SolarWinds-Linked Hacking Group SilverFish Uses Enterprises’ Systems As Sandboxes

Swiss cybersecurity firm Prodaft has described a novel form of sandbox: attackers use existing victim networks to test the detection rates of their payloads against the security products deployed there.

Cyberattackers from SilverFish, a hacker group involved in numerous worldwide hacking campaigns, are behind these tests.

In a report (PDF) released this Thursday, Prodaft said that SilverFish has been responsible for attacks on over 4,720 private and government organizations. Some of these organizations are Fortune 500 companies, airlines, ministries, defense contractors, audit and consultancy companies, and car manufacturers. The attackers focus their activity on US and European entities, with a preference for critical infrastructure and targets with a market value of over $100 million.

Microsoft links SilverFish to the recent SolarWinds breach, but it is only one of many threat groups taking advantage of the flaws in the soon-to-be-phased-out SolarWinds Orion software. The series of attacks led to thousands of corporate networks being compromised.

Prodaft said it found evidence linking the recent sandbox attacks by SilverFish to existing SolarWinds security incidents by analyzing IPs, usernames, command execution, country, and timestamp records.

Among the victims, Prodaft confirmed a US military contractor, a top COVID-19 testing kit manufacturer, police networks, aerospace and automotive giants, airport systems, and banking institutions in the US and Europe.

Prodaft says that the SilverFish attackers used various tactics, including the use of legitimate domains, to reroute traffic to their C2 infrastructure.

However, the most interesting tactic Prodaft observed was the use of existing enterprise systems as sandboxes.

“The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks,” the company says. 

The SilverFish SolarWinds-related attacks began at the end of August 2020 and only ended with the seizure and sinkholing of a key domain. However, Prodaft predicts that spying and data theft-related attacks will continue throughout 2021.

“SilverFish are still using relevant machines for lateral movement stages of their campaigns,” the company added. “Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group’s presence on their networks.”

Prodaft shared its findings “with all responsible CERTs, and different law enforcement agencies; so that they can get in touch with the victims as the authorized body and share their findings.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.