On December 13, FireEye and Microsoft released information regarding a newly discovered campaign in which nation-state actors leveraged access to the SolarWinds Orion Platform. The SolarWinds Orion Platform is used for IT infrastructure management in many government agencies and corporate networks. The nation-state actors compromised the SolarWinds supply chain to trojanize its software updates and gain access to SolarWinds’ customers. In response, the United States Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive instructing US Government agencies to disconnect or power down SolarWinds Orion products immediately. Several departments and agencies are known to be compromised, and a Cyber Unified Coordination Group has been established to respond to this incident.
CTA members are working to identify and assist their customers who may be at risk from this incident, and are publishing blogs and reports detailing their actions, as well as protections and mitigations that would be helpful for response efforts. As part of this effort, CTA members are sharing information to ensure that we are coordinated and working together for the greater good. In this blog we provide links to our members’ reports and updates related to this incident.
As of February 10, 2021, this blog is no longer being regularly updated.
Anomali
- Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds
- Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack
- FireEye, SolarWinds Hacks Show That Detection Is Key to Solid Defense
Check Point
- Deep into the SunBurst Attack
- Are Your Endpoints Affected by the SolarWinds Sunburst Attack?
- Webinar Replay: SolarWinds Attack: Insights and Advice from Check Point’s Head of Incident Response
- Use Infinity SOC to Find Out if You Are Affected by the SolarWinds Sunburst Hack
- SUNBURST, TEARDROP and the NetSec New Normal
- Best Practice: Identifying and Mitigating The Impact of Sunburst
- SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected
- Check Point Response to SolarWinds Supply Chain Attack
Cisco
- Talos Takes Ep. #39: SolarWinds’ implications for IoT and OT
- Talos Takes Ep. #37: What’s With All This Talk About Supply Chain Attacks?
- The SolarWinds Orion Breach, and What You Should Know
- Pinpoint Your SolarWinds Exposure with Cisco Endpoint Security Analytics
- Cisco Secure Workload Immediate Actions in Response to “SUNBURST” Trojan and Backdoor
- SolarWinds Orion Platform Supply Chain Attack
- Cisco Event Response: SolarWinds Orion Platform Software Attack
- Threat Advisory: SolarWinds Supply Chain Attack
- FireEye Breach Detection Guidance
Dragos
- SolarWinds Compromise and ICS/OT Networks Webinar Recording
- Responding to the SolarWinds Software Compromise in Industrial Environments
ElevenPaths – Telefónica Cyber Security Company
Fortinet
- Latest CISA Malware Analysis Report for SolarWinds Activity (SUPERNOVA)
- Supply Chain Attack on SolarWinds Orion Platform Affecting Multiple Organizations Worldwide (APT29)
- What We Have Learned So Far About The “Sunburst”/SolarWinds Hack
- FireEye Red Team Tool Breach
McAfee
- Special Edition Webinar: Combating SolarWinds Supply Chain and SUNBURST Backdoor – from Device to Cloud
- Why SolarWinds-SUNBURST is our Cyber Pearl Harbor
- How a Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise
- Additional Analysis Into the SUNBURST Backdoor
- SUNBURST Malware and SolarWinds Supply Chain Compromise
- McAfee Coverage for SolarWinds Sunburst Backdoor
Palo Alto Networks
- Cortex XDR: Fortify the SOC Against SolarStorm, Variants and Imitators
- Understanding the SolarStorm Threat
- SolarStorm Supply Chain Attack Timeline
- You Think You’re Prepared for the Next SolarWinds. You Are Not.
- Palo Alto Networks Rapid Response: Navigating the SolarStorm Attack
- SUPERNOVA: SolarStorm’s Novel .NET Webshell
- Cortex XSOAR for SolarStorm Breach Rapid Response
- Expanse Reveals SolarWinds Exposures and Attacker Communications
- Threat Brief: SolarStorm and SUNBURST Customer Coverage
- Threat Brief: FireEye Red Team Tool Breach
Panda Security
Radware
Rapid7
- SonicWall SNWLID-2021-0001 Zero-Day and SolarWinds’ 2021 CVE Trifecta: What You Need to Know
- Update on SolarWinds Supply-Chain Attack: SUNSPOT and New Malware Family Associations
- SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know
ReversingLabs
- On-Demand Webinar: Lessons Learned from the SolarWinds SunBurst Attack
- SunBurst: The Next Level of Stealth
SecurityScorecard
SonicWall
Sophos
- MTR Casebook: Uncovering a Backdoor Implant In a SolarWinds Orion Server
- How SunBurst Malware Does Defense Evasion
- Incident Response Playbook for Responding to SolarWinds Orion Compromise
- SolarWinds Breach: How to Identify if You Have Been Affected
- Reassuring Sophos Customers Following the Theft of Mandiant/FireEye Tools
Symantec – A Division of Broadcom
- SolarWinds: How Sunburst Sends Data Back to the Attackers
- Raindrop: New Malware Discovered in SolarWinds Investigation
- SolarWinds: Insights into Attacker Command and Control Process
- SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar
- SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection
- Sunburst: Supply Chain Attack Targets SolarWinds Users
VMware
- VMware Issues Updated Statement on SolarWinds Supply Chain Compromise and CVE-2020-4006
- TAU Threat Analysis: Insights on the SolarWinds Breach
(Last updated 3:15PM EST, February 10, 2021)