SolarWinds Threat Actors Behind New Email Attack Campaign

The threat actors behind last year’s SolarWinds supply chain attack have launched a new email attack campaign aimed at organizations around the world. This attack wave attracted the attention of the Microsoft Threat Intelligence Center (MSTIC) on May 25. 

The threat actors targeted approximately 3,000 individual accounts in more than 150 organizations using the Constant Contact mass mailing service.

One of the attack emails sent out in this round appeared to originate from the United States Agency for International Development (USAID) <ashainfo@usaid.gov>, with the sender email address matching what’s typically used by Constant Contact’s legitimate services.

As reported by CNN, it appeared that the threat actors had sent out the attack emails after compromising a Constant Contact account used by USAID.

Clicking on a link included in the email led a recipient to a legitimate Constant Contact service. The campaign then redirected the user to attacker-controlled infrastructure that downloaded a malicious ISO onto their systems. This payload displayed a decoy document while executing a custom Cobalt Strike Beacon loader dubbed “NativeZone” by MSTIC.

Through NativeZone, the attackers gained the ability to move laterally through a victim’s network, exfiltrate data and/or deliver additional malware.

Part of a Broader Attack Effort

MSTIC linked the attack wave discussed above to a broader campaign that began back in January 2021. The operation’s beginnings involved a wave of phishing emails that used Firebase, Google’s mobile and web app development platform, to distribute a malicious ISO file.

Over the next few months, MSTIC observed several new rounds of the attack effort emerge. One of those iterations leveraged an HTML file that used JavaScript to write an ISO file to disk, at which point a shortcut file executed a DLL to load a Cobalt Strike Beacon on the system. This payload allowed the attackers to penetrate the victim’s network.

In other actions, the attackers appear to have experimented with moving away from Firebase. This involved encoding the ISO file within the HTML attachment, encoding the Cobalt Strike Beacon DLL within an RTF document contained in an ISO, and replacing the HTML document entirely with a fake website designed to spoof the targeted organization.
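The delivery variants described above all end with an ISO image reaching the endpoint, whether it is fetched from Firebase or carried inside the HTML attachment itself. The following is an added example, not code from the original post or from Cybereason, of the kind of triage a mail gateway can apply to an HTML attachment: it looks for the script idioms that turn an in-page string into a file download, decodes any large base64 literal, and checks whether the decoded bytes carry the ISO 9660 volume descriptor (the string `CD001` at byte offset 0x8001). The sample attachment, the hint list and the thresholds are all constructed for illustration.

```python
"""Triage an HTML e-mail attachment for an HTML-smuggled ISO payload.

Added example (not from the original post or from Cybereason). The sample
attachment is constructed inline; the scoring thresholds are illustrative.
"""
import base64
import re

ISO_MAGIC_OFFSET = 0x8001   # ISO 9660 primary volume descriptor identifier
ISO_MAGIC = b"CD001"

# Script idioms that turn an in-page literal into a downloaded file. Each one
# is benign on its own (plenty of web apps use Blob URLs), so they are scored.
SMUGGLING_HINTS = {
    "atob(": "base64 decode in script",
    "new Blob(": "in-memory file construction",
    "createObjectURL(": "object URL used for a client-side download",
    "msSaveOrOpenBlob(": "legacy IE/Edge save-file API",
    'download="': "forced download attribute on an anchor",
}

# Base64 runs of at least 1 KiB; tracking tokens and inline images that short
# are rare, and a smuggled ISO is far larger.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_html(html: str) -> dict:
    """Return the script hints found, every decodable payload, and a verdict."""
    hints = [desc for needle, desc in SMUGGLING_HINTS.items() if needle in html]
    payloads = []
    for match in BASE64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # long run of base64-looking text that does not decode
        payloads.append({"size": len(blob), "iso": looks_like_iso(blob)})
    if any(p["iso"] for p in payloads):
        verdict = "block"       # an ISO image has no business inside an HTML mail
    elif len(hints) >= 2 and payloads:
        verdict = "review"      # download idioms plus a large blob: hold for a human
    else:
        verdict = "allow"
    return {"hints": hints, "payloads": payloads, "verdict": verdict}


def build_sample_attachment() -> str:
    """Constructed sample: a zero-filled ISO-shaped buffer embedded in HTML."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 64)          # no real file system
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
    b64 = base64.b64encode(bytes(fake_iso)).decode()
    return (
        "<html><body><p>Your document is loading...</p>\n"
        '<a id="dl" download="report.iso" href="#">open</a>\n'
        "<script>\n"
        f'var payload = "{b64}";\n'
        "var blob = new Blob([atob(payload)]);\n"
        'document.getElementById("dl").href = URL.createObjectURL(blob);\n'
        "</script></body></html>"
    )


if __name__ == "__main__":
    print(triage_html(build_sample_attachment()))
```

The detector deliberately keys on the decoded content rather than on the script alone: a benign newsletter may legitimately use Blob URLs, but a base64 literal that decodes to an ISO image is a delivery artifact regardless of how the surrounding JavaScript is written.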

Putting This Latest Attack into Context

Threat actors like these use the same advanced R&D techniques and agile principles that we’ve been championing in cutting-edge development and technology labs for years. This explains why they’re able to change and update their tactics, techniques, and procedures (TTPs) almost overnight. 

So too does the fact that threat actors like these are more than just ‘five guys and a coffee machine.’ They operate large organizations numbering in the hundreds of people with support networks, investors, partners, labs, cloud operations, and more.

Imagine a modern, lean, entrepreneurial Silicon Valley type organization, then move it to Russia, give it protection from the state, and unleash it to make money through cybercrime, perform espionage, and conduct no-holds-barred operations. There you have a threat actor on par with the SolarWinds attackers.

Even so, new TTPs go only so far. That’s because breaches all begin with one of a few simple-to-identify but hard-to-prevent things like a compromised identity, a vulnerability, or something that’s too permissive or open. It’s not a surprise at all that the attack detected by MSTIC started through phishing. While human beings are the whole point of the systems we build, they are also often the Achilles’ heel of these systems.

This highlights the need for defenders to augment their technical network protection capabilities. Set up a war room. Assume compromise. Invest now to ratchet up prevention and detection. Reduce single points of failure, improve resilience, start doing regular risk assessment, and get more agile.

We can fight fire with fire. Do not just buy more of the same old stuff. We must do things differently every day. This is about how fit we are, and that requires change, active self-awareness, and improvement every single day. This is not about more routines, more meetings, more consultants, or more of the same.

Developing Better Detection Strategies

Towards that end, organizations can stop focusing solely on Indicators of Compromise (IOCs) and broaden their view to include Indicators of Behavior (IOBs): the more subtle chains of malicious behavior that can reveal an attack at its earliest stages. That early visibility is why IOBs are so powerful in detecting campaigns such as the SolarWinds attacks.

Cybereason’s platform is one of those solutions that’s equipped to defend organizations against malicious activity such as the SolarWinds supply chain attack. It takes an operation-centric approach to security that correlates all of the elements of an attack chain, especially those behaviors that when observed in isolation would appear to be benign, but when manifested in relation to one another present a distinct advantage to an attacker. 

Behavior-based detections empower security professionals to prioritize what’s actually important so that they can commit their time to addressing potential security issues instead of combing through uncorrelated alerts that lack context and piecing together artifacts from an attack after the fact. 
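To make the IOC-versus-IOB distinction concrete, here is an added example (not code from the original post and not Cybereason’s platform) that correlates endpoint telemetry into one behavior chain matching the delivery path described earlier in the post: an ISO written by a browser, the ISO mounted as a drive letter, a process launched from that drive, a DLL loaded from it, and an outbound connection by that process. Every event is unremarkable on its own; the detection fires only on the chain. The event format, host names, paths, pids and the minimum chain length are all constructed for illustration, and the destination addresses are documentation ranges.

```python
"""Correlate isolated endpoint events into one behavior chain (an IOB).

Added example, not from the original post or from Cybereason. The telemetry
below is constructed: a malicious chain ending in a beacon, plus benign noise
(an installer ISO that is downloaded and mounted but never executed from).
"""
from collections import defaultdict

# Processes whose file writes are treated as untrusted-origin downloads
UNTRUSTED_ORIGINS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}

EVENTS = [  # constructed telemetry; hypothetical host, user and paths
    {"ts": 1, "kind": "file_write", "pid": 110, "image": "msedge.exe",
     "path": r"C:\Users\alice\Downloads\report.iso"},
    {"ts": 2, "kind": "mount", "source": r"C:\Users\alice\Downloads\report.iso",
     "volume": "E:"},
    {"ts": 3, "kind": "process", "pid": 120, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe E:\Assets\viewer.dll,Main"},
    {"ts": 4, "kind": "image_load", "pid": 120, "path": r"E:\Assets\viewer.dll"},
    {"ts": 5, "kind": "network", "pid": 120, "dst": "203.0.113.10:443"},
    # Benign noise: an admin downloads and mounts an installer ISO, runs nothing from it
    {"ts": 6, "kind": "file_write", "pid": 110, "image": "msedge.exe",
     "path": r"C:\Users\alice\Downloads\ubuntu.iso"},
    {"ts": 7, "kind": "mount", "source": r"C:\Users\alice\Downloads\ubuntu.iso",
     "volume": "F:"},
    {"ts": 8, "kind": "network", "pid": 300, "dst": "198.51.100.7:443"},
]


def correlate(events):
    """Walk events in time order and build one stage list per downloaded ISO."""
    iso_origin = {}              # ISO path -> pid of the untrusted process that wrote it
    volume_iso = {}              # mounted drive letter -> ISO path
    proc_volume = {}             # pid -> drive letter it was launched from
    chains = defaultdict(list)   # ISO path -> ordered stage names
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["kind"]
        if (kind == "file_write" and e["path"].lower().endswith(".iso")
                and e["image"] in UNTRUSTED_ORIGINS):
            iso_origin[e["path"]] = e["pid"]
            chains[e["path"]].append("download")
        elif kind == "mount" and e["source"] in iso_origin:
            volume_iso[e["volume"]] = e["source"]
            chains[e["source"]].append("mount")
        elif kind == "process":
            cmd = e["cmdline"].upper()
            for vol, iso in volume_iso.items():
                # command line references the mounted ISO as its first or a later argument
                if cmd.startswith(vol) or f" {vol}" in cmd or f'"{vol}' in cmd:
                    proc_volume[e["pid"]] = vol
                    chains[iso].append("exec_from_volume")
                    break
        elif kind == "image_load" and e["pid"] in proc_volume:
            vol = proc_volume[e["pid"]]
            if e["path"].upper().startswith(vol) and e["path"].lower().endswith(".dll"):
                chains[volume_iso[vol]].append("dll_from_volume")
        elif kind == "network" and e["pid"] in proc_volume:
            chains[volume_iso[proc_volume[e["pid"]]]].append("beacon_out")
    return [{"iso": iso, "stages": stages, "score": len(stages)}
            for iso, stages in chains.items()]


def flagged_operations(events, min_stages=4):
    """Only chains long enough to be an operation are surfaced to an analyst."""
    return [op for op in correlate(events) if op["score"] >= min_stages]


if __name__ == "__main__":
    for op in flagged_operations(EVENTS):
        print(op["iso"], "->", " > ".join(op["stages"]))
```

The correlation key is the artifact the stages share (the ISO path, then the drive letter it was mounted as) rather than process ancestry, because a shortcut launched from a mounted image is spawned by the shell and would not be a child of the browser that fetched it. The benign installer ISO produces a two-stage chain and is never surfaced, which is the point of scoring the chain instead of alerting on each event.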

Indicators of Behavior are the key to detecting attacks earlier and remediating against them faster, and solutions that leverage this paradigm-shifting approach are already available. Just ask us how your organization can benefit.

About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.
