SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know

On Dec. 12, 2020, FireEye provided detailed information on a widespread attack campaign involving a backdoored component of the SolarWinds Orion platform, which is used by organizations to monitor and manage IT infrastructure. FireEye has given the campaign an identifier of UNC2452 and is further naming the trojanized version of the SolarWinds Orion component SUNBURST (Microsoft has used the “Solorigate” identifier for the malware and added detection rules to its Defender antivirus). SolarWinds has issued a separate advisory for the incident.


In this blog post, we will focus on answering specific questions organizations may have regarding this situation.


What is Rapid7 doing as a result of the SUNBURST/Solorigate disclosure?


For InsightIDR customers


Rapid7 has deployed detections in InsightIDR for activity related to vulnerable versions of SolarWinds Orion and will continue to add IOCs/TTPs as they become available. We recommend that all customers running SolarWinds Orion versions 2019.4 through 2020.2.1 upgrade the Orion platform to version 2020.2.1 HF 1 as soon as possible.
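The affected range above (2019.4 through 2020.2.1, fixed in 2020.2.1 HF 1) is easy to misjudge by eye because Orion version strings carry an optional hotfix suffix. The following is an added example, not Rapid7's or SolarWinds' code, that parses such strings and flags which hosts in an inventory still need the upgrade. The host names and version strings in `INVENTORY` are constructed sample data, and the version-string format the regular expression accepts is an assumption about how administrators typically record Orion builds.

```python
import re
from typing import List, Tuple

# Affected range and fixed hotfix as stated in the advisory.
AFFECTED_MIN = (2019, 4, 0)   # Orion 2019.4
AFFECTED_MAX = (2020, 2, 1)   # Orion 2020.2.1
FIXED_HOTFIX = 1              # 2020.2.1 HF 1 is the fixed build

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF 1", "2020.2.1HF1" (assumed notation).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, patch), hotfix); a missing patch or hotfix is 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0)), int(hotfix or 0)


def is_affected(text: str) -> bool:
    """True if the build falls inside the advisory's affected range.

    A hotfix suffix only counts as a fix on the top of the range (2020.2.1 HF 1);
    a hotfix on an earlier build is still inside the affected range.
    """
    base, hotfix = parse_orion_version(text)
    if base < AFFECTED_MIN or base > AFFECTED_MAX:
        return False
    if base == AFFECTED_MAX and hotfix >= FIXED_HOTFIX:
        return False
    return True


# Constructed sample inventory: (hostname, reported Orion version). Not real hosts.
INVENTORY = [
    ("orion-01", "2019.4"),
    ("orion-02", "2020.2"),
    ("orion-03", "2020.2.1"),
    ("orion-04", "2020.2.1 HF 1"),
    ("orion-05", "2018.4"),
]


def hosts_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose Orion build is inside the affected range."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in hosts_needing_upgrade(INVENTORY):
        print(f"{host}: upgrade to 2020.2.1 HF 1")
```

The check classifies builds only; it says nothing about whether the backdoored component was ever active on a host, so the log review described for MDR customers below still applies to every host the script lists.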


We will also publish queries you can perform in your environment to look for this vulnerability.


For our MDR customers


We are analyzing your agent, DNS, firewall, and other log data that exists in IDR for IOCs/TTPs related to this threat, and specifically the IOCs released by FireEye.


For InsightVM customers


InsightVM customers can use Query Buil ..