{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/solarwinds-orion-platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["APT29","Cozy Bear","NOBELIUM","UNC2452","Midnight Blizzard","The Dukes"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SolarWinds Orion Platform"],"_cs_severities":["high"],"_cs_tags":["solarwinds","sunburst","supply-chain","command-and-control"],"_cs_type":"threat","_cs_vendors":["SolarWinds"],"content_html":"\u003cp\u003eThe SUNBURST malware, attributed to UNC2452, is a sophisticated supply chain attack targeting SolarWinds Orion business software. The trojanized SolarWinds.Orion.Core.BusinessLayer.dll plugin contains a backdoor that establishes command and control (C2) communication via HTTP to third-party servers. After a dormant period of up to two weeks, SUNBURST retrieves and executes commands, enabling file transfer, file execution, system profiling, system reboot, and service disabling. The malware disguises its network traffic to resemble legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol. SUNBURST also uses obfuscated blocklists to evade forensic and anti-virus tools. This activity was observed starting in early 2020 and impacted numerous organizations globally.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker compromises the SolarWinds Orion software build process, injecting the SUNBURST backdoor into the SolarWinds.Orion.Core.BusinessLayer.dll plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeployment:\u003c/strong\u003e The compromised SolarWinds Orion software is deployed to target organizations as a routine software update.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDormant Period:\u003c/strong\u003e The SUNBURST backdoor remains dormant for up to two weeks after initial deployment to evade immediate detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBeaconing:\u003c/strong\u003e After the dormant period, SUNBURST begins beaconing to command and control (C2) servers, mimicking OIP protocol behavior over HTTP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The C2 server delivers commands to the SUNBURST backdoor, instructing it to perform actions such as file transfer, execution, and system profiling.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e SUNBURST exfiltrates sensitive data from the compromised system to the C2 server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Attackers leverage the compromised SolarWinds Orion server to move laterally within the victim's network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The backdoor stores persistent state data within legitimate plugin configuration files for continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe SUNBURST attack compromised numerous organizations across various sectors, including government, technology, and telecommunications. Successful attacks resulted in the exfiltration of sensitive data, potential intellectual property theft, and disruption of critical services. The compromise affected over 18,000 SolarWinds customers who installed the trojanized Orion software updates. The financial impact of the SUNBURST attack is estimated to be in the tens of millions of dollars due to incident response, remediation, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect SUNBURST C2 Activity via HTTP Body\u0026quot; to your SIEM to identify suspicious network connections mimicking the OIP protocol (references: rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect SUNBURST related processes\u0026quot; to identify SolarWinds processes involved in suspicious network activity (references: rule).\u003c/li\u003e\n\u003cli\u003eReview and harden SolarWinds Orion installations, ensuring they are updated to the latest versions to prevent reinfection (references: references).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to non-standard SolarWinds domains and IPs, investigating any anomalies (references: references).\u003c/li\u003e\n\u003cli\u003eExamine process execution chains for SolarWinds processes to identify any unknown or unexpected parent processes (references: references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-sunburst-c2/","summary":"This rule detects post-exploitation command and control activity related to the SUNBURST backdoor, which targets SolarWind's Orion software, mimicking the Orion Improvement Program (OIP) protocol for covert communication.","title":"SUNBURST Command and Control Activity Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-sunburst-c2/"}],"language":"en","title":"CraftedSignal Threat Feed - SolarWinds Orion Platform","version":"https://jsonfeed.org/version/1.1"}