Rewterz Threat Alert – SolarWinds Breach Used to Infiltrate Customer Networks – IoCs

Severity

High

Analysis Summary

A widespread campaign has been uncovered, tracked as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. FireEye is tracking this as a global intrusion campaign.

The attack began as a supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware called SUNBURST. The attacker’s post-compromise activity leverages multiple techniques to evade detection. The campaign is widespread, affecting public and private organizations around the world. It is the work of a highly skilled actor, and the operation was conducted with significant operational security.

Impact

  • Unauthorized Access
  • Data Theft
  • Detection Evasion
  • Global Intrusion

Indicators of Compromise

Domain Name

  • avsvmcloud[.]com
  • zupertech[.]com
  • websitetheme[.]com
  • thedoccloud[.]com
  • panhardware[.]com
  • incomeupdate[.]com
  • highdatabase[.]com
  • freescanonline[.]com
  • deftsecurity[.]com
  • databasegalore[.]com

Hostname

  • mhdosoksaccf9sni9icp[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
  • k5kcubuassl3alrf7gm3[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
  • gq1h856599gqh538acqn[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
  • 7sbvaemscs0mc925tb99[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
  • 6a57jk2ba1d9keg15cbg[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com
  • appsync-api[.]us-west-2[.]avsvmcloud[.]com

MD5

  • 846e27a652a5e1bfbd0ddd38a16dc865
  • b91ce2fa41029f6955bff20079468448
  • 2c4a910a1299cdae2a4e55988a2f102e
  • 56ceb6d0011d87b6e4d7023d7ef85676
  • 02af7cec58b9a5da1c542b5a32151ba1

SHA-256

  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600

SHA1

  • d130bd75645c2433f88ac03e73395fba172ef676
  • 76640508b1e7759e548771a5359eaed353bf1eec
  • 2f1a5a7411d015d01aaee4535835400191645023
  • 75af292f34789a1c782ea36c7127bf6106f595e8
  • 1b476f58ca366b54f34d714ffce3fd73cc30db1a

Source IP

  • 51[.]89[.]125[.]18
  • 5[.]252[.]177[.]25
  • 5[.]252[.]177[.]21
  • 204[.]188[.]205[.]176
  • 139[.]99[.]115[.]204

Remediation

  • Block the threat indicators at their respective controls (DNS, proxy, firewall and endpoint hash blocklists).
  • See the link below for further countermeasures:
  • https://github.com/fireeye/sunburst_countermeasures/tree/main
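The advisory lists its indicators in defanged form (`[.]` in place of `.`), so they cannot be pasted straight into a matcher. The following Python script is an added example and is not part of the Rewterz advisory or the FireEye countermeasures repository: it refangs a subset of the domains, IPs and hashes listed above, matches DNS queries against the domains including subdomains (which is what catches the generated `appsync-api.*.avsvmcloud.com` hostnames), and runs over a few constructed key=value log lines. The log format, the field names (`query`, `dst`, `md5`, `sha256`) and the sample lines are assumptions for the example.

```python
"""Match the advisory's defanged IoCs against key=value log records (added example)."""
import re
from typing import Dict, List

# Indicators copied from the advisory above, still defanged. Subset for brevity.
DEFANGED_DOMAINS = [
    "avsvmcloud[.]com", "zupertech[.]com", "websitetheme[.]com",
    "thedoccloud[.]com", "panhardware[.]com", "incomeupdate[.]com",
    "highdatabase[.]com", "freescanonline[.]com", "deftsecurity[.]com",
    "databasegalore[.]com",
]
DEFANGED_IPS = [
    "51[.]89[.]125[.]18", "5[.]252[.]177[.]25", "5[.]252[.]177[.]21",
    "204[.]188[.]205[.]176", "139[.]99[.]115[.]204",
]
HASHES = {
    "846e27a652a5e1bfbd0ddd38a16dc865",                                  # MD5
    "2c4a910a1299cdae2a4e55988a2f102e",                                  # MD5
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",  # SHA-256
    "d130bd75645c2433f88ac03e73395fba172ef676",                          # SHA1
}


def refang(indicator: str) -> str:
    """Turn the defanged form (x[.]y, hxxp) back into a matchable lowercase value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_matches(name: str) -> bool:
    """True if name equals a listed domain or is a subdomain of one.

    Suffix matching on ".<domain>" avoids a false hit on e.g. notavsvmcloud.com
    while still catching the generated appsync-api hostnames from the advisory.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


# Assumed log format for the example: whitespace-separated key=value pairs.
LOG_RE = re.compile(r"(?P<key>\w+)=(?P<val>\S+)")


def scan_line(line: str) -> List[str]:
    """Return the indicator types ("domain", "ip", "hash") hit by one log line."""
    fields = dict(LOG_RE.findall(line))
    hits: List[str] = []
    if domain_matches(fields.get("query", "")):
        hits.append("domain")
    if any(fields.get(k) in IPS for k in ("src", "dst")):
        hits.append("ip")
    if any(fields.get(k, "").lower() in HASHES for k in ("md5", "sha1", "sha256")):
        hits.append("hash")
    return hits


def scan_logs(lines) -> Dict[int, List[str]]:
    """Map line index -> hit types, keeping only lines that matched something."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}


# Constructed sample records; hostnames, IPs and hashes are the advisory's indicators.
SAMPLE_LOGS = [
    "ts=2020-12-14T10:01:02Z type=dns src=10.0.0.5 "
    "query=7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com",
    "ts=2020-12-14T10:01:05Z type=dns src=10.0.0.7 query=updates.example.com",
    "ts=2020-12-14T10:01:09Z type=conn src=10.0.0.5 dst=5.252.177.21 dport=443",
    "ts=2020-12-14T10:02:00Z type=file host=srv01 name=sample.bin "
    "sha256=ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "ts=2020-12-14T10:02:30Z type=file host=srv02 name=sample2.bin "
    "md5=2C4A910A1299CDAE2A4E55988A2F102E",
]

if __name__ == "__main__":
    for idx, kinds in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(kinds)} -> {SAMPLE_LOGS[idx]}")
```

Hash comparison is case-insensitive and the DNS match is a suffix match, so the script reports the appsync-api query, the connection to a listed IP and both file hashes while leaving the clean lookup alone.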