win.sunburst

SUNBURST

aka: Solorigate

Actor(s): UNC2452


FireEye describes SUNBURST as a trojanized, digitally-signed SolarWinds component of the Orion software framework that contains a backdoor communicating via HTTP with third-party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a fixed C&C domain. The backdoor retrieves and executes commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications, namely the Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanized updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website.

References
2021-09-02Bleeping ComputerSergiu Gatlan
@online{gatlan:20210902:autodesk:a947f3f, author = {Sergiu Gatlan}, title = {{Autodesk reveals it was targeted by Russian SolarWinds hackers}}, date = {2021-09-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/}, language = {English}, urldate = {2021-09-06} } Autodesk reveals it was targeted by Russian SolarWinds hackers
SUNBURST
2021-07-27GigamonJoe Slowik
@online{slowik:20210727:ghosts:af3dc18, author = {Joe Slowik}, title = {{Ghosts on the Wire: Expanding Conceptions of Network Anomalies}}, date = {2021-07-27}, organization = {Gigamon}, url = {https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/}, language = {English}, urldate = {2021-08-02} } Ghosts on the Wire: Expanding Conceptions of Network Anomalies
SUNBURST
2021-07-13YouTube ( Matt Soseman)Matt Soseman
@online{soseman:20210713:solarwinds:cb7df1d, author = {Matt Soseman}, title = {{Solarwinds and SUNBURST attacks compromised my lab!}}, date = {2021-07-13}, organization = {YouTube ( Matt Soseman)}, url = {https://www.youtube.com/watch?v=GfbxHy6xnbA}, language = {English}, urldate = {2021-07-21} } Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-06-12YouTube (BSidesBoulder)Kurt Baumgartner, Kaspersky
@online{baumgartner:20210612:same:49bc254, author = {Kurt Baumgartner and Kaspersky}, title = {{Same and Different - sesame street level attribution}}, date = {2021-06-12}, organization = {YouTube (BSidesBoulder)}, url = {https://youtu.be/SW8kVkwDOrc?t=24706}, language = {English}, urldate = {2021-06-21} } Same and Different - sesame street level attribution
Kazuar SUNBURST
2021-06-01SANSKevin Haley, Jake Williams
@online{haley:20210601:contrarian:6aff18c, author = {Kevin Haley and Jake Williams}, title = {{A Contrarian View on SolarWinds}}, date = {2021-06-01}, organization = {SANS}, url = {https://www.sans.org/webcasts/contrarian-view-solarwinds-119515}, language = {English}, urldate = {2021-06-21} } A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-05-14CISAUS-CERT
@online{uscert:20210514:analysis:f0b767a, author = {US-CERT}, title = {{Analysis Report (AR21-134A): Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise}}, date = {2021-05-14}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a}, language = {English}, urldate = {2021-07-19} } Analysis Report (AR21-134A): Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise
SUNBURST
2021-05-08The RecordCatalin Cimpanu
@online{cimpanu:20210508:solarwinds:501c002, author = {Catalin Cimpanu}, title = {{SolarWinds says fewer than 100 customers were impacted by supply chain attack}}, date = {2021-05-08}, organization = {The Record}, url = {https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack}, language = {English}, urldate = {2021-05-11} } SolarWinds says fewer than 100 customers were impacted by supply chain attack
SUNBURST
2021-05-07SolarWindsSolarwind
@online{solarwind:20210507:investigative:54c699d, author = {Solarwind}, title = {{An Investigative Update of the Cyberattack}}, date = {2021-05-07}, organization = {SolarWinds}, url = {https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm}, language = {English}, urldate = {2021-05-11} } An Investigative Update of the Cyberattack
SUNBURST
2021-04-22RiskIQRiskIQ
@online{riskiq:20210422:solarwinds:83581ea, author = {RiskIQ}, title = {{SolarWinds: Advancing the Story}}, date = {2021-04-22}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/9a515637}, language = {English}, urldate = {2021-04-28} } SolarWinds: Advancing the Story
SUNBURST
2021-04-15North Atlantic Treaty OrganizationNATO
@online{nato:20210415:north:823013b, author = {NATO}, title = {{North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia}}, date = {2021-04-15}, organization = {North Atlantic Treaty Organization}, url = {https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en}, language = {English}, urldate = {2021-04-16} } North Atlantic Council Statement following the announcement by the United States of actions with regard to Russia
SUNBURST
2021-04-15Ministry of foreign affairs of the Republic of LatviaMinistry of foreign affairs of the Republic of Latvia
@online{latvia:20210415:latvias:9f5fa8a, author = {Ministry of foreign affairs of the Republic of Latvia}, title = {{Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities (Deadlink)}}, date = {2021-04-15}, organization = {Ministry of foreign affairs of the Republic of Latvia}, url = {https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities}, language = {English}, urldate = {2021-08-02} } Latvia’s statement following the announcement by the United States of actions to respond to the Russian Federation’s destabilizing activities (Deadlink)
SUNBURST
2021-04-15European CouncilCouncil of the European Union
@online{union:20210415:declaration:f535296, author = {Council of the European Union}, title = {{Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation}}, date = {2021-04-15}, organization = {European Council}, url = {https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation}, language = {English}, urldate = {2021-04-16} } Declaration by the High Representative on behalf of the European Union expressing solidarity with the United States on the impact of the SolarWinds cyber operation
SUNBURST
2021-04-15Ministry of Foreign Affairs Republic of PolandMinistry of Foreign Affairs Republic of Poland
@online{poland:20210415:statement:3a57d39, author = {Ministry of Foreign Affairs Republic of Poland}, title = {{Statement on Solar Winds Orion cyberattacks}}, date = {2021-04-15}, organization = {Ministry of Foreign Affairs Republic of Poland}, url = {https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks}, language = {English}, urldate = {2021-04-16} } Statement on Solar Winds Orion cyberattacks
SUNBURST
2021-03-18Github (cisagov)CISA
@online{cisa:20210318:cisa:49f510f, author = {CISA}, title = {{CISA Hunt and Incident Response Program (CHIRP)}}, date = {2021-03-18}, organization = {Github (cisagov)}, url = {https://github.com/cisagov/CHIRP}, language = {English}, urldate = {2021-03-19} } CISA Hunt and Incident Response Program (CHIRP)
SUNBURST
2021-03-18CISAUS-CERT
@online{uscert:20210318:alert:bff148c, author = {US-CERT}, title = {{Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool}}, date = {2021-03-18}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-077a}, language = {English}, urldate = {2021-03-19} } Alert (AA21-077A): Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
SUNBURST
2021-03-17CISAUS-CERT
@techreport{uscert:20210317:solarwinds:3d7860a, author = {US-CERT}, title = {{SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures (Dead Link)}}, date = {2021-03-17}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf}, language = {English}, urldate = {2021-08-02} } SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures (Dead Link)
SUNBURST
2021-03-16MimecastMimecast
@online{mimecast:20210316:incident:2c3e79a, author = {Mimecast}, title = {{Incident Report}}, date = {2021-03-16}, organization = {Mimecast}, url = {https://www.mimecast.com/incident-report/}, language = {English}, urldate = {2021-03-22} } Incident Report
SUNBURST
2021-03-10US-CERTCISA
@online{cisa:20210310:remediating:23bf74d, author = {CISA}, title = {{Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise}}, date = {2021-03-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/remediating-apt-compromised-networks}, language = {English}, urldate = {2021-03-12} } Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
SUNBURST
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Katie Nickels, Adam Pennington, Jen Burns
@online{nickels:20210308:star:083eb29, author = {Katie Nickels and Adam Pennington and Jen Burns}, title = {{STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)}}, date = {2021-03-08}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=LA-XE5Jy2kU}, language = {English}, urldate = {2021-03-11} } STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-04MicrosoftRamin Nafisi, Andrea Lelli, Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team
@online{nafisi:20210304:goldmax:3fa3f68, author = {Ramin Nafisi and Andrea Lelli and Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team}, title = {{GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence}}, date = {2021-03-04}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware}, language = {English}, urldate = {2021-03-06} } GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
