
Just a few days after the information about the FireEye data breach appeared, the company published the results of its investigation and details of the Sunburst backdoor (including a technical report and countermeasures), through which the APT group penetrated the networks of multiple organizations, so potentially compromised companies can now quickly detect this threat. The scale of the detected supply chain attack is truly impressive: the state-sponsored group compromised SolarWinds Inc. and trojanized updates to the Orion IT software that is used by the US military and government agencies, as well as by 425+ of the US Fortune 500. Adversaries digitally signed the updates and posted them to the SolarWinds updates website during this spring, which left a huge number of companies around the world compromised (SolarWinds’ products are used by 300k+ customers worldwide).
CISA released an Emergency Directive to Mitigate the Compromise of the SolarWinds Orion Network Management Products, warning about the potential threat posed by the use of SolarWinds Orion products to the networks of numerous organizations in the public and private sectors.
Sunburst Backdoor Analysis and Detection Content
The Sunburst backdoor hides in SolarWinds.Orion.Core.BusinessLayer.dll. After getting into the system, the backdoor waits for up to two weeks and only then starts its harmful activity. The backdoor is capable of transferring and executing files, profiling the system, disabling system services, and rebooting the machine. The Sunburst backdoor utilizes the Orion Improvement Program protocol and saves collected data to legitimate plugin configuration files, which makes malware activity on an organization’s network extremely difficult to detect.
Our SOC Prime Team, in collaboration with Threat Bounty Program developers, released Sigma rules based on the Sunburst countermeasures that FireEye published on GitHub to detect the Sunburst backdoor and the tools related to this attack. This article and the list of rules will be updated. Follow our blog and check Threat Detection Marketplace for the latest rules detecting the Sunburst backdoor and related threats to stay current.
Here’s the list of rules that are currently available:
Possible Dark Halo Exchange Reconnaissance Activity (via cmdline)
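To show how rules like the ones listed above are applied, here is a minimal Sigma-style evaluator run over constructed Sysmon-like process-creation events. This is an added example, not one of the SOC Prime or FireEye rules: the rule itself is illustrative, and it assumes the Orion business-layer host process is named SolarWinds.BusinessLayerHost.exe.

```python
import re

# Constructed illustrative rule in Sigma's structure (a dict standing in for the
# YAML). Assumption: the backdoored DLL is loaded by SolarWinds.BusinessLayerHost.exe,
# so that process spawning a command interpreter is worth alerting on. The filter
# drops command lines that point back into the Orion install directory.
RULE = {
    "title": "Orion host process spawns a shell (illustrative)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\SolarWinds.BusinessLayerHost.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "filter": {"CommandLine|contains": "\\SolarWinds\\Orion\\"},
        "condition": "selection and not filter",
    },
}

def _field_matches(field_spec, want, event):
    """One Sigma field/modifier pair: endswith, contains, startswith or exact (case-insensitive)."""
    name, _, mod = field_spec.partition("|")
    value = str(event.get(name, "")).lower()
    for w in (want if isinstance(want, list) else [want]):  # list = any of the values
        w = str(w).lower()
        if (mod == "endswith" and value.endswith(w) or mod == "contains" and w in value
                or mod == "startswith" and value.startswith(w) or mod == "" and value == w):
            return True
    return False

def _block_matches(block, event):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(block, list):
        return any(_block_matches(b, event) for b in block)
    return all(_field_matches(k, v, event) for k, v in block.items())

def sigma_match(rule, event):
    """Evaluate a rule whose condition is 'X' or 'X and not Y' (subset of Sigma syntax)."""
    det = rule["detection"]
    sel, flt = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"]).groups()
    return _block_matches(det[sel], event) and not (flt and _block_matches(det[flt], event))

ORION_HOST = "C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe"
EVENTS = [  # constructed sample events; only the first should alert
    {"ParentImage": ORION_HOST, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c systeminfo"},
    {"ParentImage": ORION_HOST, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c \"C:\\Program Files (x86)\\SolarWinds\\Orion\\collector.bat\""},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]

def alerts(rule=RULE, events=EVENTS):
    """Indices of events that match the rule."""
    return [i for i, e in enumerate(events) if sigma_match(rule, e)]
```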