https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
EXECUTIVE SUMMARY
SolarWinds announced on Sunday, December 13, 2020, that the SolarWinds Orion Platform network monitoring product had been modified by a state-sponsored threat actor, who embedded backdoor code into a legitimate, digitally signed SolarWinds library. The backdoor gives the attacker remote access to the victim’s environment and a foothold in the network, which can then be used to obtain privileged credentials. The SolarWinds breach is also connected to the FireEye breach disclosed a few days earlier. In this article, we analyze the tactics, techniques, and procedures used by the threat actors behind the SolarWinds incident to understand their attack methods and the impact of this breach.
Key Findings
This is a global attack campaign that began in March 2020 and is ongoing.
The attack campaign has the potential to affect thousands of public and private organizations.
The attack started with a software supply chain compromise attack.
Threat actors trojanized a component of the SolarWinds Orion Platform software; the backdoor it carries was dubbed SUNBURST by FireEye [1].
The backdoored version of the software was distributed via its automatic update mechanism.
Attackers made heavy use of defense evasion techniques, including masquerading, code signing, obfuscated files or information, indicator removal on host, and virtualization/sandbox evasion.
The threat actor leverages ten different MITRE ATT&CK tactics, including Lateral Movement, Command and Control, and Exfiltration.
The techniques used indicate that the threat actors are highly skilled.
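The findings above show why a valid vendor signature on an update is not, by itself, proof that the update is clean: the trojanized library kept its legitimate file name (masquerading) and carried a legitimate SolarWinds signature (code signing). The check a practitioner wants on top of signature validation is pinning the contents of an update to per-file hashes recorded from a known-good build or SBOM. The following is an added example written for this article, not code from Picus or SolarWinds; the package contents and the manifest are constructed in memory so it runs offline, and the assumption that the vendor publishes (or that you have recorded) such a per-file hash manifest is hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "update package": file name -> file contents.
# These are illustrative bytes, not real SolarWinds files. The business
# layer DLL keeps its legitimate name but has extra code appended, which is
# exactly the case a signature check alone would miss if the vendor's
# signing process signed the modified file.
SAMPLE_PACKAGE: Dict[str, bytes] = {
    "SolarWinds.Orion.Core.BusinessLayer.dll": b"legit business layer code" + b"\x00BACKDOOR",
    "SolarWinds.Orion.Web.dll": b"legit web code",
    "Helper.dll": b"unexpected extra file",
}

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()

# Constructed manifest of expected digests, as would be pinned from a
# known-good build (hypothetical: no such SolarWinds manifest is assumed to exist).
EXPECTED_MANIFEST: Dict[str, str] = {
    "SolarWinds.Orion.Core.BusinessLayer.dll": sha256_hex(b"legit business layer code"),
    "SolarWinds.Orion.Web.dll": sha256_hex(b"legit web code"),
    # Listed in the manifest but absent from the package: also worth flagging.
    "SolarWinds.Orion.Core.dll": sha256_hex(b"legit core code"),
}

@dataclass(frozen=True)
class Finding:
    kind: str   # "modified", "unlisted", or "missing"
    name: str   # file name inside the package

def verify_package(package: Dict[str, bytes], manifest: Dict[str, str]) -> List[Finding]:
    """Compare every file in an update package against pinned SHA-256 digests.

    Returns one Finding per anomaly; an empty list means the package matches
    the manifest exactly. Names are processed in sorted order so results are
    deterministic.
    """
    findings: List[Finding] = []
    for name, data in sorted(package.items()):
        expected = manifest.get(name)
        if expected is None:
            # A file the known-good build never shipped.
            findings.append(Finding("unlisted", name))
        elif not hmac.compare_digest(sha256_hex(data), expected):
            # Same name as a legitimate file, different contents: masquerading.
            findings.append(Finding("modified", name))
    for name in sorted(manifest):
        if name not in package:
            findings.append(Finding("missing", name))
    return findings

if __name__ == "__main__":
    for f in verify_package(SAMPLE_PACKAGE, EXPECTED_MANIFEST):
        print(f"{f.kind:9s} {f.name}")
```

Run against the constructed package, the check reports the appended-to business layer DLL as modified, the extra Helper.dll as unlisted, and the manifest-only core DLL as missing. In practice the manifest must come from a source independent of the update channel (an earlier verified install, a vendor-published hash list, or an SBOM), otherwise an attacker who controls the build pipeline can ship a matching manifest alongside the trojanized files.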