SUNBURST TEARDROP UNC2452
2021-03-01MicrosoftMicrosoft
@online{microsoft:20210301:detect:330c71c, author = {Microsoft}, title = {{Detect and defend against the recent nation-state cyber attack}}, date = {2021-03-01}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance}, language = {English}, urldate = {2021-03-04} } Detect and defend against the recent nation-state cyber attack
SUNBURST
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-26YouTube (Oversight Committee)Oversight Committee
@online{committee:20210226:weathering:6dfb09f, author = {Oversight Committee}, title = {{Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign}}, date = {2021-02-26}, organization = {YouTube (Oversight Committee)}, url = {https://www.youtube.com/watch?v=dV2QTLSecpc}, language = {English}, urldate = {2021-03-25} } Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign
SUNBURST
2021-02-25MicrosoftMicrosoft
@online{microsoft:20210225:codeql:a43a525, author = {Microsoft}, title = {{CodeQL queries to hunt for Solorigate activity}}, date = {2021-02-25}, organization = {Microsoft}, url = {https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign}, language = {English}, urldate = {2021-02-25} } CodeQL queries to hunt for Solorigate activity
SUNBURST
2021-02-25BrightTALK (FireEye)Andrew Rector, Matt Bromiley, Mandiant
@online{rector:20210225:light:005aa58, author = {Andrew Rector and Matt Bromiley and Mandiant}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-25}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/469525}, language = {English}, urldate = {2021-02-20} } Light in the Dark: Hunting for SUNBURST
SUNBURST
2021-02-25MicrosoftMicrosoft Identity Security Team
@online{team:20210225:microsoft:bd11fce, author = {Microsoft Identity Security Team}, title = {{Microsoft open sources CodeQL queries used to hunt for Solorigate activity}}, date = {2021-02-25}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/}, language = {English}, urldate = {2021-02-25} } Microsoft open sources CodeQL queries used to hunt for Solorigate activity
SUNBURST
2021-02-24Bleeping ComputerSergiu Gatlan
@online{gatlan:20210224:nasa:646b084, author = {Sergiu Gatlan}, title = {{NASA and the FAA were also breached by the SolarWinds hackers}}, date = {2021-02-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/}, language = {English}, urldate = {2021-02-25} } NASA and the FAA were also breached by the SolarWinds hackers
SUNBURST
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-19THE NEW STACKLior Sonntag, Dror Alon
@online{sonntag:20210219:behind:a40f5e6, author = {Lior Sonntag and Dror Alon}, title = {{Behind the Scenes of the SunBurst Attack}}, date = {2021-02-19}, organization = {THE NEW STACK}, url = {https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/}, language = {English}, urldate = {2021-02-20} } Behind the Scenes of the SunBurst Attack
SUNBURST
2021-02-17apirroAriel Levy
@online{levy:20210217:detect:e5bdc1b, author = {Ariel Levy}, title = {{Detect and prevent the SolarWinds build-time code injection attack}}, date = {2021-02-17}, organization = {apirro}, url = {https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack}, language = {English}, urldate = {2021-02-20} } Detect and prevent the SolarWinds build-time code injection attack
SUNBURST
2021-02-17YouTube (The White House)Anne Neuberger
@online{neuberger:20210217:update:f24ad1e, author = {Anne Neuberger}, title = {{Update on Investigaton on Solarwinds supply chain attack from the Deputy National Security Advisor}}, date = {2021-02-17}, organization = {YouTube (The White House)}, url = {https://youtu.be/Ta_vatZ24Cs?t=59}, language = {English}, urldate = {2021-02-18} } Update on Investigaton on Solarwinds supply chain attack from the Deputy National Security Advisor
SUNBURST
2021-02-17NetresecErik Hjelmvik
@online{hjelmvik:20210217:targeting:6deceed, author = {Erik Hjelmvik}, title = {{Targeting Process for the SolarWinds Backdoor}}, date = {2021-02-17}, organization = {Netresec}, url = {https://netresec.com/?b=212a6ad}, language = {English}, urldate = {2021-02-18} } Targeting Process for the SolarWinds Backdoor
SUNBURST
2021-02-16AccentureAlexandrea Berninger
@online{berninger:20210216:hard:55e809e, author = {Alexandrea Berninger}, title = {{Hard lessons learned: Threat intel takeaways from the community response to Solarigate}}, date = {2021-02-16}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate}, language = {English}, urldate = {2021-02-20} } Hard lessons learned: Threat intel takeaways from the community response to Solarigate
SUNBURST TEARDROP
2021-02-16FireEyeMatt Bromiley, Andrew Rector, Robert Wallace
@online{bromiley:20210216:light:5541ad4, author = {Matt Bromiley and Andrew Rector and Robert Wallace}, title = {{Light in the Dark: Hunting for SUNBURST}}, date = {2021-02-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html}, language = {English}, urldate = {2021-02-20} } Light in the Dark: Hunting for SUNBURST
SUNBURST
2021-02-08US-CERTUS-CERT
@online{uscert:20210208:malware:3a963a6, author = {US-CERT}, title = {{Malware Analysis Report (AR21-039A): SUNBURST}}, date = {2021-02-08}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a}, language = {English}, urldate = {2021-02-09} } Malware Analysis Report (AR21-039A): SUNBURST
SUNBURST
2021-01-29AonPartha Alwar, Carly Battaile, Alex Parsons
@online{alwar:20210129:cloudy:e701758, author = {Partha Alwar and Carly Battaile and Alex Parsons}, title = {{Cloudy with a Chance of Persistent Email Access}}, date = {2021-01-29}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/}, language = {English}, urldate = {2021-02-09} } Cloudy with a Chance of Persistent Email Access
SUNBURST
2021-01-28Check PointLior Sonntag
@online{sonntag:20210128:deep:99eb275, author = {Lior Sonntag}, title = {{Deep into the SunBurst Attack}}, date = {2021-01-28}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/}, language = {English}, urldate = {2021-02-02} } Deep into the SunBurst Attack
SUNBURST
2021-01-28YouTube (Microsoft Security Community)Microsoft
@online{microsoft:20210128:microsoft:9c8f303, author = {Microsoft}, title = {{Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender}}, date = {2021-01-28}, organization = {YouTube (Microsoft Security Community)}, url = {https://www.youtube.com/watch?v=-Vsgmw2G4Wo}, language = {English}, urldate = {2021-03-19} } Microsoft 365 Defender webinar: Protect, Detect, and Respond to Solorigate using M365 Defender
SUNBURST
2021-01-26Bleeping ComputerSergiu Gatlan
@online{gatlan:20210126:mimecast:ef80465, author = {Sergiu Gatlan}, title = {{Mimecast links security breach to SolarWinds hackers}}, date = {2021-01-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/}, language = {English}, urldate = {2021-01-27} } Mimecast links security breach to SolarWinds hackers
SUNBURST
2021-01-26Kaspersky LabsKaspersky Lab ICS CERT
@online{cert:20210126:sunburst:0170800, author = {Kaspersky Lab ICS CERT}, title = {{SunBurst industrial victims}}, date = {2021-01-26}, organization = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/}, language = {English}, urldate = {2021-01-27} } SunBurst industrial victims
SUNBURST
2021-01-26FidelisChris Kubic
@online{kubic:20210126:ongoing:c57f443, author = {Chris Kubic}, title = {{Ongoing Analysis of SolarWinds Impacts}}, date = {2021-01-26}, organization = {Fidelis}, url = {https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/}, language = {English}, urldate = {2021-01-27} } Ongoing Analysis of SolarWinds Impacts
SUNBURST
2021-01-26MimecastMimecast Contributing Writer
@online{writer:20210126:important:b395e4f, author = {Mimecast Contributing Writer}, title = {{Important Security Update}}, date = {2021-01-26}, organization = {Mimecast}, url = {https://www.mimecast.com/blog/important-security-update/}, language = {English}, urldate = {2021-01-27} } Important Security Update
SUNBURST
2021-01-25NetresecErik Hjelmvik
@online{hjelmvik:20210125:twentythree:d3fad49, author = {Erik Hjelmvik}, title = {{Twenty-three SUNBURST Targets Identified}}, date = {2021-01-25}, organization = {Netresec}, url = {https://netresec.com/?b=211cd21}, language = {English}, urldate = {2021-01-25} } Twenty-three SUNBURST Targets Identified
SUNBURST
2021-01-25ZenGoTal Be'ery
@online{beery:20210125:ungilded:97355a8, author = {Tal Be'ery}, title = {{Ungilded Secrets: A New Paradigm for Key Security}}, date = {2021-01-25}, organization = {ZenGo}, url = {https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/}, language = {English}, urldate = {2021-01-26} } Ungilded Secrets: A New Paradigm for Key Security
SUNBURST
2021-01-24Medium vrieshdVriesHD
@online{vrieshd:20210124:finding:ef9bdc1, author = {VriesHD}, title = {{Finding SUNBURST victims and targets by using passive DNS, OSINT}}, date = {2021-01-24}, organization = {Medium vrieshd}, url = {https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc}, language = {English}, urldate = {2021-01-25} } Finding SUNBURST victims and targets by using passive DNS, OSINT
SUNBURST
