SpearTip’s SOC has been analyzing the recent attack on SolarWinds that appears to be a targeted supply chain attack on numerous organizations. During the attack, the threat actor was able to embed malware in apparently legitimate versions of the SolarWinds Orion software and specifically the versions v2019.4 HF to v2020.2.
Within these versions, hidden malware gave the threat actor remote access. The malicious code was hidden within a DLL named Orion.Core.BusinessLayer.dll. This DLL was included within update packages downloaded from the SolarWinds website.
The DLL and associated malware has been dubbed SUNBURST. The malware, after two weeks of dormancy, would begin to beacon out to Command and Control (C2) Servers for instructions. These instructions enabled the threat actor to perform malicious tasks, including modifying files, the registry and processes, and even exfiltrating files from a network. All of the communications are disguised under the name of the “Orion Improvement Program” that emulated legitimate Orion software network activity.
Many organizations are concerned about vulnerabilities related to SUNBURST and compromised versions of SolarWinds. To help IT and security teams identify potentially compromised versions of SolarWinds, SpearTip has released a free tool called SunScreen SPF 10. We hope that this simple tool will help root out compromised versions and also enable the detection of potentially malicious activity. To download the current version of the tool, please use the links below.
If you would like to contribute to the project or receive a notification as we add features based on emerging indicators of compromise, please see our GitHub project below. As SpearTip begins to adapt to the changes forthcoming, versioning will be released in increments of SPF 10, SPF 20, SPF 30, and so on.
ShadowSpear® Neutralize actively prevents malicious programs from injecting into memory, and our Security Operations Center works 24/7 to respond to such events. Fortunately, ShadowSpear® stopped malicious activity associated with SunBurst in several environments.
SpearTip Also Recommends to our Clients:
- Per SolarWinds, if your company uses Orion Platform v2020.2 with no hotfix or 2020.2 HF 1, update to version 2020.2.1. HF 1. If Orion Platform v2019.4 HF 5 is in use, update to 2019.4 HF 6.
- Validate the ShadowSpear® Platform is updated and running on all critical endpoints.
- Isolating all SolarWinds servers from the network until further review and investigation to include blocking egress.
- Change all SolarWinds credentials.
If there are any additional questions concerning this incident, please do not hesitate to reach out to the Security Operations Center at 833.997.7327.