More information continues to come out about the serious SolarWinds data breach.
It has recently been discovered that another strain of malware, Raindrop, was used in the attack.
Raindrop is used as a loader that delivers a payload of Cobalt Strike. It is similar to the well-known Teardop tool, but there are some notable differences.
The main difference is that Teardrop is delivered through the Sunburst backdoor, while Raindrop is used to spread across the victim's network.
Symantec was able to do some digging into SolarWinds and reported interesting findings.
In July of 2020, one victim had Sunburst installed through the SolarWinds Orion update, resulting in the compromise of two computers.
The next day, Teardrop was installed onto one of those computers. That device had an active directory query tool and a credential dumper designed for SolarWinds Orion databases.
Around 11 days after, Raindrop was installed onto a third victim computer in the organization that had no previous malicious activity. This device happened to be running computer access and management software, which resulted in the attackers being able to access any computer in the organization.
That same day, Raindrop installed the file "7z.dll". Later, a legitimate version of 7zip extracted a copy of what is believed to be Directory Services Internals onto the computer. DSInternals is a tool used for querying Active Directory servers and retrieving data such as passwords, keys, or password hashes.
There were other instances of Raindrop being used, but none as severe as the situation described above.
As the SolarWinds breach has impacted many organizations, cybersecurity professionals are taking note of what happened as the whole story begins to clear up.
Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, had this to say about the uncovering of Raindrop in the SolarWinds attack:
"Raindrop is the fourth malware variant identified in the SolarWinds attack, following Teardrop, Sunspot, and Sunburst. Raindrop is a backdoor that contained many similarities to Teardrop, but analysis indicates Raindrop was executed in later stages of attack chain.
The significance of a now fourth malware strain being discovered is that it further supports the assessment that the threat actors responsible for the SolarWinds compromise are likely a highly capable and resourceful nation-state-associated threat group.
Considering the sophistication demonstrated by the threat actors, who left little forensic evidence and took extensive steps to cover their tracks, it is realistically possible that more malware strains may have been used in the attack which have not yet been identified. Few historical cyber incidents have gotten this much attention and postmortem analysis. This will likely result in more malware strains being discovered and reported as more of the scope of the attack is revealed."
It seems as though there is still more to be discovered about the SolarWinds attack, and SecureWorld News will continue to provide updates on the situation.