SolarWinds Orion Supply Chain (SUNBURST) Backdoor
On December 13th, the security firm FireEye released the details of a sophisticated manual supply chain attack that affects SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 (with no hotfix installed) or 2020.2 HF 1. The threat actors involved were able to incorporate a malicious “SolarWinds.Orion.Core.BusinessLayer.dll” dubbed Sunburst into the SolarWinds Orion software distribution, which was digitally signed by SolarWinds. The malicious .DLL remains dormant for up to two weeks, where it then connects to several command-and-control servers, where it has the ability to conduct “Jobs”, which allow activities such as transfer of files, execution of files, system enumeration, and more. After initial compromise, the threat actors utilize available remote access tools and valid credentials within the environment to appear as legitimate traffic. Additional tools have also been deployed, one called Teardrop, an in-memory only dropper, being used in this campaign to pull a custom version of Cobalt Strike onto affected systems. SolarWinds recommends updating to Orion version 2020.2.2, which was made available Tuesday December 15th, 2020. More details, as well as further mitigation may be found at: https://www.solarwinds.com/securityadvisory.
Frontline.Cloud Active Threat Sweep (ATS) can identify the malicious Sunburst DLL file and received additional associated detections with NIRV release 3.0.67.2, released December 15th, 2020. Please contact your Client Advocate, if you do not currently subscribe to ATS.
EDIT 12/17/2020: Update to correct the description of the Teardrop tool.