Wednesday, April 24, 2024

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library

Home
Security Creators Network
Webinars
Events
- Upcoming Events
- On-Demand Events
Sponsored Content
Chat
Library
Related Sites
Media Kit
About
Sponsor

Analytics
AppSec
CISO
Cloud
DevOps
GRC
Identity
Incident Response
IoT / ICS
Threats / Breaches
More
Humor

Hot Topics

Back to Security Basics
Miggo Unfurls Real-Time Application Detection and Response Platform
Test & Evaluation Techniques for Meeting M-24-10 Mandates to Manage Generative AI Risk
From Caesar to Cyberspace: The Growing Menace of Obfuscated Phishing Scams
HHS Strengthens Privacy of Reproductive Health Care Data

DevOps Malware Security Bloggers Network

Home » Cybersecurity » DevOps » Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye)

Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye)

by Chetan Conikee on December 17, 2020

Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye)

First, let me be clear that I have no insider knowledge. This is my best guess at what occurred, based on publicly available information here (FireEye) and others indicated in references section below.

FireEye discovered the supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware they call SUNBURST. This report is a must read to understand details associated to this incident.

https://www.zdnet.com/article/sec-filings-solarwinds-says-18000-customers-are-impacted-by-recent-hack/

Locations of DLL

https://gist.github.com/KyleHanslovan/0c8a491104cc55d6e4bd9bff7214a99e

https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/orion_platform_administrator_guide.htm

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

IOC — (Indicator of Compromise) to hunt in DNS logs + full PCAP

DGA generated C2 Domain : avsvmcloud[.]com
Understanding Domain Generation Algorithms (DGA)
C2 domain for malware to connect to, retrieved via CNAME from DGA-generated C2
freescanonline[.]com
deftsecurity[.]com
thedoccloud[.]com
websitetheme[.]com
highdatabase[.]com
incomeupdate[.]com
databasegalore[.]com
panhardware[.]com
Zupertech[.]com
Virtualdataserver[.]com
digitalcollege[.]org
Malicious DLL (SolarWinds.Orion.Core.BusinessLayer.dll) beacons out to C2 infra (as indicated below) to get additional payloads and commands (backdoor)

https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

FireEye notes that if the malware resolves the domain to a private IP address, it will not execute.

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Command data is spread across multiple strings that are disguised as GUID and HEX strings.

— @KyleHanslovan

References

FireEye Advisory : https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Jake Williams tweet stream : https://twitter.com/MalwareJake/status/1338641921846239232
Kyle Hanslovan / DLL Locations https://gist.github.com/KyleHanslovan/0c8a491104cc55d6e4bd9bff7214a99e
Decompile of the SolarWinds “SUNBURST” Trojan associated with Campaign UNC2452 (for those interested in RE’ing or Static Code Analysis) https://github.com/Shadow0ps/solorigate_sample_source/tree/main
Play by Play tweet stream analyzing decompiled source code https://twitter.com/Shadow0pz/status/1338616137001693184

Techstrong Con 2024

Sponsorships Available

Sponsorships Available

Sponsorships Available

Visual Notes : SolarWinds Supply Chain compromise using SUNBURST backdoor (detected by FireEye) was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Recent Articles By Author

The Optus Breach: How Bad Code Keeps Happening to Good Companies
Log4Shell : JNDI Injection via Attackable Log4J
Evolving Threat series — Infiltrating NPM’s Supply Chain (UA-Parser-js)

More from Chetan Conikee

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/visual-notes-solarwinds-supply-chain-compromise-using-sunburst-backdoor-detected-by-fireeye-561e097fff3c?source=rss----86a4f941c7da---4

December 17, 2020December 17, 2020 Chetan Conikee cyber, Cybersecurity, DEVOPS, Malware, security

← Hackers and Cyberthreats Are Relentless
Enterprises Increase Security Spending but not Efficacy →

Techstrong TV

Click full-screen to enable volume control

Watch latest episodes and shows

Upcoming Webinars

Mastering AI Security Posture Management for Cloud Security Professionals

Building better AppSec programs with ASPM

The Promise and Perils of AI

How Are You Protecting Your Company from API Security Breaches?

