SolarWinds-Sunburst-Solorigate-Supernova-FireEye

Resources related to the SolarWinds supply chain breach, connected to the FireEye breach that identified Sunburst and Supernova. Attribution has not been confirmed; FireEye tracks the campaign as UNC2452, and several media outlets report that intelligence agencies attribute the attack to Russian intelligence.

Attack Timeline - Overview

Contents

News & Media Articles

  1. BBC News: CES 2021: Microsoft's Brad Smith slams SolarWinds 'indiscriminate assault'
  2. CBS News: SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments
  3. ZDNet: A second hacking group has targeted SolarWinds systems
  4. ZDNet: CISA: SolarWinds hackers also used password guessing to breach targets
  5. ZDNet: Fourth malware strain discovered in SolarWinds incident
  6. ZDNet: Four security vendors disclose SolarWinds-related incidents
  7. ZDNet: Microsoft: SolarWinds attack took more than 1,000 engineers to create
  8. ZDNet: SolarWinds patches three newly discovered software vulnerabilities
  9. The Register: Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes
  10. TheCyberWire: Cozy Bear's attack on FireEye affected more than one company, and was based on a compromised SolarWinds update
  11. CRN: Crowdstrike Fends Off Attack Attempted By SolarWinds Hackers
  12. CRN: AWS: SolarWinds Hackers Used Our Elastic Compute Cloud
  13. Reuters: Exclusive - Microsoft breached in suspected Russian hack using SolarWinds
  14. Reuters: Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer
  15. Reuters: Suspected Russian hackers used Microsoft vendors to breach customers
  16. Reuters: SolarWinds hackers linked to known Russian spying tools, investigators say
  17. Reuters: Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources
  18. Infosecurity: New Malware Implant Discovered as Part of SolarWinds Attack
  19. Infosecurity: CrowdStrike Slams Microsoft Over SolarWinds Hack
  20. CyberScoop: All Articles tagged with SolarWinds
  21. CyberScoop: Microsoft alerts Crowdstrike of hackers' attempted break-in
  22. CyberScoop: NSA warns defense contractors of potential SolarWinds fallout
  23. CyberScoop: After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case
  24. CyberScoop: Mimecast breach investigators probe possible SolarWinds connection
  25. CyberScoop: Mimecast confirms SolarWinds attackers breached security certificate, 'potentially exfiltrated' credentials
  26. CyberScoop: Symantec connects another hacking tool to SolarWinds campaign
  27. CyberScoop: For Microsoft, cybersecurity has become bigger than business
  28. CyberScoop: Microsoft shares tool to hunt for compromise in SolarWinds breach
  29. CyberScoop: Senate hearing on SolarWinds hack lays bare US shortcomings, remaining mysteries
  30. The Intercept: SolarWinds Hack Infected Critical Infrastructure
  31. Securelist: Sunburst - connecting the dots in the DNS requests
  32. Securelist: Sunburst backdoor - code overlaps with Kazuar
  33. Bleeping Computer: The SolarWinds cyberattack - The hack victims and what we know
  34. Bleeping Computer: Malwarebytes says SolarWinds hackers accessed its internal emails
  35. Bleeping Computer: Microsoft: SolarWinds hackers downloaded Azure, Exchange source code
  36. The Wall Street Journal: Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says
  37. Security Week: Continuous Updates: Everything You Need to Know About the SolarWinds Attack
  38. Security Week: SolarWinds Likely Hacked at Least One Year Before Breach Discovery
  39. Security Week: New Zero-Day, Malware Indicate Second Group May Have Targeted SolarWinds
  40. Security Week: SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos
  41. Security Week: Similarities Found Between Malware Used in SolarWinds Attack and Backdoor Linked to Turla Cyberspies
  42. Security Week: Investigation Launched Into Role of JetBrains Product in SolarWinds Hack: Reports
  43. Security Week: Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group
  44. Security Week: Microsoft Details OPSEC, Anti-Forensic Techniques Used by SolarWinds Hackers
  45. Security Week: CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds
  46. Security Week: Microsoft Says Its Services Not Used as Entry Point by SolarWinds Hackers
  47. Schneier: Russia's SolarWinds Attack
  48. The Hacker News: 3 New Severe Security Vulnerabilities Found In SolarWinds Software
  49. Forbes: 1,500 SolarWinds Customers Are Exposing Themselves To Hackers As 'Russian' Espionage Continues
  50. Security Affairs: CISA revealed that threat actors behind the SolarWinds hack also used password guessing and password spraying in its attacks
  51. Security Affairs: SolarWinds hackers also used common hacker techniques, CISA revealed
  52. Security Boulevard: How X.509 Certificates Were Involved in SolarWinds Attack | Keyfactor
  53. Security Boulevard: Hackers Didn’t Only Use SolarWinds to Break In, Says CISA
  54. Wired: The SolarWinds Hackers Shared Tricks With a Notorious Russian Spy Group
  55. Wired: The SolarWinds Hackers Used Tactics Other Groups Will Copy
  56. Wired: A Second SolarWinds Hack Deepens Third-Party Software Fears
  57. The Guardian: DoJ confirms email accounts breached by SolarWinds hackers
  58. Financial Times: SolarWinds cyber attack linked to tools used by Russian hacking group
  59. CNN: SolarWinds hackers gave themselves top administrative privileges to spy on victims undetected, DHS says
  60. Ars Technica: SolarWinds malware has “curious” ties to Russian-speaking hackers
  61. Council on Foreign Relations: Most Tools Failed to Detect the SolarWinds Malware. Those That Did Failed Too
  62. The Street: SolarWinds Says It Has Found Source of Massive Cyberattack
  63. CNA: SolarWinds hackers linked to known Russian spying tools, investigators say
  64. TechRadar: SolarWinds hackers also guessed passwords of many victims
  65. FCW: CISA: Hackers access to federal networks without SolarWinds
  66. Market Watch: SolarWinds has found and reverse engineered 'highly sophisticated and malicious' code used in recent cyberattack
  67. Barron's: The SolarWinds Hack Was Huge. Here’s Why JPMorgan Is Defending the Stock.
  68. Fox Business: Cybersecurity firm identifies third SolarWinds hack malware strain
  69. Fox Business: SolarWinds shareholder files class-action lawsuit alleging leadership 'misrepresented and failed to disclose' information about hack
  70. The Hill: Hackers had access to SolarWinds email system for months: report
  71. State Scoop: No evidence SolarWinds hack touched election systems, acting CISA chief says
  72. CNBC: CrowdStrike CEO on who bears responsibility for SolarWinds hack

