FireEye details the methods of UNC2452, the hacker group alleged to have stolen Windows source code, and releases a free countermeasure tool

In December 2020 it came to light that the hacker group 'UNC2452' had launched a large-scale cyber attack against a large number of government agencies. Windows source code, said to have been stolen in the course of this attack, has also been put up for sale, which has had a major impact on society. FireEye, a major security company, has now published a detailed explanation of UNC2452's attack methods and released a countermeasure tool free of charge.

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 | FireEye Inc

GitHub --fireeye / Mandiant-Azure-AD-Investigator

The UNC2452 cyber attack was carried out by tampering with a software update for the Orion Platform distributed by SolarWinds. The tampered update was distributed to more than 18,000 companies and government agencies, and is reported to have affected US government departments such as the Treasury, the State Department and the National Institutes of Health, as well as companies such as Microsoft and Cisco Systems. In addition, Windows source code allegedly stolen in the attack was found to be on sale for 62 million yen. Microsoft President Brad Smith described the incident as 'one of the most serious cyber attacks I have seen in the last decade', saying that Microsoft takes the situation seriously.

It was discovered that the Windows source code was for sale for 62 million yen --GIGAZINE

FireEye, which investigated the UNC2452 cyber attack, also found that the Orion Platform software update contained a Trojan horse called 'SUNBURST'. Because the tampered update carried a legitimate digital signature from SolarWinds, the UNC2452 campaign continued unnoticed for approximately nine months after the tampering took place in March 2020.

Hacker group 'UNC2452' that intercepted confidential information of government agencies and companies around the world: the method revealed --GIGAZINE

FireEye's latest research report reveals that UNC2452 used malware-infected hosts to steal the token-signing certificate of the victim's Active Directory Federation Services (AD FS) and forge SAML tokens for any user. Because such a forged token is accepted as if the user had already completed authentication, UNC2452 could log in to applications such as Microsoft 365 as any user without being asked for multi-factor authentication. In addition, UNC2452 added trusted domains to Azure Active Directory in order to register an identity provider (IdP) under its own control.

This allowed UNC2452 to carry out a variety of operations as any user, such as sending and receiving e-mail and transferring and executing files. And because the attacker is recognized as an authorized user, the activity is very difficult to detect.

As described above, it is difficult to tell whether an organization is under attack by UNC2452, because the attacker's actions are hard to distinguish from those of a legitimate user. FireEye has therefore developed an application that detects UNC2452 attacks by checking for several of the behavior patterns the group uses, and has released it for free on GitHub.
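As an added illustration of the detection approach described above (this is example code written for this page, not code from FireEye's tool or from the original article), the following Python script checks for the two behaviors the report attributes to UNC2452: audit-log events that add or alter a federated domain in Azure AD, and federated domains whose issuer URI or signing certificate no longer match a known-good baseline. The record shapes, activity names, property names, domain names and values are constructed assumptions modelled on the Azure AD audit-log schema and on the fields reported by Get-MsolDomainFederationSettings, not captured data.

```python
"""Flag federation changes in Azure AD audit logs and drift from a baseline.

Sample records below are constructed for this example (not real logs) and
modelled on the Azure AD audit-log schema (activityDisplayName, initiatedBy,
targetResources[].modifiedProperties[]) and on Get-MsolDomainFederationSettings
output; field names, activity names and values are assumptions.
"""
from dataclasses import dataclass, field

# Audit activities that add a federated IdP to a tenant or change an existing
# one. A new trusted domain, or a changed IssuerUri / signing certificate on an
# existing one, lets whoever holds the matching signing key mint SAML tokens
# for any user without ever touching the legitimate AD FS server.
FEDERATION_ACTIVITIES = {"Set domain authentication",
                         "Set federation settings on domain"}
FEDERATION_PROPERTIES = {"Authentication", "IssuerUri", "PassiveLogOnUri",
                         "SigningCertificate", "NextSigningCertificate"}


@dataclass
class Finding:
    actor: str
    activity: str
    domain: str
    changes: dict = field(default_factory=dict)   # property -> (old, new)


def _actor(initiated_by):
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def find_federation_changes(records):
    """Return one Finding per domain touched by a federation-changing event."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in FEDERATION_ACTIVITIES:
            continue
        for target in rec.get("targetResources", []):
            changes = {p["displayName"]: (p.get("oldValue"), p.get("newValue"))
                       for p in target.get("modifiedProperties", [])
                       if p.get("displayName") in FEDERATION_PROPERTIES}
            findings.append(Finding(_actor(rec.get("initiatedBy", {})),
                                    rec["activityDisplayName"],
                                    target.get("displayName", "?"), changes))
    return findings


def check_federation_baseline(domains, baseline):
    """Compare federated domains against a known-good baseline.

    A federated domain missing from the baseline, or whose IssuerUri or
    signing-certificate thumbprint differs from it, is returned with a reason.
    """
    suspicious = []
    for d in domains:
        if d.get("authentication") != "Federated":
            continue
        expected = baseline.get(d["name"])
        if expected is None:
            suspicious.append((d["name"], "federated domain not in baseline"))
            continue
        for key in ("issuerUri", "signingCertThumbprint"):
            if d.get(key) != expected.get(key):
                suspicious.append((d["name"], f"{key} changed"))
    return suspicious


# Constructed sample data (assumed shapes, not real logs or tenant output).
SAMPLE_AUDIT_RECORDS = [
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}},
     "targetResources": [{"displayName": "alice@corp.example",
                          "modifiedProperties": []}]},
    {"activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "globaladmin@corp.example"}},
     "targetResources": [{"displayName": "corp.example", "modifiedProperties": [
         {"displayName": "Authentication", "oldValue": "Managed", "newValue": "Federated"},
         {"displayName": "IssuerUri", "oldValue": None,
          "newValue": "http://sts.attacker-controlled.example/adfs/services/trust/"}]}]},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"app": {"displayName": "Unknown"}},
     "targetResources": [{"displayName": "contoso.example", "modifiedProperties": [
         {"displayName": "SigningCertificate", "oldValue": "MIIC...old",
          "newValue": "MIIC...new"}]}]},
]
SAMPLE_DOMAINS = [
    {"name": "corp.example", "authentication": "Federated",
     "issuerUri": "http://sts.attacker-controlled.example/adfs/services/trust/",
     "signingCertThumbprint": "AAAA1111"},
    {"name": "contoso.example", "authentication": "Federated",
     "issuerUri": "http://sts.contoso.example/adfs/services/trust/",
     "signingCertThumbprint": "BBBB2222"},
    {"name": "shop.example", "authentication": "Managed"},
]
KNOWN_GOOD = {"contoso.example": {
    "issuerUri": "http://sts.contoso.example/adfs/services/trust/",
    "signingCertThumbprint": "BBBB0000"}}

if __name__ == "__main__":
    for f in find_federation_changes(SAMPLE_AUDIT_RECORDS):
        print(f"[audit] {f.actor} ran '{f.activity}' on {f.domain}: {f.changes}")
    for name, why in check_federation_baseline(SAMPLE_DOMAINS, KNOWN_GOOD):
        print(f"[baseline] {name}: {why}")
```

Run on the constructed data, the audit check reports the conversion of corp.example to a federated domain pointing at an unfamiliar issuer and the replacement of contoso.example's signing certificate, while the baseline check reports corp.example as a federated domain nobody approved and contoso.example as having a changed certificate thumbprint. In a real tenant the audit records would come from the Azure AD audit log export and the domain list from Get-MsolDomainFederationSettings or Get-AzureADDomain; the baseline is whatever the identity team recorded as legitimate, and every hit should be confirmed with a change ticket before being dismissed.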

GitHub --fireeye / Mandiant-Azure-AD-Investigator

in Software,   Security, Posted by log1o_hf