SpearTip’s SOC has been analyzing the recent attack on SolarWinds, which appears to be a targeted supply chain attack affecting numerous organizations. The threat actor embedded malware in otherwise legitimate builds of the SolarWinds Orion Platform, specifically versions 2019.4 HF 5 through 2020.2.1.
Within these versions, the hidden malware gave the threat actor remote access. The malicious code was placed in a DLL named SolarWinds.Orion.Core.BusinessLayer.dll, which shipped inside update packages downloaded from the SolarWinds website. The DLL carried a valid SolarWinds code-signing signature, so checking the Authenticode signature alone does not reveal the tampering; the file hash and its contents do.
The backdoored DLL and its malware have been dubbed SUNBURST. After a dormancy period of up to roughly two weeks, the malware begins beaconing to command and control (C2) servers for instructions. Those instructions let the threat actor perform malicious tasks, including modifying files, registry keys and processes, and exfiltrating files from the network. All of the communications are disguised as the “Orion Improvement Program” (OIP) protocol, which mimics legitimate Orion network activity.
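The first thing a responder wants from the description above is a repeatable way to find every copy of that DLL on a host and decide whether it is the backdoored build. The script below is an added example written for this page; it is not SpearTip’s SunScreen tool and not SolarWinds code. It walks a directory tree, hashes each SolarWinds.Orion.Core.BusinessLayer.dll it finds, compares the SHA-256 against a caller-supplied list of known-bad hashes (none are embedded; take them from your IOC feed or the vendor advisory), and additionally searches the file body for the type name OrionImprovementBusinessLayer, which public analyses of SUNBURST report inside the trojanised assembly. The sample files it builds in a temporary directory are constructed stand-ins, not real Orion binaries.

```python
"""Offline SUNBURST DLL check (added example, not SpearTip's or SolarWinds' code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# File name compared case-insensitively, since NTFS is case-preserving only.
TARGET_DLL = "solarwinds.orion.core.businesslayer.dll"
# Type name reported by public SUNBURST analyses inside the backdoored DLL.
# .NET metadata stores type names as plain UTF-8, so a byte search suffices.
MARKER = b"OrionImprovementBusinessLayer"


@dataclass
class Finding:
    path: str
    sha256: str
    hash_match: bool      # digest is on the caller-supplied known-bad list
    marker_found: bool    # backdoor type name present in the file body

    @property
    def suspicious(self) -> bool:
        return self.hash_match or self.marker_found


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def contains_marker(path: str, marker: bytes = MARKER, chunk: int = 1 << 20) -> bool:
    """Streamed substring search; keeps a tail so a marker that straddles
    a chunk boundary is still caught."""
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            if marker in tail + block:
                return True
            tail = block[-(len(marker) - 1):]
    return False


def scan_tree(root: str, known_bad) -> list:
    """Return a Finding for every copy of the target DLL under root."""
    bad = {h.lower() for h in known_bad}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_DLL:
                continue
            p = os.path.join(dirpath, name)
            digest = sha256_of(p)
            findings.append(Finding(p, digest, digest in bad, contains_marker(p)))
    return findings


def build_demo_tree() -> str:
    """Constructed sample data: one benign-looking copy and one carrying the
    marker. These are not real Orion binaries."""
    root = tempfile.mkdtemp(prefix="orion_demo_")
    clean = os.path.join(root, "Orion", "SolarWinds.Orion.Core.BusinessLayer.dll")
    bad = os.path.join(root, "Backup", "SolarWinds.Orion.Core.BusinessLayer.dll")
    os.makedirs(os.path.dirname(clean))
    os.makedirs(os.path.dirname(bad))
    with open(clean, "wb") as f:
        f.write(b"MZ" + b"\0" * 64 + b"SolarWinds.Orion.Core.BusinessLayer")
    with open(bad, "wb") as f:
        f.write(b"MZ" + b"\0" * 64 + MARKER)
    return root


def demo() -> list:
    """Run the scan over the constructed tree, treating the hash of the
    constructed bad file as if it had come from an IOC feed."""
    root = build_demo_tree()
    bad_path = os.path.join(root, "Backup", "SolarWinds.Orion.Core.BusinessLayer.dll")
    results = scan_tree(root, known_bad=[sha256_of(bad_path)])
    return sorted(results, key=lambda r: r.path)


if __name__ == "__main__":
    for f in demo():
        flags = ("hash" if f.hash_match else "") + (" marker" if f.marker_found else "")
        print("SUSPECT" if f.suspicious else "ok     ", f.path, f.sha256[:16], flags.strip())
```

On a real host, point scan_tree at the Orion install directory and any backup or package-cache locations, and feed it the vendor-published hashes; a copy that matches neither the hash list nor the marker is not proof of a clean build, only the absence of these two indicators, so pair the result with the installed Orion version and the C2 beaconing checks described on this page.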
Many organizations are concerned about vulnerabilities related to SUNBURST and compromised versions of SolarWinds. To help IT and security teams identify potentially compromised versions of SolarWinds, SpearTip has released a free tool called SunScreen SPF 10. We hope that this simple tool will help root out compromised versions and also enable the detection of potentially malicious activity. To download the current version of the tool, please use the links below.
If you would like to contribute to the project or be notified as we add features based on emerging indicators of compromise, please see our GitHub project below. As the tool is updated for new indicators, releases will be numbered SPF 10, SPF 20, SPF 30, and so on.
ShadowSpear® Neutralize actively prevents malicious programs from injecting into memory, and our Security Operations Center works 24/7 to respond to such events. ShadowSpear® stopped malicious activity associated with SUNBURST in several client environments.
SpearTip Also Recommends to our Clients:
If there are any additional questions concerning this incident, please do not hesitate to reach out to the Security Operations Center at 833.997.7327.
24/7 Breach Response: US/CAN: 833.997.7327
Main Office: 800.236.6550
1714 Deer Tracks Trail, Suite 150
St. Louis, MO 63131
©2024 SpearTip, LLC. All rights reserved.