Thank you for downloading our free tool SunScreen to check for compromised versions of SolarWinds. Below are a few recommendations if you are still concerned about malicious activity associated with the SunBurst malware.
What to look for on your PC or servers:
- Compromised versions of the DLL named “SolarWinds.Orion.Core.BusinessLayer.dll”
- The SolarWinds update package “CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp”
- Malicious network communications disguised under the “Orion Improvement Program”
- For more Indicators of Compromise see https://github.com/fireeye/sunburst_countermeasu
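As an added defender-side triage example (not SpearTip's SunScreen tool or its code), this PowerShell script locates the two files named above, then reports their version, Authenticode status and SHA-256 so an operator can compare them against the SolarWinds advisory and the indicator list linked above; the search roots are an assumption and should be adjusted to where Orion is installed in your environment.

```powershell
# Added triage example, not part of SunScreen. Search roots are an assumption.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData")
)

# File names taken from the indicator list above.
$targets = @(
    'SolarWinds.Orion.Core.BusinessLayer.dll',
    'CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp'
)

$findings = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -File -Include $targets -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path           = $_.FullName
                FileVersion    = $_.VersionInfo.FileVersion
                ProductVersion = $_.VersionInfo.ProductVersion
                LastWriteUtc   = $_.LastWriteTimeUtc
                # A valid signature alone does not clear the file: the trojanized
                # DLL shipped inside a legitimately signed SolarWinds update, so
                # the hash must still be checked against the published indicators.
                SigStatus      = $sig.Status
                Signer         = $sig.SignerCertificate.Subject
                SHA256         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not $findings) {
    Write-Output "No files matching the listed names were found under: $($SearchRoots -join ', ')"
} else {
    $findings | Format-List
}
```

Run it as an administrator on each Orion server and collector host, and keep the output with the case record before isolating or patching the system so the pre-remediation state is preserved for the investigation.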
What to do next if you feel that your organization is compromised:
- Call SpearTip’s Security Operations Center – 833.997.7327 to initiate a forensic investigation
- Per SolarWinds, if your company uses Orion Platform v2020.2 with no hotfix or 2020.2 HF 1, update to version 2020.2.1 HF 1. If Orion Platform v2019.4 HF 5 is in use, update to 2019.4 HF 6.
Recommendations for SolarWinds’ Orion Platform users on ShadowSpear:
- Validate the ShadowSpear® Platform is updated and running on all critical endpoints.
- Isolate all SolarWinds servers until further review and investigation, including blocking egress traffic
- Change the passwords on all SolarWinds accounts
Our proprietary tool, ShadowSpear®, is able to block memory injection performed by SunBurst malware. Current ShadowSpear® partners have been examined for potentially malicious activity.