SolarWinds Breach – SUNBURST Trojan – IOCs

Summary:

As of 12/15/20, there have been several high-profile breaches in the media, recently from the U.S Treasury and Commerce departments (12/13) to Information Security company FireEye (12/7). When reports of each of these breaches were first released, they appeared state sponsored, but not necessarily related. However, as more details were released, the scope started to become clear, and it started to appear that these breaches were in fact related. Current reports are indicating that the breaches all came about due to a supply chain attack on SolarWinds’ Orion Platform.

Attackers appear to have gained access through weaponized updates of SolarWinds’ Orion Platform. The updates pushed a digitally signed copy of the SolarWinds.Orion.Core.BusinessLayer.dll containing a backdoor, dubbed SUNBURST.

Vertek’s Response:

Neither Vertek, nor the AlienVault USM products leverage any SolarWinds products in any capacity. Additionally, Vertek is dedicated to providing the latest IOCs in regards to this continually evolving situation, which can be found in our OTX pulse here.

Affected Versions:

The affected versions of the Orion Platform are as follows:

• v2019.4 HF5
• v2020.2 (no hotfix)
• v2020.2 HF1

The known affected software of the Orion Platform are as follows (running an affected version):

• Application Centric Monitor (ACM)
• Database Performance Analyzer Integration Module (DPAIM)
• Enterprise Operations Console (EOC)
• High Availability (HA)
• IP Address Manager (IPAM)
• Log Analyzer (LA)
• Network Automation Manager (NAM)
• Network Configuration Manager (NCM)
• Network Operations Manager (NOM)
• Network Performance Monitor (NPM)
• NetFlow Traffic Analyzer (NTA)
• Server & Application Monitor (SAM)
• Server Configuration Monitor (SCM)
• Storage Resource Monitor (SRM)
• User Device Tracker (UDT)
• Virtualization Manager (VMAN)
• VoIP & Network Quality Manager (VNQM)
• Web Performance Monitor (WPM)

SolarWinds has released patches for the affected versions and recommends that customers update to either v2020.2.1 HF1 or v2019.4 HF6.

The updates can be found at https://customerportal.solarwinds.com/.

 References:

• https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• https://www.solarwinds.com/securityadvisory
• https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/