News You Might’ve Missed. 18 – 22 Jan

What's new this week in the news for MSPs? How the SolarWinds Hackers skipped detection by Microsoft; researchers find new malware from SolarWinds attack; "vishing" or voice phishing attacks warning from FBI; and hackers attack utility developer IObit to spread ransomware to members.
Let's see what it's all about.

How the SolarWinds Hackers Skipped Detection by Microsoft

Microsoft shared details about the SolarWinds attack, including how the hackers kept their activities on the breached networks hidden. The security experts are a part of the Microsoft 365 Defender Research Team, the Microsoft Cyber Defense Operations Center (CDOC), and the Microsoft Threat Intelligence Center (MSTIC). They came forward with previously unknown information to share.

The report from Microsoft details information about the “Solorigate” second-stage activation in the attack. It includes the tools and steps in play during the deployment of the custom Cobalt Strike loaders, Teardrop, Raindrop, and others. The attackers would use these after dropping the Solorigate (Sunburst) DLL backdoor.

According to Microsoft's information, the hackers behind the SolarWinds attack used various methods. Some of these were anti-forensic behavior and operational security, which kept the compromised networks from detecting their malicious acts.

These details came to light during their ongoing investigation of the SolarWinds supply-chain attack.

Researchers Find New Malware from SolarWinds Attack

Security analysts and researchers say that a new strain of malware was in play during the SolarWinds Worldwide LLC hacking last year.

Symantec researchers say the malware, dubbed Raindrop, is a loader that delivers a payload of Cobalt Strike by design. What's more, it's a type of penetration platform. It is widely preferred by hackers and was leaked online last November.

Using Cobalt Strike, hackers can deploy an agent on a compromised system. This method provides them with deeper access for additional actions, such as keylogging, file transfer, command execution, privilege escalation, and port scanning.

During the SolarWinds attack, Raindrop was used in conjunction with other malware, known as Teardrop and Sunburst. During this scenario, Raindrop also distributed Cobalt Strike across the targeted network.

Voice Phishing or "Vishing" Attacks Warning from FBI

Voice phishing, also known as “vishing”, is a cybercrime that uses social engineering over the telephone. The attacker then seeks to gain personal information from the victim.
In a notice on January 14th, the Federal Bureau of Investigation (FBI) said cybercriminals were targeting business employees who control network access and can assign network privileges.

These cybercriminals are targeting both internationally and locally based workers. Most of the targeted victims are from larger organizations. The criminals are using voice over internet protocol (VoIP) platforms as their method of attack.

According to what is known, the employee victims are tricked into logging into a phishing webpage during the vishing attack. The attackers then capture their username and password.
In using these platforms, a social engineer can impersonate a call from within the business. For example, they can say they are from the IT department.

Hackers Attack Utility Developer IObit to Spread Ransomware

IObit, a Windows utility developer, was hacked by cybercriminals to perform a wide-ranging attack in order to distribute DeroHE ransomware to its forum members. The Windows utility developer has an excellent reputation for its Windows system optimization and anti-malware programs, such as its Advanced SystemCare.

Its forum members began getting emails purporting to be from IObit. The emails contained an offer of a free one-year license to their software as a forum membership special perk. Fortunately, the page has since been taken down. While active, it downloaded zip files containing digitally signed files from the legitimate IObit License Manager program. However, the IObitUnlocker.dll was replaced with an unsigned, malicious version.
The malicious IObitUnlocker.dll is launched after IObit License Manager.exe is run and will install the DeroHE ransomware. According to IObit, the widespread attack targeted all forum members.

Currently, the ransomware is being assessed for vulnerabilities. It is not yet known whether files can be decrypted for free. Neither is it known whether the threat actors will provide the decryption key after receiving payment.

It is suspected that forum pages are now compromised by the cybercriminals who infiltrated the network. Moreover, if you visit missing pages that return a 404 error code, the web page will display a dialog to subscribe to browser notifications. Once you subscribe, your browser will begin to get desktop notifications that promote adult sites, malicious software, and additional undesired content.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back every week for more highlights.