NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge

Just in Time Bulletin: Sunburst

Sep 02, 2021

What is “Sunburst”? 

FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware which is called SUNBURST. 

It has discovered a global intrusion campaign which is tracking the actors behind this campaign as UNC2452.

How bad is this? 

Active exploitation today: Exploited in the wild

Severity: Critical

  • gaining a foothold in the network
  • authentication bypass

The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

Who is affected by this? 

FireEye has detected this activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.

How are they exploited? 

An intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials.

How do I protect myself? 

SolarWinds is recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal.

If you aren’t sure which version of the Orion Platform you are using, see directions on how to check that here. To check which hotfixes you have applied, please go here.

If you cannot upgrade immediately, please follow the guidelines available here for securing your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary.  

An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020. We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements.

NopSec strongly encourages organizations to apply these patches as soon as possible.

Under what circumstances would I consider using the registry key workaround?

FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. The signatures are found on FireEye’s public GitHub page.

Additional Resources: