Thousands of organizations have been affected by a supply chain attack that compromised the update mechanism for SolarWinds Orion software in order to deliver a backdoor Trojan known as Sunburst (Backdoor.Sunburst) (aka Solorigate).
Details on the attacks were disclosed yesterday (December 13) by the security firm FireEye. SolarWinds has also published a security advisory for its customers.
The campaign has been underway since at least March 2020. Any Orion user who downloaded an update in this period is likely to have been infected with Sunburst. According to FireEye, the attackers conducted further malicious activity on a subset of victim organizations that were of interest to them.
By their nature, supply chain attacks are indiscriminate and will infect any user of the compromised software. They are carried out in order to provide the attacker with access to a large number of organizations, a subset of which will be identified as targets of interest for further compromise.
Symantec has identified more than 2,000 computers at over 100 customers that received Trojanized software updates but has not identified any further malicious impact on those machines. However, this investigation is still ongoing, and it is possible that additional Indicators of Compromise (IOCs) will be discovered over the coming days and weeks which may lead to previously unidentified activity.
Sunburst analysis
An existing SolarWinds DLL called SolarWinds.Orion.Core.BusinessLayer.dll was modified by the attackers to include an added class.
The malware is designed to remain inactive for a period after installation. It will then attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will deliver a CNAME record that directs t ..
Support the originator by clicking the read the rest link below.