How Many Types of SBOM Are There?

Podcast

Listen to all of our podcasts

Press Releases

GoPlus's Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

Zama Raises $73M in Series A Lead by Multicoin Capital and Protocol Labs to Commercialize Fully Homomorphic Encryption

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

ThreatHunter.ai Halts Hundreds of Attacks in the past 48 hours: Combating Ransomware and Nation-State Cyber Threats Head-On

Subscribe to our Newsletters

Most Read on the Boulevard

LabHost Phishing Platform is Latest Target of International Law Agencies

Akira Ransomware Group Takes in $42 Million From 250 Attacks in a Year

BreachRx Gets $6.5 Million to Automate Security Incident Response

UnitedHealth: Ransomware Attackers Stole Huge Amount of Data

Oak Ridge, McCrary Institute Establish Cybersecurity Center Focused on Electrical Grid

Review: ‘Artificial Intelligence — A Primer for State and Local Governments’

The 10 Women in Cybersecurity You Need to Follow

Choosing SOC Tools? Read This First [2024 Guide]

Scaling Application Security With Application Security Posture Management (ASPM)

What is Mobile Application Security Testing? Explained

Industry Spotlight

Cyberlaw Cybersecurity Data Privacy Data Security Featured Industry Spotlight Mobile Security Network Security News Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight

HHS Strengthens Privacy of Reproductive Health Care Data

April 23, 2024 Jeffrey Burt | Yesterday 0

Cloud Security Cybersecurity Data Privacy Data Security Featured Identity & Access Incident Response Industry Spotlight Malware Network Security News Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Spotlight Threats & Breaches

UnitedHealth: Ransomware Attackers Stole Huge Amount of Data

April 23, 2024 Jeffrey Burt | Yesterday 0

API Security Application Security Cloud Security Cloud Security Cyberlaw Cybersecurity Data Privacy Deep Fake and Other Social Engineering Tactics Editorial Calendar Featured Governance, Risk & Compliance Humor Identity & Access Identity and Access Management Industry Spotlight Insider Threats IOT IoT & ICS Security Mobile Security Most Read This Week News Popular Post Regulatory Compliance Securing the Cloud Security Awareness Security Boulevard (Original) Social - Facebook Social - LinkedIn Social - X Social Engineering Spotlight Threats & Breaches Zero-Trust

House Passes Privacy-Preserving Bill, but Biden Blasts it

April 18, 2024 Richi Jennings | Apr 18 0

Top Stories

AI and Machine Learning in Security API Security Application Security AppSec Featured Identity & Access News Security Boulevard (Original) Social - Facebook Social - X

Miggo Unfurls Real-Time Application Detection and Response Platform

April 23, 2024 Michael Vizard | Yesterday 0

Cybersecurity News Ransomware Regulatory Compliance Securing the Edge Security Awareness Security Boulevard (Original) Social - Facebook Social - X Threats & Breaches

Oak Ridge, McCrary Institute Establish Cybersecurity Center Focused on Electrical Grid

April 23, 2024 Nathan Eddy | Yesterday 0

Careers Cybersecurity Featured News Security Boulevard (Original) Social - Facebook Social - X

Women in Cybersecurity Face Continued Pay Disparities

April 23, 2024 Nathan Eddy | Yesterday 0

Security Humor

Randall Munroe’s XKCD ‘Scary Triangles’

Randall Munroe’s XKCD ‘Scary Triangles’

Download Free eBook

The State of Cloud Native Security 2020

Join the Community

Add your blog to Security Creators Network
Write for Security Boulevard
Bloggers Meetup and Awards
Ask a Question
Email: [email protected]

Useful Links

About
Media Kit
Sponsor Info
Copyright
TOS
DMCA Compliance Statement
Privacy Policy

Related Sites

Techstrong Group
Cloud Native Now
DevOps.com
Digital CxO
Techstrong Research
Techstrong TV
Techstrong.tv Podcast
DevOps Chat
DevOps Dozen
DevOps TV

Powered by Techstrong Group

Copyright © 2024 Techstrong Group Inc. All rights reserved.