Experts link the attack on SolarWinds to Kazuar backdoor

© naftemporiki.gr

On December 13, 2020, “FireEye”, “Microsoft” and “SolarWinds” announced the discovery of a large, sophisticated supply chain attack carried out with a new, previously unknown piece of malware, “Sunburst”, used against customers of “SolarWinds Orion IT”.

Kaspersky experts have identified several specific code similarities between “Sunburst” and known versions of the “Kazuar” backdoor, a type of malware that provides remote access to the victim’s machine. The new findings provide information that could help researchers investigate the attack.

While researching the “Sunburst” backdoor, Kaspersky experts discovered a number of features that overlap with “Kazuar”, a previously identified backdoor written with the “.NET” Framework, first reported by “Palo Alto” in 2017 and used in cyberattacks around the world. Many similarities in the code indicate a connection between “Kazuar” and “Sunburst”, though the nature of that connection is undetermined.

The overlapping characteristics between “Sunburst” and “Kazuar” include the algorithm that generates the victim’s “UID”, the sleep (delay) algorithm, and extensive use of the “FNV-1a” hash. According to the experts, these pieces of code are not 100% identical, which suggests that “Kazuar” and “Sunburst” may be related, although the nature of this relationship is not yet completely clear.
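As an added illustration of one of the overlapping features named above, the FNV-1a hash, the following Python code implements the 32- and 64-bit variants and shows how analysts typically deal with it: malware that compares hashed strings (for example process or service names) instead of plaintext forces the analyst to compute the hash over a list of candidate names to learn what a given check targets. This is example code written for this page, not code from the Kaspersky/Securelist report or from either malware family; the candidate list and the unmatched hash value are constructed, and a real sample may apply a further transform (such as an XOR with a constant) to the hash before comparison, which would have to be reproduced first.

```python
# Added example: FNV-1a hashing and hashed-string recovery from a candidate list.
# Not code from the Kaspersky/Securelist report; sample values below are constructed.

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a: same structure as the 32-bit variant with 64-bit constants."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def build_hash_table(candidates, hash_fn=fnv1a_64):
    """Precompute hash -> name for every candidate string (a lookup table)."""
    return {hash_fn(name.encode("utf-8")): name for name in candidates}


def recover_strings(observed_hashes, candidates, hash_fn=fnv1a_64):
    """Map hash constants pulled from a sample back to a plaintext name, or None if no candidate matches."""
    table = build_hash_table(candidates, hash_fn)
    return {h: table.get(h) for h in observed_hashes}


# Constructed candidate list: generic Windows process names an analyst might try.
CANDIDATES = ["explorer.exe", "svchost.exe", "lsass.exe", "notepad.exe"]

if __name__ == "__main__":
    # First value is the hash of a candidate; second is a constructed value with no match.
    observed = [fnv1a_64(b"lsass.exe"), 0x1234567890ABCDEF]
    for h, name in recover_strings(observed, CANDIDATES).items():
        print(f"{h:016x} -> {name}")
```

The 32-bit and 64-bit functions are checked against the published FNV test vectors (the empty string hashes to the offset basis, and "a" hashes to 0xE40C292C and 0xAF63DC4C8601EC8C respectively); a lookup table built from a large list of known process, service and driver names is the usual way to turn a hashed blocklist found in a sample into readable detection context.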

After “Sunburst” was first deployed in February 2020, “Kazuar” continued to evolve, and the later 2020 variants are even more similar to “Sunburst”.

Overall, over the years of “Kazuar”’s evolution, experts observed continuous development in which important characteristics resembling “Sunburst” were added. There could be many reasons for this; among them: “Sunburst” was developed by the same team as “Kazuar”; the developers of “Sunburst” used “Kazuar” as inspiration; one of the “Kazuar” developers moved to the “Sunburst” group; or the groups behind “Sunburst” and “Kazuar” acquired their malware from the same source.

Learn more technical details about “Sunburst” and “Kazuar” similarities in the Securelist report. Read more about Kaspersky’s research on “Sunburst” here.

Source:

naftemporiki.gr
