{"id":5771,"date":"2020-12-15T16:30:44","date_gmt":"2020-12-16T00:30:44","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=5771"},"modified":"2024-04-26T13:21:02","modified_gmt":"2024-04-26T20:21:02","slug":"cyber-threat-advisory-solarwinds-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory-solarwinds-supply-chain-attack\/","title":{"rendered":"Cyber Threat Advisory: SolarWinds Supply Chain Attack"},"content":{"rendered":"<p>Author: Nathan Toporek<\/p>\n<p>TLP:WHITE<\/p>\n<h3>1.\u00a0 Executive Summary<\/h3>\n<p>On 13 December, FireEye publicly disclosed information about a supply chain attack affecting SolarWinds&#8217; Orion IT monitoring and management software.<sup>1<\/sup> This attack infected all versions of Orion software released between March and June 2020 with SUNBURST malware, a sophisticated backdoor that uses HTTP to communicate with attacker infrastructure. The threat actor(s) employed several advanced tactics, techniques and procedures (TTPs) that indicate a nation state and\/or an advanced persistent threat group (APT) carried out the attack. Although some companies have suggested attributing the attack to a known APT, many organizations, including FireEye, are resisting early attribution.<\/p>\n<h3>2.\u00a0 Analysis<\/h3>\n<h3>2.1.\u00a0 SUNBURST Backdoor<\/h3>\n<p>The <em>SolarWinds.Orion.Core.BusinessLayer.dll<\/em> file is a digitally signed part of Orion software that contains the SUNBURST backdoor and is installed either during a routine software update or during the initial SolarWinds Orion installation. Between twelve and fourteen days after the initial compromise, SUNBURST will create a unique pipe that ensures only one instance of itself runs on an infected machine. 
It will then read and modify the <em>SolarWinds.Orion.Core.BusinessLayer.dll.config<\/em> file&#8217;s appSettings field to repurpose it for a persistent configuration. SUNBURST then checks that it is a part of the victim&#8217;s domain, generates a userID and reads an initial value from its configuration.<\/p>\n<p>SUNBURST will iterate over a known blocklist of services and set the associated registry key values to four to disable these services. Once it disables all blocklisted services, SUNBURST will resolve the domain <em>api[.]solarwinds[.]com<\/em> to test for, and confirm, internet connectivity. SUNBURST then uses a domain generation algorithm (DGA) to determine and resolve a random subdomain of a malicious second-level domain (SLD). It is important to note that in some cases, the actor(s) behind SUNBURST specifically tailored their infrastructure to different victims.<sup>2<\/sup><\/p>\n<p>SUNBURST will wait between each DGA resolution; in some cases, it will wait between one and three minutes; in others, 30 to 120 minutes; and on error conditions, it will wait between 420 and 540 minutes. If a DNS response&#8217;s A record is within a known set of classless inter-domain routing (CIDR) blocks, SUNBURST will modify its configuration to prevent future execution before terminating itself.<\/p>\n<p>When SUNBURST retrieves a CNAME record in its response, it will start an HTTP thread that manages command and control (C&amp;C) communications. This thread will wait a configurable amount of time (at least one minute) between requests. It uses the HTTP GET or HEAD methods when requesting data from the C&amp;C, as well as the HTTP POST or PUT methods to send data in the form of a JSON blob to the C&amp;C. 
Responses appear as benign XML data, but the data has commands encoded in both Globally Unique Identifier (GUID) data and other hexadecimal (HEX) data.<\/p>\n<h3>2.2.\u00a0 TEARDROP &amp; BEACON Malware<\/h3>\n<p>FireEye reported that SUNBURST delivered multiple payloads, and on at least one occasion, they observed it delivering TEARDROP &#8211; a unique, memory-only dropper. Actors likely used TEARDROP to deploy Cobalt Strike&#8217;s BEACON malware.<\/p>\n<h3>2.3.\u00a0 Sophisticated Actor Behavior and Additional Malware<\/h3>\n<p>The actor(s) behind this attack exercised highly sophisticated operational security (OPSEC) while carrying out operations against their victims. They:<\/p>\n<ul>\n<li>Ensured hostnames matched the victim&#8217;s environment,<\/li>\n<li>Used IP addresses in the same country as the victim,<\/li>\n<li>Used separate credentials for remote access and lateral movement, and<\/li>\n<li>Temporarily replaced legitimate files with malicious utilities, then restored the original file contents afterwards.<\/li>\n<\/ul>\n<p>These actor(s) also leveraged two additional variants of malware: COSMICGATE and SUPERNOVA. COSMICGATE is a credential stealer written in PowerShell, and SUPERNOVA is a Windows .NET program that acts as a legitimate SolarWinds HTTP handler.<\/p>\n<h3>3.\u00a0 Prevention and Mitigation<\/h3>\n<p>FireEye recommends upgrading to Orion Platform release <strong>2020.2.1 HF 1<\/strong> if possible. 
