So SolarStorm, the SolarWinds supply chain hack... yeah, you might have heard about it?
SolarWinds' build and update pipeline was compromised. What that means is that a trojanized build of the SolarWinds Orion Platform, carrying a valid SolarWinds code signature, was pushed out to customers through the vendor's normal update channel. The infected build contained a backdoor named SUNBURST, so when customers installed the update they installed the backdoor along with it. SUNBURST sits dormant for up to two weeks, then reaches out to the attackers' command-and-control infrastructure over DNS and lets them run commands on the Orion server, move laterally, and exfiltrate data. Basically whatever they want.
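Since the backdoor's first observable move on most networks was the DNS beacon, a quick win is sweeping DNS query logs for lookups of the known C2 domain. The script below is an added example, not code from this post or from any of the vendors linked here. The one real watchlist entry, avsvmcloud.com, is the SUNBURST command-and-control domain documented in the FireEye write-up linked further down; the log lines, client addresses and the subdomain label are constructed for the example, and the BIND-style query log format is an assumption you should adapt to whatever your resolver emits.

```python
"""Sweep BIND-style DNS query logs for lookups of SUNBURST C2 domains (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Watchlist of C2 domains. avsvmcloud.com is the SUNBURST C2 domain from the
# FireEye write-up; extend this set with domains from the vendor IOC lists.
C2_DOMAINS: Set[str] = {"avsvmcloud.com"}

# Pulls the query name and type out of a BIND query log line such as
#   "... client 10.0.0.5#53411 (www.example.com): query: www.example.com IN A + (10.0.0.1)"
# The exact layout is an assumption; adjust the regex for your resolver's format.
_QUERY_RE = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>[A-Z0-9]+)")

# Constructed sample log. Line 2 is a beacon to a subdomain of the C2 domain (the
# leading label is made up; real SUNBURST labels encoded the victim's AD domain).
# Line 3 is a decoy that merely contains the C2 domain as a prefix and must NOT match.
SAMPLE_LOG = """\
14-Dec-2020 09:14:02.117 queries: info: client 10.20.30.40#51234 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (10.20.30.1)
14-Dec-2020 09:14:07.522 queries: info: client 10.20.30.41#60211 (constructedlabel0001.appsync-api.us-west-2.avsvmcloud.com): query: constructedlabel0001.appsync-api.us-west-2.avsvmcloud.com IN A + (10.20.30.1)
14-Dec-2020 09:14:08.001 queries: info: client 10.20.30.41#60212 (avsvmcloud.com.decoy.example): query: avsvmcloud.com.decoy.example IN A + (10.20.30.1)
14-Dec-2020 09:14:09.330 queries: info: client 10.20.30.42#49001 (updates.solarwinds.com): query: updates.solarwinds.com IN CNAME + (10.20.30.1)
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_watchlist(qname: str, watchlist: Set[str] = C2_DOMAINS) -> Optional[str]:
    """Return the watchlist domain that qname equals or is a subdomain of, else None.

    Matching is done on whole labels from the right, so 'avsvmcloud.com.decoy.example'
    does not match while 'x.y.avsvmcloud.com' does. A plain substring check would
    get the first case wrong.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str], watchlist: Set[str] = C2_DOMAINS) -> List[Dict[str, object]]:
    """Return one hit record per log line whose query name is on the watchlist."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = _QUERY_RE.search(line)
        if not m:
            continue  # not a query log line (or a format we do not parse)
        matched = matches_watchlist(m.group("qname"), watchlist)
        if matched:
            hits.append({
                "line": lineno,
                "qname": normalize(m.group("qname")),
                "qtype": m.group("qtype"),
                "matched": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['qname']} ({hit['qtype']}) -> {hit['matched']}")
```

Run it against a real query log with `scan_dns_log(open("query.log"))`. A hit only tells you a host resolved the C2 domain; confirm by checking that host for the Orion versions listed in the SolarWinds advisory below and by following the vendor response guidance.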
Updated SolarWinds Attack Lifecycle:
What should you do now:
As information starts to come out and the initial freak-out calms down, we are learning more about the impact of this compromise, and it is pretty huge. I wanted to gather the vendor advisories, analyses and detection tooling in one place so fellow nerds have a single source of reliable information.
SolarWinds
- Security Advisory https://www.solarwinds.com/securityadvisory
FireEye
- Initial write-up on the SUNBURST backdoor https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- Countermeasures (detection signatures and IOCs) https://github.com/fireeye/sunburst_countermeasures
CISA
- Emergency Directive 21-01 https://cyber.dhs.gov/ed/21-01/
Palo Alto Networks Unit 42
- Analysis of SUNBURST https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
Check Point
- SolarWinds SUNBURST attack: what you need to know https://blog.checkpoint.com/2020/12/16/solarwinds-sunburst-attack-what-do-you-need-to-know/
Cisco
Splunk
- SUNBURST backdoor detections in Splunk https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
McAfee
Microsoft
- Ensuring customers are protected from Solorigate (pretty tough to get through :( ) https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
- Customer guidance on recent nation-state cyber attacks https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Infoblox
Elastic (Elastic Security)
- Free and open protections for SUNBURST https://www.elastic.co/blog/elastic-security-provides-free-and-open-protections-for-sunburst
CrowdStrike
- Assessing the SolarWinds hack with CrowdStrike's tooling https://www.crowdstrike.com/blog/tech-center/assess-solarwinds/