A new sophisticated APT group, dubbed Dark Halo (UNC2452, SolarStrom), has recently emerged in the cyber-security arena, gathering top press headlines during the last months. Researchers believe this advanced actor might stand behind the historical SolarWinds hack as well as the attack against Malwarebytes security vendor.
Who is Dark Halo?
Security experts from Volexity estimate that Dark Halo started its malicious operations at the end of 2019. The group launched several attacks against the unnamed US think tank to steal the emails of its senior executives. Presumably, Dark Halo searched for valuable data to enhance further reconnaissance operations against major US vendors and governmental organizations. Notably, threat actors applied a rich malicious toolset, including Red Team tools and sophisticated malware samples. However, such instruments were used occasionally and only in case other opportunities remained blocked. The selectivity in methods is explained by APT’s intent to stay under the radar during their data theft activities.
Volexity describes three sequential attacks against the US think tank that occurred during Q3 2019 – Q2 2020. Initially, Dark Halo members used sophisticated implants and backdoor Trojans to penetrate the organization and stay unnoticed. After being uncovered and blocked, adversaries abused a remote execution flaw in Microsoft Exchange Control Panel (CVE-2020-0688) to restore their access to the organizational assets. Finally, Dark Halo compromised the vendor for the third time via maliciously-modified SolarWinds Orion updates.
The research from Volexity resonates closely with FireEye’s conclusions, allowing researchers to estimate that the Dark Halo is the same UNC2452 group responsible for SolarWinds attack. Although the origin of hackers is still unclear, the US intelligence suspects Dark Halo is working on behalf of the Russian government.
Dark Halo Attack Routine
Security researchers detail some malicious approaches Dark Halo applied to achieve its goals. Particularly, adversaries used an interesting method to extract email data from Outlook Web App (OWA) in course of their campaigns. Although targeted mailboxes were protected with Duo Multi-factor authentication, cyber-criminals managed to compromise the email accounts by simply entering the stolen login details. The second factor was not triggered in this case, and the Duo authentication server didn’t register any authentication attempts. The investigation revealed that Dark Halo successfully grabbed the Duo integration secret key (akey) from the OWA server. Further, they used this key to master the duo-sid cookie and present it to the server as a valid instance.
As for reconnaissance activities, Dark Halo evidently relied on the Exchange servers. Specifically, security experts identified that hackers used Exchange to retrieve a list of users on the server, verify their current role, and get valuable data on the configured Virtual Directory. Also, hackers utilized the AdFind command-line tool to grab data from Active Directory.
Security experts note that hackers paid much attention to disguise their malicious actions. Reportedly, adversaries deleted all affiliated logs from the targeted applications and cleaned any traces of their commands. Such a behavior again proves hackers’ intent for reconnaissance, not destruction, and their desire to fly under the radar while searching for valuable pieces of information.
Researchers state with confidence that the Dark Halo APT group is responsible for SolarWinds epoch-making attack. The group compromised dozens of public and private institutions around the globe via Trojanized SolarWinds Orion updates. As in previously described campaigns, attackers used multiple tools to camouflage their activities. For instance, researchers identified two malicious strains, dubbed Teardrop and Raindrop, which delivered the Cobalt Strike Beacon to the compromised environments and enhanced the attackers’ ability to move laterally across the network. The investigation is still ongoing, with new details constantly being revealed. Still, all experts are consonant that Dark Halo is an advanced threat group, likely state-sponsored. The hackers can support a complex attack routine to steal sensitive data from the organizations of their interest.
On January 19, 2021, another security company, Malwarebytes, announced it had fallen victim to the Dark Halo attack. According to the official statement of Malwarebytes CEO, hackers managed to penetrate several email accounts of company employees. Reportedly, adversaries relied on a security hole in the Azure Active Directory and a dormant Office 365 security app to grab the email data. Malwarebytes claims this breach is not related to the SolarWinds hack since the company does not rely on any SolarWinds software in its daily routine. Furthermore, the company says hackers did not access any of its environments, so all products remain safe to use.
Malwarebytes compromise promotes the count of security vendors compromised by Dark Halo to four, with FireEye, Microsoft, and CrowdStrike already on this list.
Dark Halo Detection
To detect possible Dark Halo activity, the SOC Prime team of threat hunting engineers released a dedicated Sigma rule:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness
EDR: Carbon Black, Microsoft Defender ATP
Techniques: Account Discovery (T1087)
Additionally, you might download a Rule Pack from our team that contains real-time correlation rules for QRadar to detect Dark Halo (UNC2452) presence inside your network:
More rules related to Dark Halo malicious activity you can find in our blog posts dedicated to FireEye breach, SUNBURST backdoor analysis, and Raindrop malware overview. Additional details on the SolarWinds incident you might check in our posts devoted to the Golden SAML attack and SUPERNOVA backdoor.
Searching for the best SOC content to enhance your threat detection capabilities? Subscribe to the Threat Detection Marketplace, an industry-leading Threat Detection Content-as-a-Service (CaaS) platform that helps SecOps teams advance their security analytics. Want to produce your own Sigma rules and create dedicated detection content? Join our Threat Bounty program to share your insights with the SOC Prime community!