The SolarWinds attack: we have never seen anything like this
Time: 2022-04-15 18:27:01 | Source: Industry News
It's been covered in the press, but in case you don't know the details, SolarWinds is a company that provides software to monitor many aspects of on-premises infrastructure, including network performance, log files, configuration data, storage, servers and the like. Like all software companies, SolarWinds sends out regular updates and patches. Hackers were able to infiltrate the update and trojanize the software, meaning that when customers installed the updates, the malware just went along for the ride.

The reason this is so insidious is that hackers will often target installations that haven't installed patches or updates and exploit the vulnerabilities in the infrastructure that exist as a result. In this case, the very code designed to protect organizations actually facilitated a breach. According to experts, this was quite a sophisticated attack with multiple variants, which most believe was perpetrated by the Russian hacker group Cozy Bear, an advanced persistent threat, or APT, as classified by the U.S. government.
It is suspected that somehow they phished their way into a GitHub repo and stole username and password access to allow them to penetrate the supply chain of software that is delivered over the Internet. But public information on this attack is still spotty. What is known is that the attackers had been lurking since March of last year and had nine months to exfiltrate troves of data from the U.S. government and numerous other companies, including Microsoft Corp. and Cisco Systems Inc.
### What CISOs say about the attack