Hot Topics

STAGE2

SEC-T 0x0D: Erik Hjelmvik - Hiding in Plain Sight - How the SolarWinds Hack Went Undetected

How the SolarWinds Hack (almost) went Undetected

| | ascii-art, backdoor, C2, dns, SEC-T, SolarWinds, Solorigate, Stage 2, STAGE2, SUNBURST, video, YouTube
My lightning talk from the SEC-T 0x0D conference has now been published on YouTube. This 13 minute talk covers tactics and techniques that the SolarWinds hackers used in order to avoid being ...
NETRESEC Network Security Blog
SolarWinds Backdoor State Diagram

Targeting Process for the SolarWinds Backdoor

| | avsvmcloud.com, backdoor, C2, CNAME, dns, fireeye, Microsoft, SolarWinds, Solorigate, Stage 2, STAGE2, SUNBURST, targeted
The SolarWinds Orion backdoor, known as SUNBURST or Solorigate, has been analyzed by numerous experts from Microsoft, FireEye and several anti-virus vendors. However, we have noticed that many of the published reports ...
NETRESEC Network Security Blog
23 SUNBURST Targets Identified

Twenty-three SUNBURST Targets Identified

| | avsvmcloud.com, CERT-SE, CNAME, dns, fireeye, Microsoft, Passive DNS, pDNS, SecureList, SolarWinds, Solorigate, STAGE2, SUNBURST, VriesHd
Remember when Igor Kuznetsov and Costin Raiu announced that two of the victims in FireEye's SUNBURST IOC list were ***net.***.com and central.***.gov on Kaspersky's Securelist blog in December? Reuters later reported that ...
NETRESEC Network Security Blog
Were you targeted by SUNBURST? Image credit: NASA

Robust Indicators of Compromise for SUNBURST

| | 22334A7227544B1E, avsvmcloud, avsvmcloud.com, CNAME, Cobalt Strike, dns, Indicators, IOC, NetBIOS, Palo Alto, paloaltonetworks, SolarStorm, SolarWinds, STAGE2, SUNBURST
There has been a great deal of confusion regarding what network based Indicators of Compromise (IOC) SolarWinds Orion customers can use to self assess whether or not they have been targeted after ...
NETRESEC Network Security Blog
Sunburst stages 1 to 3 (passive, associated and active)

Finding Targeted SUNBURST Victims with pDNS

| | 1dbecfd99ku6fi2e5fjb, 2039AFE13E5307A1, 22334A7227544B1E, 4n4vte5gmor7j9lpegsf, 5qbtj04rcbp3tiq8bo6t, associated, avsvmcloud, C2, deftsecurity, DNSSEC, E258332529826721, ext, flag, freescanonline, Netresec, pDNS, SolarWinds, Solorigate, STAGE2, SUNBURST, SunburstDomainDecoder, thedoccloud
Our SunburstDomainDecoder tool can now be used to identify SUNBURST victims that have been explicitly targeted by the attackers. The only input needed is passive DNS (pDNS) data for avsvmcloud.com subdomains. Companies ...
NETRESEC Network Security Blog