2021-01-22SymantecThreat Hunter Team
@online{team:20210122:solarwinds:b82c2df, author = {Threat Hunter Team}, title = {{SolarWinds: How Sunburst Sends Data Back to the Attackers}}, date = {2021-01-22}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data}, language = {English}, urldate = {2021-01-25} } SolarWinds: How Sunburst Sends Data Back to the Attackers
SUNBURST
2021-01-22DomainToolsJoe Slowik
@online{slowik:20210122:change:ed52aef, author = {Joe Slowik}, title = {{Change in Perspective on the Utility of SUNBURST-related Network Indicators}}, date = {2021-01-22}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#}, language = {English}, urldate = {2021-01-25} } Change in Perspective on the Utility of SUNBURST-related Network Indicators
SUNBURST
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC), Microsoft Cyber Defense Operations Center (CDOC)
@online{team:20210120:deep:1cc0551, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC)}, title = {{Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop}}, date = {2021-01-20}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/}, language = {English}, urldate = {2021-01-21} } Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-19Github (fireeye)FireEye
@online{fireeye:20210119:mandiant:26223c8, author = {FireEye}, title = {{Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs}}, date = {2021-01-19}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/Mandiant-Azure-AD-Investigator}, language = {English}, urldate = {2021-01-21} } Mandiant Azure AD Investigator: Focusing on UNC2452 TTPs
SUNBURST
2021-01-18SymantecThreat Hunter Team
@online{team:20210118:raindrop:9ab1262, author = {Threat Hunter Team}, title = {{Raindrop: New Malware Discovered in SolarWinds Investigation}}, date = {2021-01-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware}, language = {English}, urldate = {2021-01-21} } Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-17a12d404Markus Piéton
@online{piton:20210117:backdooring:fa3eabe, author = {Markus Piéton}, title = {{Backdooring MSBuild}}, date = {2021-01-17}, organization = {a12d404}, url = {https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html}, language = {English}, urldate = {2021-01-21} } Backdooring MSBuild
SUNBURST
2021-01-15SymantecThreat Hunter Team
@online{team:20210115:solarwinds:46d0db6, author = {Threat Hunter Team}, title = {{SolarWinds: Insights into Attacker Command and Control Process}}, date = {2021-01-15}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control}, language = {English}, urldate = {2021-01-21} } SolarWinds: Insights into Attacker Command and Control Process
SUNBURST
2021-01-14MicrosoftMicrosoft 365 Defender Team
@online{team:20210114:increasing:dc031fe, author = {Microsoft 365 Defender Team}, title = {{Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender}}, date = {2021-01-14}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/}, language = {English}, urldate = {2021-01-18} } Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender
SUNBURST
2021-01-14DomainToolsJoe Slowik
@online{slowik:20210114:devils:ce9d4c8, author = {Joe Slowik}, title = {{The Devil’s in the Details: SUNBURST Attribution}}, date = {2021-01-14}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution}, language = {English}, urldate = {2021-01-18} } The Devil’s in the Details: SUNBURST Attribution
SUNBURST
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
@online{read:20210112:unc2452:6e54c6c, author = {Ben Read and John Hultquist}, title = {{UNC2452: What We Know So Far}}, date = {2021-01-12}, organization = {BrightTALK (FireEye)}, url = {https://www.brighttalk.com/webcast/7451/462719}, language = {English}, urldate = {2021-01-18} } UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-11Kaspersky LabsGeorgy Kucherin, Igor Kuznetsov, Costin Raiu
@online{kucherin:20210111:sunburst:a4ecf12, author = {Georgy Kucherin and Igor Kuznetsov and Costin Raiu}, title = {{Sunburst backdoor – code overlaps with Kazuar}}, date = {2021-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-backdoor-kazuar/99981/}, language = {English}, urldate = {2021-01-11} } Sunburst backdoor – code overlaps with Kazuar
Kazuar SUNBURST
2021-01-11NetresecErik Hjelmvik
@online{hjelmvik:20210111:robust:5683220, author = {Erik Hjelmvik}, title = {{Robust Indicators of Compromise for SUNBURST}}, date = {2021-01-11}, organization = {Netresec}, url = {https://netresec.com/?b=211f30f}, language = {English}, urldate = {2021-01-21} } Robust Indicators of Compromise for SUNBURST
SUNBURST
2021-01-11SolarWindsSudhakar Ramakrishna
@online{ramakrishna:20210111:new:296b621, author = {Sudhakar Ramakrishna}, title = {{New Findings From Our Investigation of SUNBURST}}, date = {2021-01-11}, organization = {SolarWinds}, url = {https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/}, language = {English}, urldate = {2021-01-18} } New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-11CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210111:sunspot:70e8a4c, author = {CrowdStrike Intelligence Team}, title = {{SUNSPOT: An Implant in the Build Process}}, date = {2021-01-11}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/}, language = {English}, urldate = {2021-01-21} } SUNSPOT: An Implant in the Build Process
SUNBURST
2021-01-08US-CERTUS-CERT
@online{uscert:20210108:alert:874cda9, author = {US-CERT}, title = {{Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments}}, date = {2021-01-08}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-008a}, language = {English}, urldate = {2021-01-11} } Alert (AA21-008A): Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
SUNBURST SUPERNOVA
2021-01-08splunkMarcus LaFerrera, John Stoner, Lily Lee, James Brodsky, Ryan Kovar
@online{laferrera:20210108:golden:d31442a, author = {Marcus LaFerrera and John Stoner and Lily Lee and James Brodsky and Ryan Kovar}, title = {{A Golden SAML Journey: SolarWinds Continued}}, date = {2021-01-08}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html}, language = {English}, urldate = {2021-01-11} } A Golden SAML Journey: SolarWinds Continued
SUNBURST
2021-01-07SymantecThreat Hunter Team
@online{team:20210107:solarwinds:29f7094, author = {Threat Hunter Team}, title = {{SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar}}, date = {2021-01-07}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga}, language = {English}, urldate = {2021-01-11} } SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar
SUNBURST
2021-01-07TRUESECSebastian Olsson
@online{olsson:20210107:avoiding:e492089, author = {Sebastian Olsson}, title = {{Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)}}, date = {2021-01-07}, organization = {TRUESEC}, url = {https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst}, language = {English}, urldate = {2021-01-11} } Avoiding supply-chain attacks similar to SolarWinds Orion’s (SUNBURST)
SUNBURST
2021-01-06Department of JusticeDepartment of Justice
@online{justice:20210106:department:b7e85eb, author = {Department of Justice}, title = {{Department of Justice Statement on Solarwinds Update}}, date = {2021-01-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update}, language = {English}, urldate = {2021-01-11} } Department of Justice Statement on Solarwinds Update
SUNBURST
2021-01-06CISAUS-CERT
@online{uscert:20210106:supply:e8f4577, author = {US-CERT}, title = {{Supply Chain Compromise}}, date = {2021-01-06}, organization = {CISA}, url = {https://www.cisa.gov/supply-chain-compromise}, language = {English}, urldate = {2021-03-19} } Supply Chain Compromise
SUNBURST
2021-01-06MITREMITRE ATT&CK
@online{attck:20210106:attck:841bad7, author = {MITRE ATT&CK}, title = {{ATT&CK Navigator layer for UNC2452}}, date = {2021-01-06}, organization = {MITRE}, url = {https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json}, language = {English}, urldate = {2021-01-11} } ATT&CK Navigator layer for UNC2452
SUNBURST
2021-01-06Github (SentinelLabs)SentinelLabs
@online{sentinellabs:20210106:solarwindscountermeasures:c2aa91e, author = {SentinelLabs}, title = {{SolarWinds_Countermeasures}}, date = {2021-01-06}, organization = {Github (SentinelLabs)}, url = {https://github.com/SentineLabs/SolarWinds_Countermeasures}, language = {English}, urldate = {2021-01-11} } SolarWinds_Countermeasures
SUNBURST
2021-01-05SangforClairvoyance Safety Laboratory
@online{laboratory:20210105:red:9ddfb7a, author = {Clairvoyance Safety Laboratory}, title = {{Red team's perspective on the TTPs in Sunburst's backdoor}}, date = {2021-01-05}, organization = {Sangfor}, url = {https://www.4hou.com/posts/KzZR}, language = {Chinese}, urldate = {2021-01-11} } Red team's perspective on the TTPs in Sunburst's backdoor
SUNBURST
2021-01-04NetresecErik Hjelmvik
@online{hjelmvik:20210104:finding:d869bd9, author = {Erik Hjelmvik}, title = {{Finding Targeted SUNBURST Victims with pDNS}}, date = {2021-01-04}, organization = {Netresec}, url = {https://netresec.com/?b=2113a6a}, language = {English}, urldate = {2021-01-05} } Finding Targeted SUNBURST Victims with pDNS
