The U.S. Cybersecurity and Infrastructure Security Agency has issued a new forensics tool to help infosec pros find suspicious tracks from threat actors leveraging vulnerabilities stemming from the 2020 SolarWinds Orion hack.
The CISA Hunt and Incident Response Program tool — or CHRIP — detects indicators of compromise in Windows environments relating to the installation of backdoors from the hacking of Orion’s security updates and possible compromised accounts and applications in Microsoft’s Azure and Office 365 environments.
CHIRP is available for free on the CISA’s Github repository.
The agency says organizations should use CHIRP to:
- Examine Windows event logs for artifacts associated with these attacks.
- Examine Windows Registry for evidence of intrusion.
- Query Windows network artifacts.
- Apply YARA rules to detect malware, backdoors, or implants (YARA is a tool that helps malware researchers identify and classify malware samples).
Network defenders should review and confirm any post-compromise threat activity detected by the tool, CISA advises. It has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).
“Responding to confirmed positive hits is essential to evict an adversary from a compromised network,” the agency added.
CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.
Currently, the tool looks for:
- The presence of malware identified by security researchers as TEARDROP and RAINDROP.
- Credential dumping certificate pulls.
- Certain persistence mechanisms identified as associated with this campaign.
- System, network, and M365 enumeration.
- Known observable indicators of lateral movement.
Meanwhile, a Swiss-based cybersecurity company called Prodaft says it has found a threat actor it dubs Silverfish with links to the SolarWinds attack.
In a report issued Thursday it said it found evidence of “a global cyber-espionage campaign, which has strong ties with the SolarWinds attack,” and a group called EvilCorp modified the TrickBot malware infrastructure for attacks.
Out of 4,700 victims of SilverFish’s work, says the report, “there is a significant overlap with the companies affected during SolarWinds attacks.” Organizations hit include governmental institutions, global IT providers, the aviation industry, and defence companies in Canada, the U.S., Italy and other countries.
“We believe SilverFish is the first group that has targeted EU states by using the vulnerabilities which were tied to the SolarWinds incident,” the report says.