{"id":6245,"date":"2021-04-20T11:17:10","date_gmt":"2021-04-20T18:17:10","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6245"},"modified":"2024-04-26T13:20:45","modified_gmt":"2024-04-26T20:20:45","slug":"solarwinds-third-update","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/solarwinds-third-update\/","title":{"rendered":"SolarWinds Third Update"},"content":{"rendered":"<h3>Author: Shashank Jain<\/h3>\n<h3>TLP: WHITE<\/h3>\n<p>&nbsp;<\/p>\n<h3>1.\u00a0 Executive Summary<\/h3>\n<p>On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.<sup>1<\/sup> This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures (TTPs), as well as the mitigations and indicators of compromise (IOCs) that were most current at the time.<\/p>\n<p>On 15 April, the Biden administration released a statement<sup>2<\/sup> formally attributing the SolarWinds supply chain compromise to Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and the Dukes). The statement reported that the compromise of the SolarWinds software supply chain gave threat actors the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide, including U.S. government agencies, business customers, consulting firms, and more.<\/p>\n<p>Infoblox published several Cyber Threat Advisories<sup>3<\/sup> about this campaign, as well as additional information about its wide-ranging effects after conducting several internal investigations. 
We also summarized some of the latest information from OSINT, conveyed what we were able to validate at the time, and provided additional IOCs.<\/p>\n<p>In this update, we have included new information provided by the latest alert<sup>4<\/sup> from the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DoD) Cyber National Mission Force (CNMF) on additional SolarWinds-related malware variants &#8211; referred to as SUNSHUTTLE and SOLARFLARE.<\/p>\n<p>This update also extends to cover recent Russian SVR activities, including compromising SolarWinds Orion software updates,<sup>5<\/sup> targeting COVID-19 research facilities by deploying WellMess malware, and leveraging a VMware vulnerability that was a zero-day at the time for follow-on Security Assertion Markup Language (SAML) authentication abuse.<\/p>\n<h3>2.\u00a0 Analysis<\/h3>\n<h4>2.1.\u00a0 \u00a0New SolarWinds-Related Malware Variants<\/h4>\n<p>CISA and the DoD have reported additional malware variants related to SolarWinds: SUNSHUTTLE and SOLARFLARE. The identified malicious samples and associated artifacts can be attributed to the Russian SVR based on the methods and patterns used throughout its hacking operation.<\/p>\n<p>The analysis covered a total of 18 files:<\/p>\n<ul>\n<li>Seven of them were identified as executables that, upon execution, attempt to connect to hard-coded command and control (C&amp;C) servers using Hypertext Transfer Protocol Secure (HTTPS) on port 443 and await a response.<\/li>\n<li>One is a text file that appears to be a configuration file for a SUNSHUTTLE sample.<\/li>\n<li>Six of the files are Visual Basic Script (VBScript) files designed to add Windows registry keys that store and execute an obfuscated VBScript, which in turn downloads and executes a malicious payload from its C&amp;C server. 
The VBScripts were identified as MISPRINT\/SIBOT.<\/li>\n<li>One of the analyzed files was identified as a server-side China Chopper web shell component observed on a network with an active SUNSHUTTLE infection. The web shell can provide a threat actor with an alternative method of accessing a network, even after the SUNSHUTTLE infection has been remediated.<\/li>\n<li>Three executables identified by FireEye as SOLARFLARE malware are written in Golang (Go) and packed using the Ultimate Packer for Executables (UPX). One was unpacked and included in this report.<\/li>\n<\/ul>\n<p>Relatedly, FireEye also identified four executables as SUNSHUTTLE,<sup>6<\/sup> a second-stage backdoor written in Go that features some detection evasion capabilities. Two of these were unpacked and included in this report.<\/p>\n<p>The use of the same language (i.e., Go) in all seven malicious binaries, as well as similar packing techniques, indicates that the same threat actor created all of the reported malicious binaries.<\/p>\n<h4><strong>2.2.<\/strong> \u00a0 <strong>Russian SVR Targets U.S. and Allied Networks<\/strong><\/h4>\n<p>The SVR has exploited &#8211; and continues to successfully exploit &#8211; the following software vulnerabilities to gain initial footholds in victim devices and networks. 