SUNBURST
2020-12-31IronNetIronNet
@online{ironnet:20201231:solarwindssunburst:1422ef4, author = {IronNet}, title = {{SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action}}, date = {2020-12-31}, organization = {IronNet}, url = {https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action}, language = {English}, urldate = {2021-01-05} } SolarWinds/SUNBURST: Behavioral analytics and Collective Defense in action
SUNBURST
2020-12-31MicrosoftMSRC Team
@online{team:20201231:microsoft:c94b7aa, author = {MSRC Team}, title = {{Microsoft Internal Solorigate Investigation Update}}, date = {2020-12-31}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/}, language = {English}, urldate = {2021-01-04} } Microsoft Internal Solorigate Investigation Update
SUNBURST
2020-12-30Recorded FutureJohn Wetzel
@techreport{wetzel:20201230:solarwinds:59c847b, author = {John Wetzel}, title = {{SOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution}}, date = {2020-12-30}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf}, language = {English}, urldate = {2021-01-05} } SOLARWINDS ATTRIBUTION: Are We Getting Ahead of Ourselves? An Analysis of UNC2452 Attribution
SUNBURST
2020-12-29CyberArkShaked Reiner
@online{reiner:20201229:golden:8601f2d, author = {Shaked Reiner}, title = {{Golden SAML Revisited: The Solorigate Connection}}, date = {2020-12-29}, organization = {CyberArk}, url = {https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection}, language = {English}, urldate = {2021-01-05} } Golden SAML Revisited: The Solorigate Connection
SUNBURST
2020-12-29NetresecErik Hjelmvik
@online{hjelmvik:20201229:extracting:1640842, author = {Erik Hjelmvik}, title = {{Extracting Security Products from SUNBURST DNS Beacons}}, date = {2020-12-29}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons}, language = {English}, urldate = {2021-01-04} } Extracting Security Products from SUNBURST DNS Beacons
SUNBURST
2020-12-28MicrosoftMicrosoft 365 Defender Team
@online{team:20201228:using:f8e8574, author = {Microsoft 365 Defender Team}, title = {{Using Microsoft 365 Defender to protect against Solorigate}}, date = {2020-12-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/}, language = {English}, urldate = {2021-01-01} } Using Microsoft 365 Defender to protect against Solorigate
SUNBURST TEARDROP
2020-12-25ComaeMatt Suiche
@online{suiche:20201225:sunburst:4169084, author = {Matt Suiche}, title = {{SUNBURST & Memory Analysis}}, date = {2020-12-25}, organization = {Comae}, url = {https://www.comae.com/posts/sunburst-memory-analysis/}, language = {English}, urldate = {2020-12-26} } SUNBURST & Memory Analysis
SUNBURST
2020-12-24FireEyeStephen Eckels, Jay Smith, William Ballenthin
@online{eckels:20201224:sunburst:3fcb239, author = {Stephen Eckels and Jay Smith and William Ballenthin}, title = {{SUNBURST Additional Technical Details}}, date = {2020-12-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html}, language = {English}, urldate = {2020-12-26} } SUNBURST Additional Technical Details
SUNBURST
2020-12-23PrevasioSergei Shevchenko
@techreport{shevchenko:20201223:dns:0f3f013, author = {Sergei Shevchenko}, title = {{DNS Tunneling In The SolarWinds Supply Chain Attack}}, date = {2020-12-23}, institution = {Prevasio}, url = {https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf}, language = {English}, urldate = {2021-01-01} } DNS Tunneling In The SolarWinds Supply Chain Attack
SUNBURST
2020-12-23QianxinQi AnXin CERT
@online{cert:20201223:solarwindsapt:a237c40, author = {Qi AnXin CERT}, title = {{从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战}}, date = {2020-12-23}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q}, language = {Chinese}, urldate = {2020-12-23} } 从Solarwinds供应链攻击(金链熊)看APT行动中的隐蔽作战
SUNBURST
2020-12-23CrowdStrikeMichael Sentonas
@online{sentonas:20201223:crowdstrike:ee76d67, author = {Michael Sentonas}, title = {{CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory}}, date = {2020-12-23}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/}, language = {English}, urldate = {2021-01-01} } CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
SUNBURST
2020-12-23Palo Alto Networks Unit 42Unit 42
@online{42:20201223:timeline:466b51a, author = {Unit 42}, title = {{A Timeline Perspective of the SolarStorm Supply-Chain Attack}}, date = {2020-12-23}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline}, language = {English}, urldate = {2020-12-26} } A Timeline Perspective of the SolarStorm Supply-Chain Attack
SUNBURST TEARDROP
2020-12-22Medium mitre-attackMatt Malone, Adam Pennington
@online{malone:20201222:identifying:259fcd9, author = {Matt Malone and Adam Pennington}, title = {{Identifying UNC2452-Related Techniques for ATT&CK}}, date = {2020-12-22}, organization = {Medium mitre-attack}, url = {https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714}, language = {English}, urldate = {2020-12-23} } Identifying UNC2452-Related Techniques for ATT&CK
SUNBURST TEARDROP UNC2452
2020-12-22Youtube (Colin Hardy)Colin Hardy
@online{hardy:20201222:sunburst:78b5056, author = {Colin Hardy}, title = {{SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims}}, date = {2020-12-22}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=mbGN1xqy1jY}, language = {English}, urldate = {2020-12-23} } SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims
SUNBURST
2020-12-22PrevasioSergei Shevchenko
@online{shevchenko:20201222:sunburst:9670fa6, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor, Part III: DGA & Security Software (Broken Link)}}, date = {2020-12-22}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html}, language = {English}, urldate = {2021-08-03} } Sunburst Backdoor, Part III: DGA & Security Software (Broken Link)
SUNBURST
2020-12-22SymantecThreat Hunter Team
@online{team:20201222:solarwinds:b77e372, author = {Threat Hunter Team}, title = {{SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection}}, date = {2020-12-22}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection}, language = {English}, urldate = {2020-12-23} } SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection
SUNBURST
2020-12-22ZscalerZscaler
@online{zscaler:20201222:hitchhikers:1875e0b, author = {Zscaler}, title = {{The Hitchhiker’s Guide to SolarWinds Incident Response}}, date = {2020-12-22}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response}, language = {English}, urldate = {2021-01-10} } The Hitchhiker’s Guide to SolarWinds Incident Response
SUNBURST
2020-12-22MicrosoftAlex Weinert
@online{weinert:20201222:azure:b2fee7b, author = {Alex Weinert}, title = {{Azure AD workbook to help you assess Solorigate risk}}, date = {2020-12-22}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718}, language = {English}, urldate = {2020-12-23} } Azure AD workbook to help you assess Solorigate risk
SUNBURST
2020-12-22FBIFBI
@online{fbi:20201222:pin:ea37578, author = {FBI}, title = {{PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities}}, date = {2020-12-22}, organization = {FBI}, url = {https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view}, language = {English}, urldate = {2020-12-26} } PIN Number 20201222-001: Advanced Persistent Threat Actors Leverage SolarWinds Vulnerabilities
SUNBURST
2020-12-22CheckpointCheck Point Research
@online{research:20201222:sunburst:f3cfd5f, author = {Check Point Research}, title = {{SUNBURST, TEARDROP and the NetSec New Normal}}, date = {2020-12-22}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/}, language = {English}, urldate = {2020-12-23} } SUNBURST, TEARDROP and the NetSec New Normal
SUNBURST TEARDROP
2020-12-21McAfeeMo Cashman, Arnab Roy
@online{cashman:20201221:how:10d8756, author = {Mo Cashman and Arnab Roy}, title = {{How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise}}, date = {2020-12-21}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/}, language = {English}, urldate = {2020-12-23} } How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise
SUNBURST
2020-12-21FortinetUdi Yavo
@online{yavo:20201221:what:716b31d, author = {Udi Yavo}, title = {{What We Have Learned So Far about the “Sunburst”/SolarWinds Hack}}, date = {2020-12-21}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack}, language = {English}, urldate = {2021-01-18} } What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-21SophosLabs UncutSophosLabs Threat Research
@online{research:20201221:how:42cc330, author = {SophosLabs Threat Research}, title = {{How SunBurst malware does defense evasion}}, date = {2020-12-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/}, language = {English}, urldate = {2020-12-23} } How SunBurst malware does defense evasion
SUNBURST UNC2452
2020-12-21IronNetPeter Rydzynski
@online{rydzynski:20201221:solarwindssunburst:cabeea6, author = {Peter Rydzynski}, title = {{SolarWinds/SUNBURST: DGA or DNS Tunneling?}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling}, language = {English}, urldate = {2021-01-05} } SolarWinds/SUNBURST: DGA or DNS Tunneling?
