Cyber Security

CISA Releases 'CHIRP' Tool to Track Malware Activity Related to the SolarWinds Hack

Reactionary Times News DeskMar 23, 2021 8:33 PM
0 22 1 minute read
Solarwinds logo seen on the smartphone screen, with simple C attack code on the paper background.
A new python-based tool has been released by the The Cybersecurity and Infrastructure Security Agency (CISA) to help companies detect malicious activities related to the SolarWinds hack. Credit: Shutterstock

The Cybersecurity and Infrastructure Security Agency (CISA) has released the CISA Hunt and Incident Response Program (CHIRP) tool, a Python-based forensics collection tool designed to detect malicious activity associated with the SolarWinds attacks on enterprise Windows environments.

In an official announcement, the CISA said that CHIRP is a free tool that searches for signs of APT compromise within an on-premises environment. The tool scans for IOCs associated with malicious activity detailed in the AA20-352A and AA21-008A alerts related to the SolarWinds attacks against organizations such as government agencies, critical infrastructure, and private sector organizations.

CHIRP was commissioned and built to search for indications of compromise related to SolarWinds Orion software, the network monitoring software hackers leveraged to distribute the Sunburst and SUNSPOT trojans.

CISA had previously released a similar detection tool, called Sparrow, a PowerShell-based tool that was developed to scan for compromise in the Microsoft environment. While CHIRP is similar to Sparrow, it provides complementary capabilities to Sparrow by scanning for on-premises systems for similar activity.

The CHIRP tool is now available for download off the CISA CHIRP GitHub repository.

About CHIRP tool

The CHIRP tool is a command-line executable that scans for anomalies within an on-premises environment. It examines Windows event logs for artifacts associated with AA20-352A and AA21-008A activities, as well as searches the Windows Registry for evidence of intrusion.

The CHIRP tool also allows administrators to query Windows network artifacts and apply YARA rules to detect malware, backdoors, or implants.

As CHIRP is a license-free tool, developers can take the source code and improve it further. 

Currently, the tool can scan for:

  • The presence of associated malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Specific persistence mechanisms associated with the SolarWinds attacks;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.
Reactionary Times News DeskMar 23, 2021 8:33 PM
0 22 1 minute read
Reactionary Times News Desk

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Photo of Uncovering the Latest BEC Fraud Scheme: Nigerian National Arrested for $7.5 Million Scam Targeting US Charitable Organizations

Uncovering the Latest BEC Fraud Scheme: Nigerian National Arrested for $7.5 Million Scam Targeting US Charitable Organizations

Jan 9, 2024 1:20 PM
Photo of The Latest in Cybersecurity: Incidents, Vulnerabilities, and Industry Developments

The Latest in Cybersecurity: Incidents, Vulnerabilities, and Industry Developments

Jan 9, 2024 1:02 PM
Photo of Enhancing Cybersecurity: Okta's Acquisition of Spera Security and the Future of Identity Threat Detection

Enhancing Cybersecurity: Okta's Acquisition of Spera Security and the Future of Identity Threat Detection

Dec 31, 2023 10:40 AM
Photo of Troubleshooting Xvdd SCSI Miniport Issues in Virtualization Environments: Causes, Solutions, and Recommendations

Troubleshooting Xvdd SCSI Miniport Issues in Virtualization Environments: Causes, Solutions, and Recommendations

Dec 29, 2023 10:41 AM

Leave a Reply

Loading...
Back to top button