Thank you for downloading our free tool SunScreen to check for compromised versions of SolarWinds. Below are a few recommendations if you are still concerned about malicious activity associated with the SunBurst malware.

What to look for on your PC or servers:

  • Compromised versions of the DLL named “SolarWinds.Orion.Core.BusinessLayer.dll”
  • The SolarWinds update package “CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp”
  • Malicious network communications disguised under the “Orion Improvement Program”
  • For more Indicators of Compromise see https://github.com/fireeye/sunburst_countermeasu
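
One way to check a Windows host for the two file names listed above, as an added example that is not part of SunScreen or any SpearTip or SolarWinds tooling. The function name `Find-OrionArtifact` and the default search roots are assumptions; the output is meant to be compared against the published Indicators of Compromise.

```powershell
# Added example: locate the two file names from the list above and record
# hash, file version and signature details for each copy found.
# Find-OrionArtifact and the default roots below are hypothetical choices.
function Find-OrionArtifact {
    [CmdletBinding()]
    param(
        # Assumed search roots; pass the real Orion install path if it differs.
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)
    )

    # File names exactly as given in the list above.
    $names = @(
        'SolarWinds.Orion.Core.BusinessLayer.dll',
        'CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp'
    )

    # Skip roots that are empty or missing on this host.
    $existing = $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($dir in $existing) {
        Get-ChildItem -Path $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name } |   # -contains is case-insensitive
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path         = $_.FullName
                    FileVersion  = $_.VersionInfo.FileVersion   # empty for the .msp
                    LastWriteUtc = $_.LastWriteTimeUtc
                    SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # A valid signature does not clear the file on its own;
                    # compare SHA256 and FileVersion with the published indicators.
                    Signature    = $sig.Status
                    Signer       = $sig.SignerCertificate.Subject
                }
            }
    }
}

# Run from an elevated prompt so protected directories are readable.
Find-OrionArtifact | Format-List
```

Finding the DLL only shows that Orion is installed; whether a copy is compromised depends on matching its hash and version against the published indicators.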

What to do next if you feel that your organization is compromised:

  • Call SpearTip’s Security Operations Center – 833.997.7327 to initiate a forensic investigation
  • Per SolarWinds, if your company uses Orion Platform v2020.2 with no hotfix or 2020.2 HF 1, update to version 2020.2.1 HF 1. If Orion Platform v2019.4 HF 5 is in use, update to 2019.4 HF 6.

Recommendations for SolarWinds’ Orion Platform Users on ShadowSpear

  • Validate the ShadowSpear® Platform is updated and running on all critical endpoints.
  • Isolate all SolarWinds servers, including blocking egress, until further review and investigation.
  • Change the passwords for all SolarWinds accounts.

Our proprietary tool, ShadowSpear®, is able to block memory injection performed by SunBurst malware. Current ShadowSpear® partners have been examined for potentially malicious activity.