : Russia's SolarWinds hack has no easy fix, cybersecurity company says
Eduard Kovacs / SecurityWeek : FireEye Releases New Open Source Tool in Response to SolarWinds Hack
Wire / WRAL TechWire : Security firm releases guidance to fight massive hack with Triangle connection

Tweets:

Selena / @selenalarson : The “SolarWinds actor” has been busy. And we've likely only seen a small fraction of its activities. Interesting similarities in using/exploiting MSFT cloud services for reconnaissance activities. Mimecast: https://www.reuters.com/... Malwarebytes: https://blog.malwarebytes.com/...

Runa Sandvik / @runasand : Remember the SolarWinds breach? Here's @mkleczynski confirming “the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.” https://blog.malwarebytes.com/...

Lance Ulanoff / @lanceulanoff : Answering that age-old question, “Have I been hacked?” https://www.zdnet.com/...

@fireeye : As we continue to help organizations detect, protect against, and respond to the group behind the SUNBURST malware, #UNC2452, @Mandiant has released a new white paper and investigative tool. Learn more: https://www.fireeye.com/... https://twitter.com/...

@mandiant : Today we've released a white paper and investigative tool to help orgs detect, protect against, and respond to #UNC2452, the group behind the SUNBURST malware and supply chain attack. Check out the white paper: https://www.fireeye.com/... https://twitter.com/...

Eric Geller / @ericgeller : If you use Microsoft cloud tools, FireEye has some advice for stopping hackers from compromising your org's authentication services, something that the SolarWinds hackers have been doing after they initially breach a network. https://www.fireeye.com/...

Nick Carr / @itsreallynick : 🪙 On #GoldenSAML remediation:
• Rotate the token-signing AD FS certificate in rapid succession twice
👉 If only rotated once, a copy of the previous [compromised?] certificate will still be resident in Azure AD, and can still be used to forge SAML tokens
https://www.fireeye.com/... https://twitter.com/...

Doug Bienstock / @doughsec : We've summarized 4 primary techniques we've seen #UNC2452 and other TAs use while moving laterally to the M365 cloud. Technical details, detect, prevent, and recovery advice: https://www.fireeye.com/... shouts to co-authors Matthew McWhirt, Nick Bennet, and @mburns7

Catalin Cimpanu / @campuscodi : NEW: FireEye releases tool for auditing networks for techniques used by SolarWinds hackers https://www.zdnet.com/... Tool is called Azure AD Investigator, and you can get it from here: https://github.com/... https://twitter.com/...