Protecting against Sunburst Indicator of Compromise with the Threat Lens, Secure X and Umbrella approach. Implementing Sunburst backdoor DNS filtering.
Security researchers discovered a cyber attack on the supply chain of US-based multinational conglomerate corporation called Solarwinds.
The attack on Solarwinds, which is one of the leading providers of enterprise-level network management and security software products, illustrates how an organization can be subject to supply chain attacks. With more and more organizations relying on suppliers for their products and services, it is important to protect against these risks.
Supply chain attacks are a major concern for businesses who are in the manufacturing and distribution industries. As more companies adopt remote monitoring and IoT technologies, they have opened up their processes to increased vulnerabilities from 3rd party suppliers. The best way to protect your company from these threats is through the use of passive perimeter security monitoring and proactive counter measures. I will explore one of these options below.
What is Sunburst?
SUNBURST is a sophisticated supply-chain attack, where adversaries compromised updates to SolarWind’s Orion IT monitoring and management software, specifically a component called ‘SolarWinds.Orion.Core.BusinessLayer.dll’ in versions 2019.4 HF 5 through 2020.2.1.
The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor has been named SUNBURST, and it can communicate to third party servers using HTTP. Find out more here.
What did we do to protect ourselves?
Integrating Umbrella into our defence perimeter, we are able to continuously scan our network for evolving compromise and detect any node attempting to communicate with adversarial systems.
Business’s supply chain is a major concern for us because at this level these products tends to resides outside or make up part of the security perimeter. Businesses need to increase security around these systems and infrastructure, and be more cautious when it comes to 3rd party vendors. Adopting a zero trust methodology even for your security measures. Supply chain attacks is believed to be where new threats are most likely to grow in the future. It is at these points where they have the least control and visibility on what is happening with their data. It’s not just the threat of a cyber-attack that needs to be considered – physical attacks also have potential to cause significant damage and loss for businesses.
For SUNBURST, our Threat Lens has been updated to display DNS resolution of domains in the SUNBURST Indicator of Compromise (IOC) list, even before the domains were discovered as part of the SUNBURST backdoor. We are then able to review our logs for previous signatures and block new domains going forward. We can view DNS resolution to these domains over any period in the last 12 months.
SUNBURST In depths
SUNBURST compromised updates to SolarWind’s management software, specifically a component called “SolarWinds.Orion.Core.BusinessLayer.dll” in versions 2019.4 HF 5 through 2020.2.1. This backdoor, named SUNBURST, communicates with third party servers using HTTP. The backdoor is loaded by the actual SolarWinds executable before the legitimate code, so as not to alert the victim that anything is amiss. After a period of dormancy, the backdoor is able to execute commands to transfer and execute files, profile the system, reboot the machine, and disable system services. SUNBURST samples have been observed deploying varying payloads, including the Cobalt Strike beacons.
The concern with these attacks centres around customer privacy. Software used to manage these systems are also be used to record system usage for compliance and risk assessments. They can also be used to lock, encrypt or wipe computers and hide potential misuse. Hackers targeting these companies, who hold valuable customer databases that can be sold on the dark web, can use these attacks to cover up installing more persistent malware. Doubling down on the advantage of companies who don’t have robust internal security measures.
Want more information?
For more information on SUNBURST and Sunburst backdoor DNS filtering please review the Talos Blog here: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
For more information from the SolarWinds Security Advisory, see here –
Fireeye Threat Research Blog summary from December 2020, see here –