Radioteacher
Community Champion

SolarWinds - Sunburst, Supernova, Sunspot (Not an astronomy thread)

Here are some important links for information and background on the hack of Solarwinds.

 

SunBurst: the next level of stealth
SolarWinds compromise exploited through sophistication and patience

https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth

 

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromis[…]icated-cyber...

SolarWinds releases updated advisory for new SUPERNOVA malware
https://www.bleepingcomputer.com/news/security/solarwinds-releases-updated-advisory-for-new-supernov...

 

cyber.dhs.gov - Emergency Directive 21-01
Updated guidance from CISA

https://cyber.dhs.gov/ed/21-01/#supplemental-guidance

 

SUNSPOT Malware: A Technical Analysis | CrowdStrike
This is a great analysis of how the code was injected into the Software pipeline.

https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

Hacking victim SolarWinds hires ex-Homeland Security official Krebs as consultant
Stamos helped Zoom; now, teamed up with Chris Krebs, their first client is SolarWinds.

https://www.reuters.com/article/technologyNews/idUSKBN29D0CL

 

Paul

 

5 Replies
Radioteacher
Community Champion

I have seen a lot of wild speculation and guessing about the SolarWinds supply chain compromise.  If you have any questions that I can help with, please reply here.  I am not saying SolarWinds is without blame.  Have they made mistakes? Yes, they have.  

 

Over and over I read and hear about their stupid password "Solarwinds123".  That was a dumb move.  The issue was reported to them on November 19, 2019 and was remediated on November 22, 2019.  

 

I have been working with SolarWinds products since 2005 and built up and maintained an extensive SolarWinds Orion implementation from 2011 to 2017.  I am SolarWinds Certified and an MVP on their Community Site called THWACK.

 

One of the few things not disclosed at this time is how SolarWinds was initially breached, which allowed the bad actor to place the Sunspot software on the system that compiles the Orion software.

 

They will be re-releasing the Orion software package signed with a new certificate and revoke the old certificate.  

 

SolarWinds New Digital Code-Signing Certificate
https://www.solarwinds.com/trust-center/new-digital-certificate 

 

 

EequalsMC2
Newcomer I

Does anyone believe a properly configured IDS could have caught the malicious behavior (US spelling)? With all the lateral movement in the attack, I wonder if we can effectively plug the gaps?
Radioteacher
Community Champion

@EequalsMC2 

 

Good question.  One thing I know that would have helped is if the installers would follow the data below to secure the installation.  The server does not need access to the entire Internet. 

 

This follows for every server in your network. 

 

Application servers like Orion are easier to secure than desktops.   They should have either no access or very limited access to the Internet. 

 

Below is a link to the "Secure Configuration for the Orion Platform" information.  If followed, the server would not have access to the initial C&C server and the malware would not have activated.  

 

https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configurati...

 

Paul

Stephen6321
Viewer II


@EequalsMC2 wrote:
Does anyone believe a properly configured IDS could have caught the malicious behavior (US spelling)? With all the lateral movement in the attack, I wonder if we can effectively plug the gaps?

Thanks for the information; keep sharing this type of support.

Nox
denbesten
Community Champion


@Radioteacher wrote:

Below is a link to the "Secure Configuration for the Orion Platform" information.  If followed, the server would not have access to the initial C&C server and the malware would not have activated.  


I don't quite get how it would have done that.  Missing from the list seems to be "use egress filtering to deny SolarWinds access to the Internet", which is one of the first defensive actions we took (shortly before getting approval to yank its network cables pending rebuild).

 

They do have "don't allow access to our web interface from the Internet", but that is the opposite direction.
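The control Radioteacher describes (the Orion server has no business reaching the whole Internet) and the one denbesten says is missing from the vendor guide (explicit egress filtering) can be expressed concretely. What follows is an added worked example written for this thread; it is not code from SolarWinds' documentation or from either poster. It puts the Orion server's built-in Windows Defender Firewall into default-deny outbound mode and opens only the paths a poller needs. Every address, subnet, port and the rule-group name are placeholders I am assuming for illustration; the SQL port 1433 and the SNMP/ICMP/WMI polling ports are the usual ones but must be checked against your own deployment before you run this.

```powershell
# Added example (not SolarWinds' documentation, not the thread's own code):
# host-based egress allowlist for an Orion poller using Windows Defender Firewall.
# All addresses below are ASSUMED placeholders; adjust before running as Administrator.

$ErrorActionPreference = 'Stop'

# --- Assumptions (placeholders) ------------------------------------------
$OrionDbServer     = '10.0.5.10'                     # SQL Server with the Orion DB
$DomainControllers = @('10.0.1.10', '10.0.1.11')     # AD traffic the member server needs
$InternalDns       = @('10.0.1.53', '10.0.2.53')     # internal resolvers only, never 8.8.8.8
$InternalNtp       = '10.0.1.123'
$MonitoredNets     = @('10.0.0.0/8', '172.16.0.0/12') # subnets Orion polls
$OutboundProxy     = '10.0.9.8'                      # explicit proxy for any vendor traffic
$ProxyPort         = '3128'
$RuleGroup         = 'Orion egress hardening'

# 1. Default-deny outbound on every profile and log what gets dropped.
#    The drop log is the evidence an analyst wants when something tries to beacon.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# Remove any earlier copy of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

function Allow-Out {
    # Create one outbound allow rule scoped to a protocol, destination set and ports.
    # RemotePort is omitted for ICMP, where the parameter is not valid.
    param(
        [string]   $Name,
        [string]   $Protocol,
        [string[]] $Remote,
        [string[]] $RemotePort
    )
    $p = @{
        DisplayName   = "Orion: $Name"
        Group         = $RuleGroup
        Direction     = 'Outbound'
        Action        = 'Allow'
        Profile       = 'Any'
        Protocol      = $Protocol
        RemoteAddress = $Remote
    }
    if ($RemotePort) { $p.RemotePort = $RemotePort }
    New-NetFirewallRule @p | Out-Null
}

# 2. Allow only what the poller needs, and only to where it needs it.
Allow-Out 'DNS to internal resolvers'  'UDP'    $InternalDns       '53'
Allow-Out 'DNS to internal resolvers'  'TCP'    $InternalDns       '53'
Allow-Out 'NTP'                        'UDP'    $InternalNtp       '123'
Allow-Out 'SQL to Orion database'      'TCP'    $OrionDbServer     '1433'
Allow-Out 'AD: Kerberos'               'TCP'    $DomainControllers '88'
Allow-Out 'AD: Kerberos'               'UDP'    $DomainControllers '88'
Allow-Out 'AD: LDAP/LDAPS'             'TCP'    $DomainControllers @('389', '636')
Allow-Out 'AD: SMB (GPO, SYSVOL)'      'TCP'    $DomainControllers '445'
Allow-Out 'AD: RPC'                    'TCP'    $DomainControllers @('135', '49152-65535')
Allow-Out 'SNMP polling'               'UDP'    $MonitoredNets     '161'
Allow-Out 'ICMP polling'               'ICMPv4' $MonitoredNets
Allow-Out 'WMI/RPC polling'            'TCP'    $MonitoredNets     @('135', '49152-65535')
Allow-Out 'Vendor traffic via proxy'   'TCP'    $OutboundProxy     $ProxyPort

# 3. Show the resulting rule set and prove that direct Internet egress is now dead.
Get-NetFirewallRule -Group $RuleGroup | Format-Table DisplayName, Enabled, Action -AutoSize

$probe = Test-NetConnection -ComputerName 'example.com' -Port 443 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Warning 'Direct Internet egress still works; review the allow rules above.'
} else {
    Write-Host 'Direct Internet egress from this host is blocked.'
}
```

Two caveats a practitioner should keep in mind. First, a host firewall is configured by the same privileged account that a compromised service on the box could be running as, so the identical allowlist belongs on the network-layer firewall or proxy in front of the server as well; the host rules are defence in depth, not a substitute. Second, the DNS rule deliberately points only at internal resolvers: if the server can resolve names against arbitrary external resolvers, beaconing over DNS still works even with every TCP/UDP data path blocked, and internal resolvers that log their queries are also where that beaconing becomes visible.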