<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SolarWinds Orion Platform - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/solarwinds-orion-platform/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/solarwinds-orion-platform/feed.xml" rel="self" type="application/rss+xml"/><item><title>SUNBURST Command and Control Activity Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-sunburst-c2/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-sunburst-c2/</guid><description>This rule detects post-exploitation command and control activity related to the SUNBURST backdoor, which targets SolarWind's Orion software, mimicking the Orion Improvement Program (OIP) protocol for covert communication.</description><content:encoded><![CDATA[<p>The SUNBURST malware, attributed to UNC2452, is a sophisticated supply chain attack targeting SolarWinds Orion business software. The trojanized SolarWinds.Orion.Core.BusinessLayer.dll plugin contains a backdoor that establishes command and control (C2) communication via HTTP to third-party servers. After a dormant period of up to two weeks, SUNBURST retrieves and executes commands, enabling file transfer, file execution, system profiling, system reboot, and service disabling. The malware disguises its network traffic to resemble legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol. SUNBURST also uses obfuscated blocklists to evade forensic and anti-virus tools. This activity was observed starting in early 2020 and impacted numerous organizations globally.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> The attacker compromises the SolarWinds Orion software build process, injecting the SUNBURST backdoor into the SolarWinds.Orion.Core.BusinessLayer.dll plugin.</li>
<li><strong>Deployment:</strong> The compromised SolarWinds Orion software is deployed to target organizations as a routine software update.</li>
<li><strong>Dormant Period:</strong> The SUNBURST backdoor remains dormant for up to two weeks after initial deployment to evade immediate detection.</li>
<li><strong>Beaconing:</strong> After the dormant period, SUNBURST begins beaconing to command and control (C2) servers, mimicking OIP protocol behavior over HTTP.</li>
<li><strong>Command Execution:</strong> The C2 server delivers commands to the SUNBURST backdoor, instructing it to perform actions such as file transfer, execution, and system profiling.</li>
<li><strong>Data Exfiltration:</strong> SUNBURST exfiltrates sensitive data from the compromised system to the C2 server.</li>
<li><strong>Lateral Movement:</strong> Attackers leverage the compromised SolarWinds Orion server to move laterally within the victim's network.</li>
<li><strong>Persistence:</strong> The backdoor stores persistent state data within legitimate plugin configuration files for continued access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The SUNBURST attack compromised numerous organizations across various sectors, including government, technology, and telecommunications. Successful attacks resulted in the exfiltration of sensitive data, potential intellectual property theft, and disruption of critical services. The compromise affected over 18,000 SolarWinds customers who installed the trojanized Orion software updates. The financial impact of the SUNBURST attack is estimated to be in the tens of millions of dollars due to incident response, remediation, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect SUNBURST C2 Activity via HTTP Body&quot; to your SIEM to identify suspicious network connections mimicking the OIP protocol (references: rule).</li>
<li>Deploy the Sigma rule &quot;Detect SUNBURST related processes&quot; to identify SolarWinds processes involved in suspicious network activity (references: rule).</li>
<li>Review and harden SolarWinds Orion installations, ensuring they are updated to the latest versions to prevent reinfection (references: references).</li>
<li>Monitor network traffic for connections to non-standard SolarWinds domains and IPs, investigating any anomalies (references: references).</li>
<li>Examine process execution chains for SolarWinds processes to identify any unknown or unexpected parent processes (references: references).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>solarwinds</category><category>sunburst</category><category>supply-chain</category><category>command-and-control</category></item></channel></rss>