💣🔗

Symantec Security Incident

early July 2020 1888 days ago Resolved

Incident Overview

Situation Description

Symantec uncovered additional malware, Raindrop, used in the SolarWinds attacks to deliver Cobalt Strike payloads and spread across victim networks.

Event Types

Malware / Destructive Attack Supply Chain Compromise

Industry Sector

Technology

Geographic Scope

nan

Response Actions

Hardened Attack Surface Shared Threat Intelligence

Impact Analysis

Event Types (2 identified)

Malware / Destructive Attack Supply Chain Compromise

Financial Impact

$0 USD

Records Affected

Primary Impacts

Operational Disruption

Key Decisions Made

Symantec identified Raindrop as a loader delivering Cobalt Strike, distinct from Teardrop.; Raindrop was observed being used for lateral movement and payload deployment on victim networks, distinct from Teardrop's initial delivery.; Symantec products will detect and block tools associated with these attacks, providing file-based and network-based protection.

Technical Analysis

Attack Method

Unpatched Vulnerability

Vulnerability / Tool

SolarWinds Orion Cobalt Strike Raindrop Teardrop Sunburst

Additional Information

Symantec, a division of Broadcom (NASDAQ: AVGO), has uncovered an additional piece of malware used in the SolarWinds attacks which was used against a select number of victims that were of interest to the attackers. Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two. While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victims network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst. Raindrop attacks In one victim, in early July 2020, Sunburst was installed through the SolarWinds Orion update, as has been well documented. Two computers were compromised. The following day, Teardrop was subsequently installed on one of these computers. That computer was found to have an active directory query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases. The credential dumper was similar to, but not the same as, the open source Solarflare tool. Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization. One hour later, the Raindrop malware installed an additional file called "7z.dll". We were unable to retrieve this file, however, within hours a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool which can be used for...

... (truncated for display)

Quick Facts

Company:: Symantec
Date:: early July 2020
Status:: Resolved
Decision Maker:: nan
Position:: nan
Published:: nan

Source Information

Original Query

timeline of company actions after discovering ransomware

View Original Source

Timeline

Information Published

nan

Incident Occurred

early July 2020 (1888 days ago)

Status: Resolved

Estimated resolution based on age

Actions

View Company Profile

Navigation

Quick Stats