CHINESE HACKERS BEHIND JULY 2021 SOLARWINDS ZERO-DAY ATTACKS

Secureworks Secureworks: The second threat actor that targets SolarWind’s vulnerabilities via Orion bugs has characteristics that suggest that the organization is located within China (Catalin Cimpanu/The Record).

SolarWinds Servers Have been the target of attacks. Indirectly Related to Chinese Threat Actor

In the month of December 2020 just days following the huge SolarWinds supply chain incident, Microsoft warned that a second threat actor was focusing on SolarWinds Orion Server installations that were on-premises of customers.

The second group did not attempt to breach the SolarWinds application infrastructure. Instead, they exploited a CVE-2020-10148 security flaw within the SolarWinds Orion API, which enabled the installation of websites on Orion servers belonging to firms.

Also, read FTC AMAZON APPLE FACEBOOK 1M MCLAUGHLIN

Solarwinds orion china cimpanu the record

SUPERNOVA has been codenamed “web shell. This was a way for attackers to steal information from companies’ internal networks.

Reports from The Cybersecurity and Infrastructure Security Agency, as well as Palo Alto Networks at that time, did not associate this malware with the threat group that is behind SolarWind’s supply chain attack. In the past, however, the US government had officially connected Russia and described any use of the attack as taking place in tandem with the larger and more intrusive supply chain attack.

Secureworks resolves the SUPERNOVA mystery

Secureworks published a blog post today, in which it stated that it found connections between SUPERNOVA malware and attacks in August on Zoho’s ManageEngine servers. Secureworks is also an official non-zero-day source on Twitter.

Secureworks stated that it was pursuing this threat actor under Spiral, the codename Spiral. It further stated the following “characteristics suggest that the group is located in China.”

Also, read DESPITE A WAVE OF COMPLAINTS, PUSHBACK FROM TOP UNIVERSITIES

Secureworks announced today it “Similarities in SUPERNOVA-related activity [against Orion Servers] in November and activity that CTU researchers examined in August [against Zoho Servers] suggest that the SPIRAL Threat Group was responsible for both intrusions.” These intrusions may be connected to China.

Secureworks did not provide any specifics on whether it was the Spiral Group was linked to Chinese security operations run by the government. Or, if they’re regular cybercrime organizations looking to gain access, steal, and then ransom corporate networks.

Daniel Downey

Daniel was born in Auckland and raised in Calgary, except for the time when he moved back to Quebec and attended high school there. He studied Physics and Science at the University of Auckland. He began writing after obsessing over books.