SUNBURST
2020-12-21MicrosoftMSRC Team
@online{team:20201221:solorigate:7c7ab64, author = {MSRC Team}, title = {{Solorigate Resource Center}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/}, language = {English}, urldate = {2021-01-01} } Solorigate Resource Center
SUNBURST TEARDROP
2020-12-21MicrosoftAlex Weinert
@online{weinert:20201221:understanding:ea5a2f8, author = {Alex Weinert}, title = {{Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers.}}, date = {2020-12-21}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610}, language = {English}, urldate = {2020-12-23} } Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers.
SUNBURST
2020-12-20Twitter (@TychoTithonus)Royce Williams
@online{williams:20201220:solarwindssunburst:c93e0ce, author = {Royce Williams}, title = {{SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis}}, date = {2020-12-20}, organization = {Twitter (@TychoTithonus)}, url = {https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs}, language = {English}, urldate = {2021-02-18} } SolarWinds/SunBurst FNV-1a-XOR hashes found in analysis
SUNBURST
2020-12-20Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20201220:look:8cd19a2, author = {Asuna Amawaka}, title = {{A Look into SUNBURST’s DGA}}, date = {2020-12-20}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947}, language = {English}, urldate = {2021-02-18} } A Look into SUNBURST’s DGA
SUNBURST
2020-12-19Bleeping ComputerLawrence Abrams
@online{abrams:20201219:solarwinds:0129ee8, author = {Lawrence Abrams}, title = {{The SolarWinds cyberattack: The hack, the victims, and what we know}}, date = {2020-12-19}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/}, language = {English}, urldate = {2020-12-19} } The SolarWinds cyberattack: The hack, the victims, and what we know
SUNBURST
2020-12-18Sentinel LABSJames Haughom
@online{haughom:20201218:solarwinds:8e1f0c5, author = {James Haughom}, title = {{SolarWinds SUNBURST Backdoor: Inside the APT Campaign}}, date = {2020-12-18}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/}, language = {English}, urldate = {2020-12-19} } SolarWinds SUNBURST Backdoor: Inside the APT Campaign
SUNBURST
2020-12-18IBMGladys Koskas
@online{koskas:20201218:sunburst:c79fb22, author = {Gladys Koskas}, title = {{SUNBURST indicator detection in QRadar}}, date = {2020-12-18}, organization = {IBM}, url = {https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar}, language = {English}, urldate = {2021-01-10} } SUNBURST indicator detection in QRadar
SUNBURST
2020-12-18Kaspersky LabsIgor Kuznetsov, Costin Raiu
@online{kuznetsov:20201218:sunburst:85b411a, author = {Igor Kuznetsov and Costin Raiu}, title = {{Sunburst: connecting the dots in the DNS requests}}, date = {2020-12-18}, organization = {Kaspersky Labs}, url = {https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/}, language = {English}, urldate = {2020-12-18} } Sunburst: connecting the dots in the DNS requests
SUNBURST
2020-12-18MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20201218:analyzing:9486213, author = {Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers}}, date = {2020-12-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/}, language = {English}, urldate = {2020-12-19} } Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-18DomainToolsJoe Slowik
@online{slowik:20201218:continuous:71ffa78, author = {Joe Slowik}, title = {{Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident}}, date = {2020-12-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident}, language = {English}, urldate = {2020-12-18} } Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident
SUNBURST
2020-12-18ThreatConnectThreatConnect
@online{threatconnect:20201218:tracking:765f272, author = {ThreatConnect}, title = {{Tracking Sunburst-Related Activity with ThreatConnect Dashboards}}, date = {2020-12-18}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards}, language = {English}, urldate = {2020-12-19} } Tracking Sunburst-Related Activity with ThreatConnect Dashboards
SUNBURST
2020-12-18CloudflareNick Blazier, Jesse Kipp
@online{blazier:20201218:quirk:fe216c8, author = {Nick Blazier and Jesse Kipp}, title = {{A quirk in the SUNBURST DGA algorithm}}, date = {2020-12-18}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/}, language = {English}, urldate = {2020-12-18} } A quirk in the SUNBURST DGA algorithm
SUNBURST
2020-12-18ElasticCamilla Montonen, Justin Ibarra
@online{montonen:20201218:combining:13fef73, author = {Camilla Montonen and Justin Ibarra}, title = {{Combining supervised and unsupervised machine learning for DGA detection}}, date = {2020-12-18}, organization = {Elastic}, url = {https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection}, language = {English}, urldate = {2020-12-18} } Combining supervised and unsupervised machine learning for DGA detection
SUNBURST
2020-12-17Youtube (Colin Hardy)Colin Hardy
@online{hardy:20201217:sunburst:059bdbe, author = {Colin Hardy}, title = {{SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering}}, date = {2020-12-17}, organization = {Youtube (Colin Hardy)}, url = {https://www.youtube.com/watch?v=JoMwrkijTZ8}, language = {English}, urldate = {2020-12-18} } SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
SUNBURST
2020-12-17McAfeeChristiaan Beek, Cedric Cochin, Raj Samani
@online{beek:20201217:additional:cd38b54, author = {Christiaan Beek and Cedric Cochin and Raj Samani}, title = {{Additional Analysis into the SUNBURST Backdoor}}, date = {2020-12-17}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/}, language = {English}, urldate = {2020-12-18} } Additional Analysis into the SUNBURST Backdoor
SUNBURST
2020-12-17PrevasioSergei Shevchenko
@online{shevchenko:20201217:sunburst:9b615cf, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor, Part II: DGA & The List of Victims}}, date = {2020-12-17}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html}, language = {English}, urldate = {2020-12-23} } Sunburst Backdoor, Part II: DGA & The List of Victims
SUNBURST
2020-12-17NetresecErik Hjelmvik
@online{hjelmvik:20201217:reassembling:2a2f222, author = {Erik Hjelmvik}, title = {{Reassembling Victim Domain Fragments from SUNBURST DNS}}, date = {2020-12-17}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS}, language = {English}, urldate = {2020-12-18} } Reassembling Victim Domain Fragments from SUNBURST DNS
SUNBURST
2020-12-17Twitter (@megabeets_)Itay Cohen
@online{cohen:20201217:sunburst:7931c48, author = {Itay Cohen}, title = {{Tweet on SUNBURST malware discussing some of its evasion techniques}}, date = {2020-12-17}, organization = {Twitter (@megabeets_)}, url = {https://twitter.com/megabeets_/status/1339308801112027138}, language = {English}, urldate = {2020-12-18} } Tweet on SUNBURST malware discussing some of its evasion techniques
SUNBURST
2020-12-17splunkJohn Stoner
