U.S. cyber agency releases tool to help SolarWinds Orion defenders

The U.S. Cybersecurity and Infrastructure Security Agency has issued a new forensics tool to help infosec pros find suspicious tracks from threat actors leveraging vulnerabilities stemming from the 2020 SolarWinds Orion hack.

The CISA Hunt and Incident Response Program tool, or CHIRP, detects indicators of compromise in Windows environments relating to the installation of backdoors from the hacking of Orion’s security updates and possible compromised accounts and applications in Microsoft’s Azure and Office 365 environments.

CHIRP is available for free on CISA’s GitHub repository.

The agency says organizations should use CHIRP to:

  • Examine Windows event logs for artifacts associated with these attacks.
  • Examine Windows Registry for evidence of intrusion.
  • Query Windows network artifacts.
  • Apply YARA rules to detect malware, backdoors, or implants (YARA is a tool that helps malware researchers identify and classify malware samples).

Network defenders should review and confirm any post-compromise threat activity detected by the tool, CISA advises. It has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

“Responding to confirmed positive hits is essential to evict an adversary from a compromised network,” the agency added.

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.
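An added sketch of the plugin-and-indicator design described above, not CHIRP's own code or indicator format: the plugin names, indicator fields, patterns and host data are all constructed for illustration, and Python dicts stand in for the YAML file. Hits are returned ordered by confidence for analyst review, and indicators whose plugin is not loaded are reported rather than silently dropped.

```python
import re
from collections import namedtuple
Hit = namedtuple("Hit", "indicator plugin confidence evidence")
PLUGINS = {}  # plugin name -> scanner function (hypothetical registry)

def plugin(name):  # decorator: register a scanner under a name
    def register(func):
        PLUGINS[name] = func
        return func
    return register

@plugin("events")
def scan_events(rx, host):
    # Return every event log message the pattern matches.
    return [e["message"] for e in host["events"] if rx.search(e["message"])]

@plugin("registry")
def scan_registry(rx, host):
    pairs = (f"{k} = {v}" for k, v in host["registry"].items())
    return [p for p in pairs if rx.search(p)]

# Constructed indicators (standing in for the YAML IOC file) and host snapshot.
INDICATORS = [
    {"name": "example-service-install", "plugin": "events", "confidence": "high",
     "pattern": r"service was installed.*examplesvc\.exe"},
    {"name": "example-run-key", "plugin": "registry", "confidence": "medium",
     "pattern": r"\\Run\\ExampleUpdater"},
    {"name": "example-network", "plugin": "network", "confidence": "low",
     "pattern": r"203\.0\.113\.7"},  # no "network" plugin is loaded here
]
HOST = {
    "events": [{"id": 7045, "message": r"A service was installed: C:\Temp\examplesvc.exe"},
               {"id": 4624, "message": "An account was successfully logged on"}],
    "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater":
                 r"C:\Temp\examplesvc.exe"},
}

def run_scan(indicators, host):
    """Dispatch each indicator to its plugin; return (hits, skipped names)."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits, skipped = [], []
    for ind in indicators:
        scanner = PLUGINS.get(ind["plugin"])
        if scanner is None:  # surface coverage gaps instead of hiding them
            skipped.append(ind["name"])
            continue
        rx = re.compile(ind["pattern"], re.IGNORECASE)
        hits += [Hit(ind["name"], ind["plugin"], ind["confidence"], e) for e in scanner(rx, host)]
    return sorted(hits, key=lambda h: order[h.confidence]), skipped
```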

Currently, the tool looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP.
  • Credential dumping certificate pulls.
  • Certain persistence mechanisms identified as associated with this campaign.
  • System, network, and M365 enumeration.
  • Known observable indicators of lateral movement.

SilverFish threat

Meanwhile, a Swiss-based cybersecurity company called Prodaft says it has found a threat actor it dubs SilverFish with links to the SolarWinds attack.

In a report issued Thursday, it said it found evidence of “a global cyber-espionage campaign, which has strong ties with the SolarWinds attack,” and a group called EvilCorp modified the TrickBot malware infrastructure for attacks.

Out of 4,700 victims of SilverFish’s work, says the report, “there is a significant overlap with the companies affected during SolarWinds attacks.” Organizations hit include governmental institutions, global IT providers, the aviation industry, and defence companies in Canada, the U.S., Italy and other countries.

“We believe SilverFish is the first group that has targeted EU states by using the vulnerabilities which were tied to the SolarWinds incident,” the report says.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