If an organization is unable to upgrade to this version of Orion, they recommend taking the following actions:<\/p>\n<ul>\n<li>Disconnect SolarWinds servers from the internet and isolate them, or restrict access from SolarWinds servers if this is not possible.<\/li>\n<li>Rotate credentials to accounts that have access to SolarWinds servers and\/or infrastructure.<\/li>\n<li>Review network configurations created by SolarWinds, looking for anomalies.<\/li>\n<\/ul>\n<p>Microsoft\u2019s Security Response Center has also provided important steps customers should take to protect themselves from the recent nation-state activity.<sup>3<\/sup><\/p>\n<p>In addition to this, the US Department of Homeland Security (DHS) recommends taking the following actions <strong><em>once all known malicious accounts and persistence methods have been removed:<sup>4<\/sup><\/em><\/strong><\/p>\n<ul>\n<li>Assume all hosts monitored by SolarWinds Orion software are compromised.<\/li>\n<li>Rebuild hosts monitored by SolarWinds Orion software.<\/li>\n<li>Take actions to remediate Kerberoasting;<sup>5<\/sup> engage with third parties experienced in dealing with APTs as needed.<\/li>\n<\/ul>\n<h3>4.\u00a0 Indicators of Compromise<\/h3>\n<p>Below is a list of known IOCs related to this attack. As stated above, in some cases the actor(s) behind SUNBURST specifically tailored their infrastructure to different victims. 
Organizations may have been affected by this attack even if they do not observe the indicators below within their environment; the list of publicly available IOCs may grow as organizations investigate their environments and share their findings.<\/p>\n<table width=\"672\">\n<tbody>\n<tr>\n<td width=\"452\">\n<p style=\"text-align: center;\"><strong>Indicator<\/strong><\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"220\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"452\">c:\\windows\\syswow64\\netsetupsvc.dll<\/td>\n<td width=\"220\">\n<p style=\"text-align: center;\">Path used by TEARDROP malware<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"452\">\n<p style=\"text-align: center;\">10.0.0.0\/8<\/p>\n<p style=\"text-align: center;\">172.16.0.0\/12<\/p>\n<p style=\"text-align: center;\">192.168.0.0\/16<\/p>\n<p style=\"text-align: center;\">224.0.0.0\/3<\/p>\n<p style=\"text-align: center;\">fc00:: &#8211; fe00::<\/p>\n<p style=\"text-align: center;\">fec0:: &#8211; ffc0::<\/p>\n<p style=\"text-align: center;\">ff00:: &#8211; ff00::<\/p>\n<p style=\"text-align: center;\">20.140.0.0\/15<\/p>\n<p style=\"text-align: center;\">96.31.172.0\/24<\/p>\n<p style=\"text-align: center;\">131.228.12.0\/22<\/p>\n<p style=\"text-align: center;\">144.86.226.0\/24<\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"220\">SUNBURST ceases execution if it receives a DNS A record response in these CIDR blocks<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"452\">https:\/\/github.com\/fireeye\/sunburst_countermeasures<\/td>\n<td width=\"220\">\n<p style=\"text-align: center;\">Additional countermeasures \/ IOCs provided by FireEye<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Endnotes<\/h3>\n<ol>\n<li>&#8220;Highly Evasive Attacker Leverages SolarWinds Supply Chain &#8230;.&#8221; 13 Dec. 2020, <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\">https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html<\/a>. Accessed 14 Dec. 2020.<\/li>\n<li>&#8220;SANS Emergency Webcast: What you need to know about the &#8230;.&#8221; 14 Dec. 2020, <a href=\"https:\/\/www.sans.org\/webcasts\/emergency-webcast-about-solarwinds-supply-chain-attack-118015\">https:\/\/www.sans.org\/webcasts\/emergency-webcast-about-solarwinds-supply-chain-attack-118015<\/a>. Accessed 14 Dec. 2020.<\/li>\n<li>Microsoft Security Response Centre &#8211; <a href=\"https:\/\/msrc-blog.microsoft.com\/2020\/12\/13\/customer-guidance-on-recent-nation-state-cyber-attacks\/\">https:\/\/msrc-blog.microsoft.com\/2020\/12\/13\/customer-guidance-on-recent-nation-state-cyber-attacks\/<\/a><\/li>\n<li>&#8220;cyber.dhs.gov &#8211; Emergency Directive 21-01.&#8221; 13 Dec. 2020, <a href=\"https:\/\/cyber.dhs.gov\/ed\/21-01\/\">https:\/\/cyber.dhs.gov\/ed\/21-01\/<\/a>. Accessed 14 Dec. 2020.<\/li>\n<li>See <a href=\"https:\/\/attack.mitre.org\/techniques\/T1558\/003\/\">https:\/\/attack.mitre.org\/techniques\/T1558\/003\/<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Nathan Toporek TLP:WHITE 1.\u00a0 Executive Summary On 13 December, FireEye publicly disclosed information about a supply chain attack affecting SolarWinds&#8217; Orion IT monitoring and management software.1 This attack infected all versions of Orion software released between March and June 2020 with SUNBURST malware, a sophisticated backdoor that uses HTTP to communicate with attacker infrastructure. 
[&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":3386,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[339,194,32,379,380],"class_list":{"0":"post-5771","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-apt","9":"tag-fireeye","10":"tag-malware","11":"tag-solarwinds","12":"tag-supply-chain-attack","13":"entry"},"acf":[],"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5771","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=5771"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5771\/revisions"}],"predecessor-version":[{"id":5774,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/5771\/revisions\/5774"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/3386"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=5771"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=5771"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=5771"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}