@online{stoner:20201217:onboarding:cef2450, author = {John Stoner}, title = {{Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued}}, date = {2020-12-17}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html}, language = {English}, urldate = {2021-01-11} } Onboarding Threat Indicators into Splunk Enterprise Security: SolarWinds Continued
SUNBURST
2020-12-17TRUESECFabio Viggiani
@online{viggiani:20201217:solarwinds:f367284, author = {Fabio Viggiani}, title = {{The SolarWinds Orion SUNBURST supply-chain Attack}}, date = {2020-12-17}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/}, language = {English}, urldate = {2020-12-18} } The SolarWinds Orion SUNBURST supply-chain Attack
SUNBURST
2020-12-17MicrosoftBrad Smith
@online{smith:20201217:moment:cd1089e, author = {Brad Smith}, title = {{A moment of reckoning: the need for a strong and global cybersecurity response}}, date = {2020-12-17}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/}, language = {English}, urldate = {2020-12-18} } A moment of reckoning: the need for a strong and global cybersecurity response
SUNBURST
2020-12-17US-CERTUS-CERT
@online{uscert:20201217:alert:1d517b0, author = {US-CERT}, title = {{Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations}}, date = {2020-12-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-352a}, language = {English}, urldate = {2020-12-18} } Alert (AA20-352A): Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
SUNBURST
2020-12-17TrustedSecTrustedsec
@online{trustedsec:20201217:solarwinds:8185fab, author = {Trustedsec}, title = {{SolarWinds Backdoor (Sunburst) Incident Response Playbook}}, date = {2020-12-17}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306}, language = {English}, urldate = {2020-12-18} } SolarWinds Backdoor (Sunburst) Incident Response Playbook
SUNBURST
2020-12-16Twitter (@0xrb)R. Bansal
@online{bansal:20201216:list:aa0388d, author = {R. Bansal}, title = {{List of domain infrastructure including DGA domain used by UNC2452}}, date = {2020-12-16}, organization = {Twitter (@0xrb)}, url = {https://twitter.com/0xrb/status/1339199268146442241}, language = {English}, urldate = {2020-12-17} } List of domain infrastructure including DGA domain used by UNC2452
SUNBURST
2020-12-16Github (RedDrip7)RedDrip7
@online{reddrip7:20201216:script:4476c58, author = {RedDrip7}, title = {{A script to decode SUNBURST DGA domain}}, date = {2020-12-16}, organization = {Github (RedDrip7)}, url = {https://github.com/RedDrip7/SunBurst_DGA_Decode}, language = {English}, urldate = {2020-12-17} } A script to decode SUNBURST DGA domain
SUNBURST
2020-12-16Intel 471Intel 471
@online{471:20201216:intel471s:f245d05, author = {Intel 471}, title = {{Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground}}, date = {2020-12-16}, organization = {Intel 471}, url = {https://twitter.com/Intel471Inc/status/1339233255741120513}, language = {English}, urldate = {2020-12-17} } Intel471's full statement on their knowledge of SolarWinds and the cybercriminal underground
SUNBURST
2020-12-16PastebinAnonymous
@online{anonymous:20201216:paste:a02ef52, author = {Anonymous}, title = {{Paste of subdomain & DGA domain names used in SolarWinds attack}}, date = {2020-12-16}, organization = {Pastebin}, url = {https://pastebin.com/6EDgCKxd}, language = {English}, urldate = {2021-01-13} } Paste of subdomain & DGA domain names used in SolarWinds attack
SUNBURST UNC2452
2020-12-16QianxinRed Raindrop Team
@online{team:20201216:solarwinds:0871f46, author = {Red Raindrop Team}, title = {{中招目标首次披露:SolarWinds供应链攻击相关域名生成算法可破解!}}, date = {2020-12-16}, organization = {Qianxin}, url = {https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug}, language = {Chinese}, urldate = {2020-12-17} } 中招目标首次披露:SolarWinds供应链攻击相关域名生成算法可破解!
SUNBURST
2020-12-16CloudflareJesse Kipp, Malavika Balachandran Tadeusz
@online{kipp:20201216:trend:29b2a2d, author = {Jesse Kipp and Malavika Balachandran Tadeusz}, title = {{Trend data on the SolarWinds Orion compromise}}, date = {2020-12-16}, organization = {Cloudflare}, url = {https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/}, language = {English}, urldate = {2020-12-18} } Trend data on the SolarWinds Orion compromise
SUNBURST
2020-12-16Twitter (@cybercdh)Colin Hardy
@online{hardy:20201216:3:c3e0e68, author = {Colin Hardy}, title = {{Tweet on 3 key actions SUNBURST performs as soon as it's invoked}}, date = {2020-12-16}, organization = {Twitter (@cybercdh)}, url = {https://twitter.com/cybercdh/status/1339241246024404994}, language = {English}, urldate = {2020-12-18} } Tweet on 3 key actions SUNBURST performs as soon as it's invoked
SUNBURST
2020-12-16Twitter (@FireEye)FireEye
@online{fireeye:20201216:sunburst:310ef08, author = {FireEye}, title = {{Tweet on SUNBURST from FireEye detailing some additional information}}, date = {2020-12-16}, organization = {Twitter (@FireEye)}, url = {https://twitter.com/FireEye/status/1339295983583244302}, language = {English}, urldate = {2020-12-17} } Tweet on SUNBURST from FireEye detailing some additional information
SUNBURST
2020-12-16Bleeping ComputerLawrence Abrams
@online{abrams:20201216:fireeye:d24dc6f, author = {Lawrence Abrams}, title = {{FireEye, Microsoft create kill switch for SolarWinds backdoor}}, date = {2020-12-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/}, language = {English}, urldate = {2020-12-17} } FireEye, Microsoft create kill switch for SolarWinds backdoor
SUNBURST
2020-12-16MicrosoftShain Wray
@online{wray:20201216:solarwinds:98db0a9, author = {Shain Wray}, title = {{SolarWinds Post-Compromise Hunting with Azure Sentinel}}, date = {2020-12-16}, organization = {Microsoft}, url = {https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095}, language = {English}, urldate = {2020-12-17} } SolarWinds Post-Compromise Hunting with Azure Sentinel
SUNBURST
2020-12-16Cyborg SecurityJosh Meltzer
@online{meltzer:20201216:sunburst:6866abc, author = {Josh Meltzer}, title = {{SUNBURST: SolarWinds Supply-Chain Attack}}, date = {2020-12-16}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/}, language = {English}, urldate = {2020-12-23} } SUNBURST: SolarWinds Supply-Chain Attack
SUNBURST
2020-12-16ReversingLabsTomislav Pericin
@online{pericin:20201216:sunburst:02a2fd8, author = {Tomislav Pericin}, title = {{SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience}}, date = {2020-12-16}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth}, language = {English}, urldate = {2020-12-17} } SunBurst: the next level of stealth SolarWinds compromise exploited through sophistication and patience
SUNBURST
2020-12-15Twitter (@cybercdh)Colin Hardy
@online{hardy:20201215:cyberchef:9f25c79, author = {Colin Hardy}, title = {{Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.}}, date = {2020-12-15}, organization = {Twitter (@cybercdh)}, url = {https://twitter.com/cybercdh/status/1338885244246765569}, language = {English}, urldate = {2020-12-17} } Tweet on CyberChef recipe to extract and decode strings from #SolarWinds malware binaries.
