In addition to the originally discovered SUNBURST backdoor, four other distinct pieces of malware have been discovered as part of the attack. An initial implant, SUNSPOT, is assessed to be responsible for delivering the SUNBURST backdoor into SolarWinds Orion products. TEARDROP is a post-exploitation, memory-resident dropper that, in the observed cases so far, has only dropped BEACON, a payload included with Cobalt Strike, a red team emulation tool used by both security professionals and malicious actors. BEACON supports lateral movement across a variety of protocols and a number of command and control (C2) functions. Separately, yet similar to TEARDROP, a loader dubbed RAINDROP was recently discovered and appears to be used to move laterally across networks compromised via SUNBURST. All publicly available indicators that CIS is tracking related to these pieces of malware are linked in the Available IOCs section below.
Who: Organizations in private industry and U.S. SLTTs with SolarWinds Orion Platform versions 2019.4 HF5, 2020.2 with no hotfix installed, and 2020.2 HF 1 within their environment. Note: there is evidence of organizations being compromised by this same cyber threat actor without SolarWinds products present in the network. Recent evidence shows that not all organizations with the malicious SolarWinds software were compromised by the threat actor, and that there were different stages of the attack.

Affected SolarWinds Orion Platform versions:

- SolarWinds Orion Platform Version 2019.4 HF 5
- SolarWinds Orion Platform Version 2020.2
- SolarWinds Orion Platform Version 2020.2 HF 1

The guidance below is split into two tiers: Recommendations For Organizations with Limited or No Cybersecurity Expertise, and Recommendations For Organizations with Monitoring Tools and Some Cybersecurity Expertise.

CVE-2020-10148: SolarWinds Orion is prone to one vulnerability that could allow for authentication bypass. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.adx, ScriptResource.adx, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication, potentially resulting in a compromise of the SolarWinds instance. For CVE-2020-10148, SolarWinds Orion Platform versions 2019.2 HF 3, 2018.4 HF 3, and 2018.2 HF 6 are also affected. Security patches have been released for each of these versions specifically to address this new vulnerability.
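As an added example (not part of this advisory and not SolarWinds code), the following Python helpers show how a defender could triage the two checks the CVE-2020-10148 passage implies: comparing an installed Orion Platform version string against the versions listed above, and scanning web server logs for requests whose path carries one of the four PathInfo segment names. The W3C-style log field order, the request paths and the IP addresses in the sample lines are constructed for this example; the path matching is a coarse string heuristic that should be tuned against a site's own traffic baseline.

```python
"""Added example: triage helpers for CVE-2020-10148 exposure.

1. classify_version(): place an Orion Platform version string in the
   advisory's affected lists (trojanized builds / CVE-2020-10148 builds).
2. find_skip_auth_requests(): scan IIS/W3C-style log lines for requests whose
   path contains one of the PathInfo segments the advisory names.

Log layout and sample data are assumptions of this example, not the advisory's.
"""
import re
from typing import Dict, Iterable, List, Optional

# PathInfo segments named in the advisory; compared case-insensitively.
SKIP_AUTH_SEGMENTS = {
    s.lower() for s in ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")
}

# Orion Platform builds the advisory lists, in the canonical form "<base> HF<n>".
TROJANIZED_VERSIONS = {"2019.4 HF5", "2020.2", "2020.2 HF1"}
CVE_2020_10148_VERSIONS = TROJANIZED_VERSIONS | {"2019.2 HF3", "2018.4 HF3", "2018.2 HF6"}

# Accepts "2020.2", "2020.2 HF 1", "2020.2HF1", "2020.2.1" (three-part builds too).
_VERSION_RE = re.compile(r"^\s*(\d{4}\.\d+(?:\.\d+)?)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def normalize_version(version: str) -> str:
    """Canonicalise hotfix spacing/case so '2020.2 hf 1' and '2020.2HF1' compare equal."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {version!r}")
    base, hotfix = m.groups()
    return f"{base} HF{int(hotfix)}" if hotfix else base


def classify_version(version: str) -> Dict[str, bool]:
    """Report which of the advisory's affected lists the version falls into."""
    v = normalize_version(version)
    return {
        "sunburst_trojanized": v in TROJANIZED_VERSIONS,
        "cve_2020_10148": v in CVE_2020_10148_VERSIONS,
    }


# Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_FIELDS = ("date", "time", "client_ip", "method", "uri_stem", "uri_query", "status")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one space-separated log record; skip '#' directive lines and malformed rows."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def skip_auth_segment(uri_stem: str) -> Optional[str]:
    """Return the first path segment that matches an advisory-named PathInfo value, else None."""
    for seg in uri_stem.split("/"):
        if seg and seg.lower() in SKIP_AUTH_SEGMENTS:
            return seg
    return None


def find_skip_auth_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records whose request path carries one of the suspicious segments."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        seg = skip_auth_segment(rec["uri_stem"])
        if seg is not None:
            hits.append({**rec, "matched_segment": seg})
    return hits


# Constructed sample log; handler paths and addresses are placeholders, not real Orion endpoints.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-12-14 10:01:02 203.0.113.5 GET /Orion/Login.aspx - 200
2020-12-14 10:01:09 203.0.113.5 POST /Orion/ExampleApiHandler/WebResource.adx - 200
2020-12-14 10:02:30 198.51.100.7 GET /Orion/Images/logo.png - 200
2020-12-14 10:03:11 203.0.113.5 GET /Orion/ExampleApiHandler/skipi18n - 200
2020-12-14 10:04:00 198.51.100.7 GET /Orion/Summary.aspx - 200
""".splitlines()


if __name__ == "__main__":
    for ver in ("2020.2 HF 1", "2018.2 hf6", "2020.2.1"):
        print(ver, "->", classify_version(ver))
    for hit in find_skip_auth_requests(SAMPLE_LOG):
        print(hit["time"], hit["client_ip"], hit["uri_stem"], "matched", hit["matched_segment"])
```

Version strings are normalised before lookup because hotfix spelling varies between inventory sources ("HF 1", "HF1", "hf1"); a three-part build string that is not on the advisory's lists classifies as neither trojanized nor CVE-affected, which the `2020.2.1` sample demonstrates. The log scan reports the matched segment and client address so hits can be pivoted on quickly.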
There is also a dedicated section with specific actions and support for MS-ISAC members and SLTT governments.
We have provided the available IOCs and detailed a tiered set of guidance that organizations can follow based on their specific capabilities and cybersecurity maturity.
On December 13, 2020, FireEye announced the discovery of a highly sophisticated cyber intrusion that leveraged a commercial software application made by SolarWinds. It was determined that the advanced persistent threat (APT) actors infiltrated the supply chain of SolarWinds, inserting a backdoor into the product. As customers downloaded the Trojan Horse installation packages from SolarWinds, attackers were able to access the systems running the SolarWinds product(s). This cyber-attack is exceptionally complex and continues to evolve. The attackers randomized parts of their actions, making traditional identification steps such as scanning for known indicators of compromise (IOC) of limited value. Affected organizations should prepare for a complex and difficult remediation from this attack.