Advintel cybersecurity experts: Malware operators now target exposed RDP connections to gain an initial foothold and exploit CVE-2018-8453 and CVE-2019-1069.
FireEye: SolarWinds attackers deploy Sunshuttle as a second-stage payload. The malware is a Go backdoor that uses Cookie headers to pass values to the C2 and can select referrers from a list of popular websites to help its network traffic “blend in”.
Sunshuttle is a newly discovered malware family. Identified by FireEye cybersecurity experts, it has been used by the SolarWinds attackers as a second-stage payload. It is a backdoor written in Go that reads an embedded or local configuration file, communicates with a hard-coded command and control (C2) server over HTTPS, and supports commands including remotely updating its configuration, file upload and download, and arbitrary command execution. Notably, it passes values to the C2 in Cookie headers and, if configured, can select referrers from a list of popular website URLs so that its beaconing traffic “blends in” with ordinary browsing.
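The two traffic traits described above (opaque values carried in Cookie headers, and Referer headers borrowed from popular sites) are exactly what a proxy-log hunt can key on. The following is an added example, not FireEye's code or any artefact of Sunshuttle itself: it parses a constructed proxy log in a hypothetical single-line format, groups requests by destination host, and flags hosts that receive repeated requests whose Referer rotates through several unrelated popular sites (a real user arriving from Google does not then arrive from Facebook, Bing and Yahoo on each subsequent beacon) or whose cookie values look like high-entropy opaque blobs. The popular-site list, the log format and the thresholds are all assumptions for the demonstration.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Hypothetical format:
# <timestamp> dst=<host> <method> <path> referer=<url> cookie=<Cookie header>
SAMPLE_LOG = """\
2021-03-05T10:00:01Z dst=203.0.113.10 GET /api/v1/status referer=https://www.google.com/ cookie=session=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q
2021-03-05T10:05:02Z dst=203.0.113.10 GET /api/v1/status referer=https://www.facebook.com/ cookie=session=Q2FuIHlvdSBzZWUgbWUgbm93IGJ1ZGR5
2021-03-05T10:10:03Z dst=203.0.113.10 GET /api/v1/status referer=https://www.bing.com/ cookie=session=d2hhdCBhIGxvdmVseSBkYXkgdG9kYXk
2021-03-05T10:15:04Z dst=203.0.113.10 GET /api/v1/status referer=https://www.yahoo.com/ cookie=session=YW5vdGhlciBvcGFxdWUgY29va2llIHZhbHVl
2021-03-05T10:01:00Z dst=shop.example.net GET /products referer=https://www.google.com/ cookie=lang=en
2021-03-05T10:02:00Z dst=shop.example.net GET /cart referer=https://shop.example.net/products cookie=lang=en
2021-03-05T10:03:00Z dst=shop.example.net GET /checkout referer=https://shop.example.net/cart cookie=lang=en
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Assumption: a short list of sites a "blend-in" Referer would plausibly imitate.
POPULAR_SITES = {
    "www.google.com", "www.facebook.com", "www.bing.com",
    "www.yahoo.com", "www.youtube.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dst=(?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"referer=(?P<referer>\S+) cookie=(?P<cookie>\S*)$"
)


def parse_line(line):
    """Parse one hypothetical-format proxy line; returns None on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["referer_host"] = urlparse(entry["referer"]).hostname or ""
    return entry


def shannon_entropy(s):
    """Bits per character; opaque base64-like blobs score well above short words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cookie_values(cookie_header):
    """Return the value part of every name=value pair in a Cookie header."""
    return [p.split("=", 1)[1].strip() for p in cookie_header.split(";") if "=" in p]


def analyse(lines, min_requests=3, min_distinct_referers=3, entropy_threshold=4.0):
    """Group by destination host and report hosts whose traffic shows the two traits."""
    per_host = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            per_host[entry["dst"]].append(entry)

    findings = {}
    for host, entries in per_host.items():
        if len(entries) < min_requests:
            continue
        # Referers from popular sites that are not the destination itself.
        foreign = [e["referer_host"] for e in entries
                   if e["referer_host"] in POPULAR_SITES and e["referer_host"] != host]
        entropies = [shannon_entropy(v) for e in entries for v in cookie_values(e["cookie"])]
        mean_entropy = sum(entropies) / len(entropies) if entropies else 0.0

        reasons = []
        # Every request carries a popular-site Referer, and it rotates across several sites.
        if len(foreign) == len(entries) and len(set(foreign)) >= min_distinct_referers:
            reasons.append(f"{len(set(foreign))} distinct popular-site referers on every request")
        if mean_entropy >= entropy_threshold:
            reasons.append(f"high-entropy cookie values (mean {mean_entropy:.2f} bits/char)")
        if reasons:
            findings[host] = reasons
    return findings


def run_sample():
    """Run the heuristic over the constructed log."""
    return analyse(SAMPLE_LINES)


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host, "->", "; ".join(reasons))
```

Neither signal is conclusive on its own: a site that receives organic search traffic will see many requests with a Google Referer, and session cookies are legitimately random. The rotation of the Referer across unrelated sites on a fixed beacon path, combined with the destination being an unknown host, is what raises this from noise to a lead worth pivoting on in the full proxy and DNS telemetry.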