SpearTip SolarWinds Recommendation Steps

Thank you for downloading our free tool SunScreen to check for compromised versions of SolarWinds. Below are a few recommendations, if you are still concerned about malicious activity associated with SunBurst malware.

What to look for on your PC or servers:

Compromised versions of the DLL named “SolarWinds.Orion.Core.BusinessLayer.dll”
The SolarWinds update package “CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp”
Malicious network communications disguised under the “Orion Improvement Program”
For more Indicators of Compromise see https://github.com/fireeye/sunburst_countermeasu

What to do next if you feel that your organization is compromised:

Call SpearTip’s Security Operations Center – 833.997.7327 to initiate a forensic investigation
Per SolarWinds, if your company uses Orion Platform v2020.2 with no hotfix or 2020.2 HF 1, update to version 2020.2.1. HF 1. If Orion Platform v2019.4 HF 5 is in use, update to 2019.4 HF 6.

Recommendations for SolarWinds’Orion Platform Users on ShadowSpear

Validate the ShadowSpear® Platform is updated and running on all critical endpoints.
Isolating all SolarWinds servers until further review and investigation to include blocking egress
Change all SolarWinds password accounts

Our proprietary tool, ShadowSpear®, is able to block memory injection performed by SunBurst malware. Current ShadowSpear® partners have been examined for potentially malicious activity.

SpearTip SolarWinds Recommendation Steps

Related Articles

DoppelPaymer Rebrands to Grief Threat Group

New Ransomware Appears: BlackMatter & Haron

New ‘AvosLocker’ Ransomware Targets Ohio City

SpearTip SolarWinds Recommendation Steps

Sign Up & Stay Informed

Email Signup

Related Articles

DoppelPaymer Rebrands to Grief Threat Group

New Ransomware Appears: BlackMatter & Haron

New ‘AvosLocker’ Ransomware Targets Ohio City