Exploiting these vulnerabilities allowed threat actors to execute unauthorized code.<\/p>\n<ul>\n<li>CVE-2018-13379 Fortinet: A path traversal vulnerability that allowed an authenticated attacker to download system files via specially crafted HTTP resource requests.<\/li>\n<li>CVE-2019-9670 Zimbra: An XML External Entity injection (XXE) vulnerability in the mailboxd component that allowed unauthenticated code execution.<\/li>\n<li>CVE-2019-11510 Pulse Secure: A critical arbitrary file disclosure vulnerability in Pulse Connect Secure that allowed an authenticated user to obtain usernames and plaintext passwords from vulnerable endpoints.<\/li>\n<li>CVE-2019-19781 Citrix: A critical directory traversal vulnerability in Citrix Application Delivery Controller that allowed an unauthenticated attacker to perform arbitrary code execution.<\/li>\n<li>CVE-2020-4006 VMware: A command injection vulnerability in VMware products that allowed unauthenticated code execution.<\/li>\n<\/ul>\n<h3>3.\u00a0 Prevention and Mitigation<\/h3>\n<p>The National Security Agency (NSA), CISA, and the Federal Bureau of Investigation (FBI) jointly issued a cybersecurity advisory, <em>Russian SVR Targets U.S. and Allied Networks<\/em>,<sup>7<\/sup> that provides specific details on the software vulnerabilities the SVR uses to gain access to victim devices and networks. The advisory also provides specific steps that network defenders can take to identify and defend against the SVR\u2019s malicious cyber activity. CISA has also published details of the new malicious binaries, including YARA rules for most of them, to help defenders detect and block them.<\/p>\n<h4>3.1.\u00a0 Indicators of Compromise<\/h4>\n<p>Below is a supplementary list of IOCs related to this attack, according to OSINT. CISA published an extended list of IOCs in their 15 April report<sup>8<\/sup> on the campaign. 
This table only includes the latter.<\/p>\n<table width=\"671\">\n<tbody>\n<tr>\n<td width=\"540\">\n<p style=\"text-align: center;\"><strong>Indicators<\/strong><\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"131\">\n<p style=\"text-align: center;\"><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"540\">\n<p style=\"text-align: center;\">eyetechltd[.]com<\/p>\n<p style=\"text-align: center;\">megatoolkit[.]com<\/p>\n<p style=\"text-align: center;\">nikeoutletinc[.]org<\/p>\n<p style=\"text-align: center;\">reyweb[.]com<\/p>\n<p style=\"text-align: center;\">sense4baby[.]fr<\/p>\n<\/td>\n<td width=\"131\">\n<p style=\"text-align: center;\">Additional domains related to the SolarWinds attack<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"540\">185[.]225[.]69[.]69<\/td>\n<td width=\"131\">\n<p style=\"text-align: center;\">Additional IPs related to the SolarWinds attack<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Endnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory-solarwinds-supply-chain-attack\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory-solarwinds-supply-chain-attack\/<\/a><\/li>\n<li><a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/04\/15\/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government\/\">https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/04\/15\/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government\/<\/a><\/li>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/solarwinds-and-sunburst-update\/\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/solarwinds-and-sunburst-update\/<\/a><\/li>\n<li><a 
href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/04\/15\/cisa-and-cnmf-analysis-solarwinds-related-malware\">https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/04\/15\/cisa-and-cnmf-analysis-solarwinds-related-malware<\/a><\/li>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/04\/15\/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied\">https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/04\/15\/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied<\/a><\/li>\n<li><a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2021\/03\/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html\">https:\/\/www.fireeye.com\/blog\/threat-research\/2021\/03\/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html<\/a><\/li>\n<li><a href=\"https:\/\/media.defense.gov\/2021\/Apr\/15\/2002621240\/-1\/-1\/0\/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF\/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF\">https:\/\/media.defense.gov\/2021\/Apr\/15\/2002621240\/-1\/-1\/0\/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF\/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF<\/a><\/li>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar21-105a\">https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar21-105a<\/a><\/li>\n<\/ol>\n<h1><\/h1>\n","protected":false},"excerpt":{"rendered":"<p>Author: Shashank Jain TLP: WHITE &nbsp; 1.\u00a0 Executive Summary On 15 December, Infoblox released a Cyber Threat Advisory on the supply chain attack affecting SolarWinds\u2019 Orion IT monitoring and management software.1 This advisory detailed FireEye\u2019s report on the campaign, including analysis on the SUNBURST backdoor, initial information on the threat actor\u2019s tactics, techniques and procedures 
[&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6734,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[554],"tags":[480,481,482,32,379,401,380],"class_list":{"0":"post-6245","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-apt29","9":"tag-cozy-bear","10":"tag-dukes","11":"tag-malware","12":"tag-solarwinds","13":"tag-sunburst","14":"tag-supply-chain-attack","15":"entry"},"acf":[]}