Caleb Boma | December 16th, 2020


SpearTip’s SOC has been analyzing the recent attack on SolarWinds, which appears to be a targeted supply chain attack on numerous organizations. During the attack, the threat actor was able to embed malware in apparently legitimate versions of the SolarWinds Orion software, specifically versions v2019.4 HF through v2020.2.

Details of SolarWinds’ Orion Vulnerability

Within these versions, hidden malware gave the threat actor remote access. The malicious code was hidden within a DLL named Orion.Core.BusinessLayer.dll. This DLL was included within update packages downloaded from the SolarWinds website.

The DLL and associated malware have been dubbed SUNBURST. The malware, after two weeks of dormancy, would begin to beacon out to Command and Control (C2) Servers for instructions. These instructions enabled the threat actor to perform malicious tasks, including modifying files, the registry and processes, and even exfiltrating files from a network. All of the communications are disguised under the name of the “Orion Improvement Program” which emulates legitimate Orion software network activity.

Many organizations are concerned about vulnerabilities related to SUNBURST and compromised versions of SolarWinds. To help IT and security teams identify potentially compromised versions of SolarWinds, SpearTip has released a free tool called SunScreen SPF 10. We hope that this simple tool will help root out compromised versions and also enable the detection of potentially malicious activity. To download the current version of the tool, please use the links below.

Download SunScreen SPF

If you would like to contribute to the project or receive a notification as we add features based on emerging indicators of compromise, please see our GitHub project below. As SpearTip begins to adapt to the changes forthcoming, versioning will be released in increments of SPF 10, SPF 20, SPF 30, and so on.

SpearTip Github

ShadowSpear® Neutralize actively prevents malicious programs from injecting into memory, and our Security Operations Center works 24/7 to respond to such events. Fortunately, ShadowSpear® stopped malicious activity associated with SunBurst in several environments.

SpearTip Also Recommends to our Clients:

  • Per SolarWinds, if your company uses Orion Platform v2020.2 with no hotfix or 2020.2 HF 1, update to version 2020.2.1 HF 1. If Orion Platform v2019.4 HF 5 is in use, update to 2019.4 HF 6.
  • Validate the ShadowSpear® Platform is updated and running on all critical endpoints.
  • Isolate all SolarWinds servers from the network, including blocking egress, until further review and investigation is complete.
  • Change all SolarWinds credentials.
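The two checks above (is the installed Orion version one the advisory names, and does a copy of the trojanized DLL sit in the install tree) can be scripted. The following is an added example written for this article; it is not SpearTip’s SunScreen SPF tool and not SolarWinds code. It assumes Orion version strings of the form "2019.4 HF 5" or "2020.2.1 HF 1", and the SHA-256 IoC list it compares against is a placeholder the operator must fill from a trusted source, since this article publishes no hashes.

```python
"""Triage helper for the SolarWinds Orion / SUNBURST advisory above.

Added example, not SpearTip's SunScreen tool. Assumptions: Orion version
strings look like "2020.2", "2019.4 HF 5" or "2020.2.1 HF 1"; the DLL name
is the one named in the article; the IoC hash list is a placeholder.
"""
import hashlib
import re
from pathlib import Path

# Matches "v2020.2.1 HF 1", "2019.4 HF 5", "2020.2" (case-insensitive).
VERSION_RE = re.compile(
    r"^v?(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE
)

# Remediation table transcribed from the article's recommendations.
# Key: (year, minor, patch, hotfix) -> action.
ADVISORY = {
    (2020, 2, 0, 0): "update to 2020.2.1 HF 1",
    (2020, 2, 0, 1): "update to 2020.2.1 HF 1",
    (2019, 4, 0, 5): "update to 2019.4 HF 6",
}
FIXED = {(2020, 2, 1, 1), (2019, 4, 0, 6)}

DLL_NAME = "Orion.Core.BusinessLayer.dll"  # name as given in the article

# PLACEHOLDER: replace with SHA-256 IoCs from a trusted advisory feed.
KNOWN_BAD_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000000"}


def parse_version(text):
    """Normalise an Orion version string to (year, minor, patch, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hf = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hf or 0))


def triage_version(text):
    """Map an installed version to (status, action) per the article."""
    v = parse_version(text)
    if v in ADVISORY:
        return ("affected", ADVISORY[v])
    if v in FIXED:
        return ("fixed", "no action required by this advisory")
    return ("unknown", "version not named in the advisory; check vendor guidance")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad(digest, iocs=KNOWN_BAD_SHA256):
    """True when a hex SHA-256 digest appears in the operator's IoC set."""
    return digest.lower() in {h.lower() for h in iocs}


def find_dll_copies(install_root, name=DLL_NAME):
    """Return every copy of the DLL under the Orion install directory."""
    return sorted(str(p) for p in Path(install_root).rglob(name))


def audit(install_root, installed_version, iocs=KNOWN_BAD_SHA256):
    """Combine the version check and the DLL hash check into one report."""
    status, action = triage_version(installed_version)
    report = {"version": installed_version, "status": status, "action": action,
              "dll_hits": []}
    for path in find_dll_copies(install_root, DLL_NAME):
        digest = sha256_file(path)
        report["dll_hits"].append(
            {"path": path, "sha256": digest, "ioc_match": is_known_bad(digest, iocs)}
        )
    return report


if __name__ == "__main__":
    import json
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\SolarWinds\Orion"
    ver = sys.argv[2] if len(sys.argv) > 2 else "2020.2 HF 1"
    print(json.dumps(audit(root, ver), indent=2))
```

Run it on the Orion server with the install directory and the version shown in the Orion web console; a non-empty `dll_hits` list with `ioc_match` true, or a status of `affected`, is the cue to follow the isolation and credential-rotation steps listed above. The hash check is only as good as the IoC list supplied, so keep that list sourced from the vendor or a trusted threat-intelligence feed rather than this placeholder.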

If there are any additional questions concerning this incident, please do not hesitate to reach out to the Security Operations Center at 833.997.7327.
