ThreatSTOP Blog

Block Threats Before They're Famous – How We Beat the SolarWinds Hack

Written by Ofir Ashman | August 11, 2021

Cyber criminals will create roughly 100 million malware variants over the next 12 months. Security vendors will respond with new static and behavioral signatures to stop them, but thousands of companies will be victimized before they are secured, experiencing costly or catastrophic breaches. This isn’t new - it’s a cycle.

Threats succeed by avoiding detection. Victim-specific malware, domain generation algorithms (DGAs), and data exfiltration over DNS are the handiwork of motivated and innovative attackers. Reacting to yesterday's threats with a new signature is clearly inadequate. 

Stop admiring the problem

Attackers have limitless ways at nominal cost to change malware and attack vectors to increase the chances that their attacks succeed. It’s why we see tens of millions of new variants every year. Traditional security controls work by using known signatures and behaviors to pinpoint a threat, but aren’t very effective against advanced and persistent attackers, or new, different malware and tactics. 

By focusing on behavioral data and specific malware files, these security solutions admire every new, specific problem instead of spreading a wide proactive defense shield for their customers. Although these traditional controls are still a necessary layer, the odds are stacked against them and they are left with too many security blind spots.

Find the threat factory

Malware and methods always evolve, but attackers continue to use (and reuse) infrastructure to carry out attacks - the same command and control (C2) servers, domains, autonomous systems, nameservers, hosting, etc. Threats are transient, moving targets, but the infrastructure delivering them is far less dynamic and easier to pin down. The infrastructure criminals use to conduct targeted attacks or broad campaigns is an investment in time and money, and is not easily moved or replaced. How do we know? We’ve been tracking attacker infrastructure for over a decade - mapping the threat factories behind nation-state APTs and commodity attacks.

Prevent attacks before they have a name – like Dark Halo

The SolarWinds compromise last year shook the tech and security worlds. Microsoft president Brad Smith dubbed it the "largest and most sophisticated attack" ever, and security news outlets reported that a large number of major businesses and organizations were targeted and potentially impacted - including Cisco, Deloitte, and of course FireEye. On December 13, 2020, FireEye released an analysis of a breach discovered in its network, including related indicators of compromise.

IOCs from the SolarWinds compromise attack on FireEye. Image: FireEye GitHub

The domain highdatabase[.]com was hosted on the IP address 139.99.115[.]204 from late 2019 to December 2020. ThreatSTOP has been monitoring and blocking this IP since March 2020, back when it was hosting malicious infrastructure for a campaign called Operation Overtrap. Our system automatically and periodically re-analyzes IOCs entered by our research team. Since we saw continuing malicious activity on the IP, we kept blocking it even after Operation Overtrap was, well... over. Fast forward to July 2020, and the same IP was hosting C2s used by Dark Halo to attack FireEye (and who knows who else) with a trojanized SolarWinds Orion update. With foolproof breach methods and evasion tactics, this attack was set up to be a success. But even if attackers successfully enter a network, they can still be blocked from calling home. On networks protected by ThreatSTOP, a threat like this could not communicate with its C2 servers to exfiltrate data or download later-stage malware.

Not long after FireEye's analysis, the cybersecurity forensics firm Volexity analyzed three additional cyber attacks leveraging the SolarWinds compromise. For these breaches as well, ThreatSTOP recognized IOCs that we had long been tracking and blocking.

Dark Halo malware infrastructure. Image: Volexity

For example, the domain webcodez[.]com resolved to 45.141.152[.]18 in July 2020, when the attackers used this domain as part of the trojanized SolarWinds supply chain. This IP had already been entered into our systems a year earlier by our CyberCrime threat intelligence feeds because of other malicious activity, so ThreatSTOP users could not reach the malicious domain hosted on it during the SolarWinds attacks, even if their network tried a thousand times. Different attack - same infrastructure.

Block the threat factory, not only the threats

ThreatSTOP has studied what makes attacks successful and what causes them to fail. We’ve reverse engineered malware, performed source attribution and conducted incident response. Here’s the big takeaway: regardless of the attack type, the vectors, or the variant, the IP addresses and domains cyber criminals use to conduct an attack must be real and routable over the Internet – and your network must be able to communicate with them for an attack to succeed.

Find the infrastructure, block communications to and from, and stop the kill chain early on - that is how you block the threat factory.
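To make the "block the infrastructure, not just the threat" idea concrete, here is a small added example (not ThreatSTOP's code) that checks resolver log lines against an infrastructure blocklist keyed by IP network rather than by domain. The two IPs in the blocklist are the ones named in this post; the log format, client addresses, the extra 192.0.2.0/24 range and the never-before-seen domain are constructed for illustration. Because the match is on the resolved address, a brand-new domain that lands on already-blocked hosting is caught without anyone having written a signature for it.

```python
"""Flag DNS resolutions that land on known-bad hosting infrastructure.

Added example, not ThreatSTOP's own code. Blocklist IPs come from the post;
the resolver log lines and the /24 range are constructed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple


def refang(ioc: str) -> str:
    """Convert a defanged IOC ('highdatabase[.]com', '139.99.115[.]204') to its live form."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


# Infrastructure blocklist entries as (defanged CIDR, reason).
# The first two IPs are the ones discussed in the post; the /24 is a
# constructed range showing that the same check covers whole networks.
INFRA_ENTRIES: List[Tuple[str, str]] = [
    ("139.99.115[.]204/32", "Operation Overtrap hosting, blocked since March 2020"),
    ("45.141.152[.]18/32", "CyberCrime feed hit, roughly a year before July 2020"),
    ("192.0.2[.]0/24", "constructed example range for this demo"),
]


def load_blocklist(entries):
    """Refang each entry and parse it into an ipaddress network object."""
    return [(ipaddress.ip_network(refang(cidr), strict=False), reason)
            for cidr, reason in entries]


BLOCKLIST = load_blocklist(INFRA_ENTRIES)

# Constructed resolver log format: "<ts> client=<ip> q=<qname> a=<answer>".
LOG_LINE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) a=(?P<answer>\S+)"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def infrastructure_hit(ip_str: str, blocklist) -> Optional[str]:
    """Return the blocklist reason if ip_str falls inside any listed network, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # not an IP (e.g. CNAME answer); nothing to match on
        return None
    for net, reason in blocklist:
        if ip in net:  # version mismatch (v4 vs v6) simply yields False
            return reason
    return None


def flag_resolutions(lines: List[str], blocklist) -> List[Tuple[str, str, str, str, str]]:
    """Return (ts, client, qname, answer, reason) for every resolution onto blocked infrastructure."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole batch
        reason = infrastructure_hit(rec["answer"], blocklist)
        if reason:
            hits.append((rec["ts"], rec["client"], rec["qname"], rec["answer"], reason))
    return hits


# Constructed sample log. Domains and answers 1-2 mirror the post; 3-4 are made up.
SAMPLE_LOG = [
    "2020-07-15T10:02:11Z client=10.0.0.12 q=webcodez.com a=45.141.152.18",
    "2020-12-14T08:30:00Z client=10.0.0.12 q=highdatabase.com a=139.99.115.204",
    "2020-12-14T08:31:00Z client=10.0.0.25 q=never-seen-before.example a=192.0.2.77",
    "2020-12-14T08:32:00Z client=10.0.0.25 q=updates.example a=198.51.100.5",
    "this line is not a resolver record",
]


if __name__ == "__main__":
    for hit in flag_resolutions(SAMPLE_LOG, BLOCKLIST):
        ts, client, qname, answer, reason = hit
        print(f"{ts} {client} -> {qname} ({answer}): BLOCK, {reason}")
```

Note that the third line is flagged even though `never-seen-before.example` appears on no domain list; the hosting address alone is enough. In a production resolver this lookup would sit in an RPZ or firewall policy rather than a post-hoc log scan, but the matching logic is the same.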

It takes less than an hour to install ThreatSTOP, and the security benefits are immediately visible.
Ready to try ThreatSTOP in your network?