SUNBURST
2020-12-15CorelightJohn Gamble
@online{gamble:20201215:finding:50ef51c, author = {John Gamble}, title = {{Finding SUNBURST Backdoor with Zeek Logs & Corelight}}, date = {2020-12-15}, organization = {Corelight}, url = {https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/}, language = {English}, urldate = {2020-12-15} } Finding SUNBURST Backdoor with Zeek Logs & Corelight
SUNBURST
2020-12-15360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20201215:operation:899bf4d, author = {Advanced Threat Institute}, title = {{Operation Falling Eagle-the secret of the most influential supply chain attack in history}}, date = {2020-12-15}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q}, language = {Chinese}, urldate = {2020-12-18} } Operation Falling Eagle-the secret of the most influential supply chain attack in history
SUNBURST
2020-12-15Twitter (@cybercdh)Colin Hardy
@online{hardy:20201215:some:5b19d5f, author = {Colin Hardy}, title = {{Tweet on some more capabilities of SUNBURST backdoor}}, date = {2020-12-15}, organization = {Twitter (@cybercdh)}, url = {https://twitter.com/cybercdh/status/1338975171093336067}, language = {English}, urldate = {2020-12-18} } Tweet on some more capabilities of SUNBURST backdoor
SUNBURST
2020-12-15Github (sophos-cybersecurity)Sophos Cyber Security Team
@online{team:20201215:solarwindsthreathunt:4357421, author = {Sophos Cyber Security Team}, title = {{solarwinds-threathunt}}, date = {2020-12-15}, organization = {Github (sophos-cybersecurity)}, url = {https://github.com/sophos-cybersecurity/solarwinds-threathunt}, language = {English}, urldate = {2020-12-15} } solarwinds-threathunt
Cobalt Strike SUNBURST
2020-12-15PrevasioSergei Shevchenko
@online{shevchenko:20201215:sunburst:7f6b5db, author = {Sergei Shevchenko}, title = {{Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware}}, date = {2020-12-15}, organization = {Prevasio}, url = {https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html}, language = {English}, urldate = {2020-12-17} } Sunburst Backdoor: A Deeper Look Into The SolarWinds' Supply Chain Malware
SUNBURST
2020-12-15PICUS SecuritySüleyman Özarslan
@online{zarslan:20201215:tactics:bba1b4f, author = {Süleyman Özarslan}, title = {{Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach}}, date = {2020-12-15}, organization = {PICUS Security}, url = {https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach}, language = {English}, urldate = {2020-12-17} } Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach
Cobalt Strike SUNBURST
2020-12-15Cyborg SecurityAustin Jackson
@online{jackson:20201215:threat:00bfb46, author = {Austin Jackson}, title = {{Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)}}, date = {2020-12-15}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/}, language = {English}, urldate = {2020-12-23} } Threat Hunt Deep Dives: SolarWinds Supply Chain Compromise (Solorigate / SUNBURST Backdoor)
SUNBURST
2020-12-14SolarwindSolarwind
@online{solarwind:20201214:security:a763c2a, author = {Solarwind}, title = {{Security Advisory on SolarWinds Supply chain attack FAQ}}, date = {2020-12-14}, organization = {Solarwind}, url = {https://www.solarwinds.com/securityadvisory/faq}, language = {English}, urldate = {2021-01-04} } Security Advisory on SolarWinds Supply chain attack FAQ
SUNBURST SUPERNOVA
2020-12-14SymantecThreat Hunter Team
@online{team:20201214:sunburst:12e5814, author = {Threat Hunter Team}, title = {{Sunburst: Supply Chain Attack Targets SolarWinds Users}}, date = {2020-12-14}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds}, language = {English}, urldate = {2020-12-19} } Sunburst: Supply Chain Attack Targets SolarWinds Users
SUNBURST TEARDROP
2020-12-14VolexityDamien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, Volexity Threat Research
@online{cash:20201214:dark:7d54c5d, author = {Damien Cash and Matthew Meltzer and Sean Koessel and Steven Adair and Thomas Lancaster and Volexity Threat Research}, title = {{Dark Halo Leverages SolarWinds Compromise to Breach Organizations}}, date = {2020-12-14}, organization = {Volexity}, url = {https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/}, language = {English}, urldate = {2020-12-15} } Dark Halo Leverages SolarWinds Compromise to Breach Organizations
SUNBURST
2020-12-14Twitter (@ItsReallyNick)Nick Carr
@online{carr:20201214:summarizing:67227be, author = {Nick Carr}, title = {{Tweet on summarizing post-compromise activity of UNC2452}}, date = {2020-12-14}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1338382939835478016}, language = {English}, urldate = {2020-12-14} } Tweet on summarizing post-compromise activity of UNC2452
SUNBURST
2020-12-14splunkRyan Kovar
@online{kovar:20201214:using:7fa58c8, author = {Ryan Kovar}, title = {{Using Splunk to Detect Sunburst Backdoor}}, date = {2020-12-14}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html}, language = {English}, urldate = {2020-12-15} } Using Splunk to Detect Sunburst Backdoor
SUNBURST
2020-12-14TrustedSecNick Gilberti, Tyler Hudak
@online{gilberti:20201214:solarwinds:394f5d5, author = {Nick Gilberti and Tyler Hudak}, title = {{SolarWinds Orion and UNC2452 – Summary and Recommendations}}, date = {2020-12-14}, organization = {TrustedSec}, url = {https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/}, language = {English}, urldate = {2020-12-16} } SolarWinds Orion and UNC2452 – Summary and Recommendations
SUNBURST
2020-12-14Cado SecurityChristopher Doman
@online{doman:20201214:responding:639d2ce, author = {Christopher Doman}, title = {{Responding to Solarigate}}, date = {2020-12-14}, organization = {Cado Security}, url = {https://www.cadosecurity.com/post/responding-to-solarigate}, language = {English}, urldate = {2020-12-14} } Responding to Solarigate
SUNBURST
2020-12-14SophosRoss McKerchar
@online{mckerchar:20201214:incident:fa87d28, author = {Ross McKerchar}, title = {{Incident response playbook for responding to SolarWinds Orion compromise}}, date = {2020-12-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/}, language = {English}, urldate = {2020-12-15} } Incident response playbook for responding to SolarWinds Orion compromise
SUNBURST
2020-12-14Olaf Hartong
@online{hartong:20201214:fireeye:d7c17f5, author = {Olaf Hartong}, title = {{FireEye Sunburst KQL Detections}}, date = {2020-12-14}, url = {https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f}, language = {English}, urldate = {2020-12-15} } FireEye Sunburst KQL Detections
SUNBURST
2020-12-14Twitter (@lordx64)Taha Karim
@online{karim:20201214:one:5d9f92c, author = {Taha Karim}, title = {{Tweet on a one liner to decrypt SUNBURST backdoor}}, date = {2020-12-14}, organization = {Twitter (@lordx64)}, url = {https://twitter.com/lordx64/status/1338526166051934213}, language = {English}, urldate = {2020-12-15} } Tweet on a one liner to decrypt SUNBURST backdoor
SUNBURST
2020-12-14Twitter (@KimZetter)Kim Zetter
@online{zetter:20201214:thread:783b5ed, author = {Kim Zetter}, title = {{Tweet thread on microsoft report on Solarwind supply chain attack by UNC2452}}, date = {2020-12-14}, organization = {Twitter (@KimZetter)}, url = {https://twitter.com/KimZetter/status/1338305089597964290}, language = {English}, urldate = {2020-12-14} } Tweet thread on microsoft report on Solarwind supply chain attack by UNC2452
SUNBURST
2020-12-14SolarwindSolarwind
@online{solarwind:20201214:security:68f32e4, author = {Solarwind}, title = {{Security Advisory on SolarWinds Supply chain attack}}, date = {2020-12-14}, organization = {Solarwind}, url = {https://www.solarwinds.com/securityadvisory}, language = {English}, urldate = {2021-01-01} } Security Advisory on SolarWinds Supply chain attack
SUNBURST SUPERNOVA
2020-12-14Palo Alto Networks Unit 42Unit 42
@online{42:20201214:threat:032b92d, author = {Unit 42}, title = {{Threat Brief: SolarStorm and SUNBURST Customer Coverage}}, date = {2020-12-14}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/}, language = {English}, urldate = {2020-12-15} } Threat Brief: SolarStorm and SUNBURST Customer Coverage
Cobalt Strike SUNBURST
2020-12-14Youtube (Ali Hadi)Ali Hadi
@online{hadi:20201214:learning:f4175a9, author = {Ali Hadi}, title = {{Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor}}, date = {2020-12-14}, organization = {Youtube (Ali Hadi)}, url = {https://www.youtube.com/watch?v=cMauHTV-lJg}, language = {English}, urldate = {2020-12-18} } Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor
