News of the SolarWinds breach, though still trickling in, is likely not news for most of us at this point. The backdoor, or compromised file behind it is being called SUNBURST and Solarigate, said to come from a threat actor being tracked as “UNC2452” by FireEye and “Dark Halo” by Volexity (others are stating APT29 – aka Cozy Bear – may be involved, though community research has yet to publicly confirm).
One thing that does seem to be clear is that the SolarWinds Orion ‘SUNBURST’ backdoor, which was inserted via a supply-chain attack, appears to have been code that was intended to be used in a targeted manner due to the manual intervention required for exploitation. Beyond that, there is a community consensus that due to the operational security and sophistication of the attack, this breach is showing all of the indicators of an outside nation-state actor having been behind it.
Blumira’s Director of Security, Mike Berhmann, provided a detailed summary of what you need to know about the SolarWinds supply chain malware campaign here. The latest information can be found at CISA’s Supply Chain Compromise page.
SUNBURST Mitigations & Resources
In response to this extremely significant threat, the security community has banded together and provided many different resources to assist in ensuring mitigation as well as we can. CISA (the Cybersecurity and Infrastructure Security Agency) has released a Microsoft PowerShell-based tool that they call Sparrow, which assists in detecting unusual/potentially malicious behavior specifically related to the recent identity and authentication-based attacks.
Microsoft has their Security Response Center. SolarWinds has their Security Advisory page. FireEye has their Github page with a repository of indicators of compromise (IOCs) from the initial public reports, along with significant community contributions. Crowdstrike recently published their Reporting Tool for Azure, in response to the challenges organizations face in auditing their Azure AD permissions.
If you are running SolarWinds Orion software, it is important to note that the versions affected are 2019.4 through 2020.2.1. In their Security Advisory, SolarWinds states that Orion Platform 2020.2.1 HF2 is the recommended software version to use.
Detecting Indicators of Compromise With Blumira
Here at Blumira, we have converted FireEye’s public IOCs into a formal threat feed composed of IP, domain names, and file hashes. New detection rules were deployed that look for matches of those file and network indicators of compromise in all Blumira customers out of an abundance of caution. You can easily get started by checking out Blumira’s Guide to Microsoft Security here and by using these additional free resources from both Blumira and NXLog: