Hello, welcome to the Thursday, January 21st, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, one item, of course, that's still sort of dominating a lot of the news is solar winds and solarigate or the sunburst and various other piece of matter

that have been found since then. Microsoft has a real good write-up by the Microsoft 365

Defender Research Team in association with their threat intelligence center

and their Cyber Defense Operations Center.

And they're sort of going step by step over how the attack worked and also what steps

the attacker took to evade detection.

Plus, of course, how you are able to detect these kinds of attacks,

which to summarize in short isn't really easy. And one thing I found really interesting

is a lot of people always talk about indicators of compromise, hashes and the like. And that's

something that specifically fails here because

the attacker took the time to custom develop payloads for individual victims. So if you're just

relying on hashes and the like, that's really not going to cut it in this case. Well, it's

really about good TTPs, techniques,

tactics, and procedures. How did the attacker operate? And that's sort of what this blog post

by Microsoft goes over. In addition, there are also new victims coming forward. With that,

we do have a little bit name confusion between like

teardrop, rain drop, and of course the Cobalt Strike Backdoor.

Various names being used for very similar really functionality.

But then again, because we have these custom payloads being deployed, everybody that's affected sort of finds

something that's a little bit different. Malware Bites, the anti-malware company, also came

forward that its Office 365 environment was attacked and breached by the same actor.

...