SUNBURST
2020-12-14DomainToolsJoe Slowik
@online{slowik:20201214:unraveling:d212099, author = {Joe Slowik}, title = {{Unraveling Network Infrastructure Linked to the SolarWinds Hack}}, date = {2020-12-14}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack}, language = {English}, urldate = {2020-12-15} } Unraveling Network Infrastructure Linked to the SolarWinds Hack
SUNBURST
2020-12-14Cisco TalosNick Biasini
@online{biasini:20201214:threat:63acc35, author = {Nick Biasini}, title = {{Threat Advisory: SolarWinds supply chain attack}}, date = {2020-12-14}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more}, language = {English}, urldate = {2020-12-19} } Threat Advisory: SolarWinds supply chain attack
SUNBURST TEARDROP
2020-12-13CISACISA
@online{cisa:20201213:active:44eb4a4, author = {CISA}, title = {{Active Exploitation of SolarWinds Software}}, date = {2020-12-13}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software}, language = {English}, urldate = {2020-12-15} } Active Exploitation of SolarWinds Software
SUNBURST
2020-12-13VX-Underground
@online{vxunderground:20201213:directory:a270772, author = {VX-Underground}, title = {{Directory: /samples/Exotic/UNC2452/SolarWinds Breach/}}, date = {2020-12-13}, url = {https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/}, language = {English}, urldate = {2020-12-14} } Directory: /samples/Exotic/UNC2452/SolarWinds Breach/
SUNBURST
2020-12-13FireEyeAndrew Archer, Doug Bienstock, Chris DiGiamo, Glenn Edwards, Nick Hornick, Alex Pennino, Andrew Rector, Scott Runnels, Eric Scales, Nalani Fraiser, Sarah Jones, John Hultquist, Ben Read, Jon Leathery, Fred House, Dileep Jallepalli, Michael Sikorski, Stephen Eckels, William Ballenthin, Jay Smith, Alex Berry, Nick Richard, Isif Ibrahima, Dan Perez, Marcin Siedlarz, Ben Withnell, Barry Vengerik, Nicole Oppenheim, Ian Ahl, Andrew Thompson, Matt Dunwoody, Evan Reese, Steve Miller, Alyssa Rahman, John Gorman, Lennard Galang, Steve Stone, Nick Bennett, Matthew McWhirt, Mike Burns, Omer Baig, Nick Carr, Christopher Glyer, Ramin Nafisi, Microsoft
@online{archer:20201213:highly:9fe1728, author = {Andrew Archer and Doug Bienstock and Chris DiGiamo and Glenn Edwards and Nick Hornick and Alex Pennino and Andrew Rector and Scott Runnels and Eric Scales and Nalani Fraiser and Sarah Jones and John Hultquist and Ben Read and Jon Leathery and Fred House and Dileep Jallepalli and Michael Sikorski and Stephen Eckels and William Ballenthin and Jay Smith and Alex Berry and Nick Richard and Isif Ibrahima and Dan Perez and Marcin Siedlarz and Ben Withnell and Barry Vengerik and Nicole Oppenheim and Ian Ahl and Andrew Thompson and Matt Dunwoody and Evan Reese and Steve Miller and Alyssa Rahman and John Gorman and Lennard Galang and Steve Stone and Nick Bennett and Matthew McWhirt and Mike Burns and Omer Baig and Nick Carr and Christopher Glyer and Ramin Nafisi and Microsoft}, title = {{Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor}}, date = {2020-12-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html}, language = {English}, urldate = {2020-12-19} } Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-13Github (fireeye)FireEye
@online{fireeye:20201213:sunburst:04e594f, author = {FireEye}, title = {{SUNBURST Countermeasures}}, date = {2020-12-13}, organization = {Github (fireeye)}, url = {https://github.com/fireeye/sunburst_countermeasures}, language = {English}, urldate = {2020-12-19} } SUNBURST Countermeasures
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-13MicrosoftMicrosoft Security Intelligence
@online{intelligence:20201213:trojanmsilsolorigatebdha:f470d89, author = {Microsoft Security Intelligence}, title = {{Trojan:MSIL/Solorigate.B!dha}}, date = {2020-12-13}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha}, language = {English}, urldate = {2020-12-14} } Trojan:MSIL/Solorigate.B!dha
SUNBURST
2020-12-08SecuronixOleg Kolesnikov, Den Iyzvyk
@techreport{kolesnikov:20201208:detecting:ba06a76, author = {Oleg Kolesnikov and Den Iyzvyk}, title = {{Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks}}, date = {2020-12-08}, institution = {Securonix}, url = {https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf}, language = {English}, urldate = {2021-01-10} } Detecting SolarWinds/SUNBURST/ECLIPSER Supply Chain Attacks
SUNBURST
2020-12FireEyeFireEye
@online{fireeye:202012:solarwinds:4ce144e, author = {FireEye}, title = {{Solarwinds Breach Resource Center}}, date = {2020-12}, organization = {FireEye}, url = {https://www.fireeye.com/current-threats/sunburst-malware.html}, language = {English}, urldate = {2021-03-02} } Solarwinds Breach Resource Center
SUNBURST
2020-05-31WiredAndy Greenberg
@online{greenberg:20200531:hacker:8874190, author = {Andy Greenberg}, title = {{Hacker Lexicon: What Is a Supply Chain Attack?}}, date = {2020-05-31}, organization = {Wired}, url = {https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/}, language = {English}, urldate = {2021-06-09} } Hacker Lexicon: What Is a Supply Chain Attack?
EternalPetya SUNBURST
2020-01-22Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-05NSA, FBI, CISA, ODNI
@online{nsa:20200105:joint:ba51a6d, author = {NSA and FBI and CISA and ODNI}, title = {{Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)}}, date = {2020-01-05}, url = {https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure}, language = {English}, urldate = {2021-01-11} } Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)
SUNBURST
Yara Rules
[TLP:WHITE] win_sunburst_w0 (20201215 | This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.)
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
// Detection rule for the SUNBURST backdoor. It keys on two independent traits:
// an 8-byte XOR constant the sample applies to process/service/driver
// names/paths (see the description in meta), and hard-coded JSON fragments
// whose names mark them as the fake "Orion" event payload. Each JSON fragment
// is searched both as plain ASCII bytes and as a "wide" (UTF-16LE) string
// holding an encoded form of the same text.
rule win_sunburst_w0 {
    meta:
        author = "FireEye"
        description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst"
        malpedia_ruledate = "20201215"
        malpedia_version = "20201215"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // The *_plain bytes are ASCII for the regex text
        //   \{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}
        // (a GUID-shaped token, a 32-hex-digit token or a 16-hex-digit token).
        // The *_encoded variant is, going by its name, the same text in the
        // form the sample stores it -- presumably a packed/base64 encoding;
        // not verified here. The "cmd" prefix suggests it is applied to C2
        // command data, which is also name-based inference.
        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
        // ASCII: "EventType":"Orion",
        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
        // ASCII: "EventName":"EventManager",
        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
        // ASCII: "Message":"{0}"   (the {0} is a .NET-style format placeholder)
        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
        // Magic 8-byte XOR constant used when obfuscating process, service and
        // driver names/paths (per the description above); the "fnv" in the
        // name suggests it is combined with an FNV hash -- inferred, not shown.
        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
    condition:
        // YARA's `and` binds tighter than `or`, so this evaluates as
        //   ($fnv_xor AND cmd_regex) OR (event AND eventmanager AND message)
        // i.e. either the XOR constant plus the regex, or all three fake
        // Orion JSON fragments together.
        // NOTE(review): the message group requires BOTH its encoded and plain
        // forms, whereas the other pairs accept either form. This may be
        // deliberate, but it makes that branch stricter than the rest and is
        // worth confirming against the upstream FireEye rule.
        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
}