Technical Guidance & Analysis

SolarWinds

  1. Security Advisory
  2. SolarWinds Update on Security Vulnerability
  3. Our Commitment to Cooperation
  4. Our Plan for a Safer SolarWinds and Customer Community
  5. New Findings From Our Investigation of SUNBURST

FireEye

  1. Sunburst Malware
  2. Sunburst Additional Technical Details
  3. Global Intrusion Campaign Leverages Software Supply Chain Compromise
  4. Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST backdoor
  5. Mandiant UNC2452 - Highly Evasive Attacker Leverages Supply Chain to Compromise Targets Presentation Slides
  6. FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
  7. Unauthorized Access of FireEye Red Team Tools
  8. FireEye Red Team Tool Countermeasures
  9. FireEye Mandiant SunBurst Countermeasures
  10. UNC2452 Actor Overview
  11. Sunburst Malware Overview
  12. Sunburst Malware Profile
  13. Teardrop Malware Overview
  14. DebUNCing Attribution to Counter Threats More Effectively
  15. New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452

Microsoft

  1. Solorigate Resource Center
  2. Important steps for customers to protect themselves from recent nation-state cyberattacks
  3. Ensuring customers are protected from Solorigate
  4. A moment of reckoning: the need for a strong and global cybersecurity response
  5. Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
  6. Microsoft Internal Solorigate Investigation
  7. SolarWinds Post-Compromise Hunting with Azure Sentinel
  8. Understanding "Solorigate's" Identity IOCs - for Identity Vendors and their customers
  9. Azure AD workbook to help you assess Solorigate risk
  10. Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
  11. Strategies for Microsoft 365 to Defend Against UNC2452
  12. Microsoft Internal Solorigate Investigation – Final Update
  13. Using Zero Trust principles to protect against sophisticated attacks like Solorigate

CISA / US-CERT / DHS

  1. Supply Chain Compromise
  2. AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
  3. AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
  4. Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise

UK's NCSC

  1. NCSC statement on the SolarWinds compromise
  2. NCSC Enhanced Guidance on SolarWinds Incident: TLP Amber

UK's ICO

  1. UK organisations using SolarWinds Orion platform should check whether personal data has been affected

US' NSA

  1. Detecting Abuse of Authentication Mechanisms

Crowdstrike

  1. Assessing the SolarWinds Vulnerability with Crowdstrike
  2. SUNSPOT: An Implant in the Build Process

Other Security Vendors

  1. Recorded Future: SolarWinds Attribution - Are We Getting Ahead of Ourselves?
  2. Recorded Future: SolarWinds: What the Intelligence Tells Us
  3. Splunk: Using Splunk to Detect Sunburst Backdoor
  4. Splunk: A Golden SAML Journey - SolarWinds Continued
  5. Volexity: Responding to the SolarWinds Breach - Detect, Prevent, and Remediate the Dark Halo Supply Chain Attack
  6. Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations
  7. Palo Alto's UNIT42: SolarStorm Timeline - Details of the Software Supply-Chain Attack
  8. SentinelLabs: SolarWinds - Understanding & Detecting the SUPERNOVA Webshell Trojan
  9. Check Point Research: SUNBURST, TEARDROP and the NetSec New Normal
  10. Sygnia: Detection of Golden SAML attacks
  11. Fortinet FortiGuard Labs: What We Have Learned So Far about the "Sunburst"-SolarWinds Hack
  12. Symantec/Broadcom: Raindrop: New Malware Discovered in SolarWinds Investigation
  13. TrustedSec: SolarWinds Backdoor (Sunburst) Incident Response Playbook
  14. TrustedSec: SolarWinds Orion and UNC2452 - Summary and Recommendations
  15. Netresec: Reassembling Victim Domain Fragments from SUNBURST DNS
  16. Netresec: Robust Indicators of Compromise for SUNBURST
  17. Netresec: Finding Targeted SUNBURST Victims with pDNS
  18. Netresec: Extracting Security Products from SUNBURST DNS Beacons
  19. Netresec: Twenty-three SUNBURST Targets Identified
  20. Immersive Labs: Feel the heat of SUNBURST with Immersive Labs (so your business won't have to)
  21. Immersive Labs: SUNBURST - When the sun bursts: responding to global cyber events

Other Security Researchers

  1. Katie Nickels: Twitter: A brief thread on the @Crowdstrike blog on SUNSPOT...
  2. SimeonOnSecurity.ch: SolarWinds Orion Supply Chain Compromised, C2, and Mitigations
  3. SimeonOnSecurity.ch: GitHub - SolarWinds Sunburst Countermeasures
  4. z3r0trust: SUNBURST Malware Used Digital Steganography
  5. @MalwareRE: Twitter Thread
  6. Carnegie Mellon CERT Coordination Center: Vulnerability Note VU#843464 SolarWinds Orion API authentication bypass allows remote code execution
  7. Securehat: Extracting the Cobalt Strike Config from a TEARDROP Loader

Tools

  1. 2igosha: SUNBURST DGA decoder
  2. RedDrip7: SunBurst DGA Decode Script
  3. CISA: Sparrow.ps1
  4. Command Post Technologies: SolarWinds Exploit Hash Hunter
  5. Crowdstrike: Crowdstrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
  6. Crowdstrike: Crowdstrike Reporting Tool for Azure (CRT)
  7. Crowdstrike: CRT (Crowdstrike Reporting Tool for Azure)
  8. FireEye/Mandiant: FireEye Mandiant SunBurst Countermeasures
  9. FireEye/Mandiant: Mandiant Azure AD Investigator
  10. JoeW: SolarWinds IOC Scanner
  11. Microsoft: Protecting Microsoft 365 from on-premise attacks
  12. Mubix: SolarFlare Release: Password Dumper for SolarWinds Orion
  13. Neo23x0: Sigma Rule: UNC2452 PowerShell pattern

Other Useful Resources

YouTube

  1. TeachJing: Animated SolarWinds Breach Attack Flow - EP1
  2. TeachJing: SolarWinds Breach | Protecting from on-premises attacks | EP2
  3. TeachJing: Solarwinds Breach Update | UCG is formed and CISA release a Free Tool - Sparrow.ps1 | EP3
  4. TeachJing: Solarwinds Breach Update | CISA has Important update to Emergency Directive as of Jan 6 | EP4
  5. McCrary Institute: SolarWinds: What It Means & What’s Next
  6. Corelight, Inc: Finding SolarWinds / SUNBURST backdoors with Zeek & Corelight
  7. Infosec: Memory forensics demo: SolarWinds breach and Sunburst malware | Cyber Work Podcast
  8. Infosec: SolarWinds breach: Insights from the trenches | Live incident response demo | Cyber Work Podcast
  9. Colin Hardy: SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
  10. SANS Institute: SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack

GitHub

  1. Ean Meyer: SolarWinds Vulnerability Info
  2. Subfission: SUNBURST Data Aggregation
  3. Will Oram: Azure AD Incident Response - notes for understanding the techniques used by the SolarWinds actor to facilitate long-term access to Microsoft environments

Other Vendors

  1. JetBrains: Statement on the story from The New York Times regarding JetBrains and SolarWinds
  2. JetBrains: An Update on SolarWinds
  3. JetBrains: January 8th Update on SolarWinds

IOCs

VirusTotal

  1. TEARDROP: 12 sample entries
  2. SUNBURST: 34 sample entries