CyFIR Enterprise Provides Tools for Rapid Assessment of SolarWinds SUNBURST Attack

By CyFIR

On December 8, 2020, cybersecurity company FireEye announced that it had discovered, and been victimized by, a global intrusion campaign delivered through trojanized updates to SolarWinds’ Orion IT monitoring and management software. FireEye is tracking the actors as “UNC2452” and has named the malware “SUNBURST.”[1],[2] CyFIR LLC and its CyFIR Enterprise digital forensics investigation and incident response platform were not affected by this attack.

SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) are currently being exploited by malicious actors. Government agencies have been directed to forensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion affected versions and to power-down those products immediately while they identify and remove all threat actor-controlled accounts and identified persistence mechanisms.[3] CyFIR has the ability to remotely image full system RAM, individual processes in memory, complete storage devices/hard drives in a forensic image, and individual files—down the hall or across the globe, all from a single analyst’s workstation.

Cybersecurity vendor Sophos published a list of indicators of compromise linked to the attack so far (https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv), which can be used to help determine whether a system has been affected. These indicators include filenames, website domains, IP addresses, and SHA256 hash values. CyFIR Enterprise can concurrently search computing resources enterprise-wide for the presence of each of these indicators of compromise, and it does not need to have been installed before the attack took place in order to do so.

After installing CyFIR on Windows, Mac, and Linux computers in an organization’s environment, analysts can run searches across the entire network simultaneously, significantly reducing the time needed to sweep an extensive network for these indicators. For the published indicators, CyFIR filename searches, CyFIR full-text searches, and CyFIR’s Network Monitoring and Process Monitoring reports each provide rapid, relevant information about this attack. Lateral movement of malicious code can be identified across the organization at the same time, reducing the “Whack-a-Mole” challenge presented by entrenched attackers.

Cybersecurity company Volexity has also been tracking this actor under the name “Dark Halo.” In its post “Dark Halo Leverages SolarWinds Compromise to Breach Organizations” (https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/), Volexity identifies other methodologies and artifacts from these attacks that can also be searched for throughout an organization using CyFIR’s enterprise search functionality, such as looking for Microsoft Outlook storage files (.PST files) in unusual locations. Searches across a worldwide network for named files or file types often complete within minutes using CyFIR.
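The two sweeps described above (matching a published indicator list by filename, SHA256 hash, domain and IP address, and flagging .PST files outside their expected folders) are illustrated by the following added example. It is not CyFIR's code and not the Sophos list: every indicator in it is a constructed placeholder, and the three-column CSV layout is this example's own assumption rather than the Sophos file's schema.

```python
"""Added example: a small IOC sweep of the kind described in the post.

Matches files by name, by SHA-256, and by domain/IP strings in their
content, and flags .pst files outside expected folders. All indicators
below are constructed placeholders, not real SUNBURST IOCs, and the CSV
column layout is this example's own assumption, not the Sophos schema.
"""
import csv
import hashlib
import io
import os
import tempfile

# Constructed placeholder payload; its hash becomes the sha256 IOC below.
PLACEHOLDER_PAYLOAD = b"constructed placeholder payload, not real malware"
PLACEHOLDER_HASH = hashlib.sha256(PLACEHOLDER_PAYLOAD).hexdigest()

# Constructed IOC list (type,value,note); every value is a placeholder.
SAMPLE_IOC_CSV = f"""type,value,note
filename,example-backdoor.dll,placeholder trojanized module name
sha256,{PLACEHOLDER_HASH},placeholder hash of the module above
domain,example-c2.invalid,placeholder beacon domain (.invalid TLD)
ipv4,203.0.113.7,placeholder beacon address (RFC 5737 TEST-NET-3)
"""


def load_iocs(csv_text):
    """Group indicators by type; names, hashes and domains compare case-insensitively."""
    iocs = {"filename": set(), "sha256": set(), "domain": set(), "ipv4": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in iocs:
            iocs[kind].add(row["value"].strip().lower())
    return iocs


def sha256_of(path):
    """Stream the file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path, iocs):
    """Return a list of (ioc_type, value) hits for one file."""
    hits = []
    name = os.path.basename(path).lower()
    if name in iocs["filename"]:
        hits.append(("filename", name))
    digest = sha256_of(path)
    if digest in iocs["sha256"]:
        hits.append(("sha256", digest))
    with open(path, "rb") as f:
        data = f.read()
    lowered = data.lower()  # ASCII lowercasing is enough for domains and IPs
    for kind in ("domain", "ipv4"):
        for indicator in sorted(iocs[kind]):
            # Windows binaries often store strings as UTF-16LE, so check both encodings.
            if indicator.encode("ascii") in lowered or indicator.encode("utf-16-le") in data:
                hits.append((kind, indicator))  # substring match: analysts still triage hits
    return hits


def scan_tree(root, iocs):
    """Walk a directory tree; map each path with at least one hit to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = scan_file(path, iocs)
            if hits:
                findings[path] = hits
    return findings


def find_pst_outside(root, expected_dirs):
    """Flag .pst files whose folder is not one of the expected Outlook locations."""
    expected = {os.path.normcase(os.path.abspath(d)) for d in expected_dirs}
    stray = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.normcase(os.path.abspath(dirpath)) in expected:
            continue
        stray.extend(os.path.join(dirpath, f) for f in files if f.lower().endswith(".pst"))
    return stray


def demo():
    """Build a constructed file tree, run both sweeps, and return summarized results."""
    iocs = load_iocs(SAMPLE_IOC_CSV)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Outlook"))
        os.makedirs(os.path.join(root, "temp"))
        files = {  # constructed sample files; only the first two carry indicators
            "example-backdoor.dll": PLACEHOLDER_PAYLOAD,
            "report.txt": b"beacon host example-c2.invalid at 203.0.113.7\n",
            "clean.bin": b"nothing of interest here\n",
            os.path.join("Outlook", "mail.pst"): b"expected mailbox location\n",
            os.path.join("temp", "stray.pst"): b"mailbox copy in an unusual folder\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        findings = scan_tree(root, iocs)
        summary = {os.path.basename(p): sorted(k for k, _ in h) for p, h in findings.items()}
        stray = [os.path.basename(p) for p in find_pst_outside(root, [os.path.join(root, "Outlook")])]
    return summary, stray


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo reports the placeholder DLL matched on both filename and hash, the text file matched on the domain and the IP address, and the .pst copy in the temp folder as the only stray mailbox file. Domain and IP matches are substring matches, so a hit on a real list still needs analyst triage before it is treated as confirmed compromise.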

Given the relative success of this attack campaign with more than 18,000 potential victims including numerous Federal Government agencies and the majority of Fortune 500 companies, there is little doubt that supply chain attacks such as this one will continue into the future. Strong perimeter defenses from antivirus and other EDR companies are table stakes in today’s hostile computing environments, but adding the enterprise-wide investigative and incident response capabilities of CyFIR will give your organization the ability to respond faster, more comprehensively, and with lower costs.

To put CyFIR's capabilities immediately to work for your company, CyFIR is available via the Amazon Web Services Marketplace on an hourly basis. CyFIR Enterprise is also available to organizations both large and small as a licensed software product, a managed security service, or through professional services. For more information, please contact Mr. Ray Ibarguen at ray.ibarguen@cyfir.com or Mr. Claude Broglé at claude.brogle@cyfir.com.


[1] “Threat Research: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” December 13, 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[2] “FireEye Stories: FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community,” December 8, 2020, https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

[3] “Emergency Directive 21-01,” Department of Homeland Security, December 13, 2020, https://cyber.dhs.gov/ed/21-01/