The Art of Defense

[ SB 20.32 ] SolarWinds Supply-Chain-Attack impact on multiple Customers (FireEye, US Treasury)

RMKS: information prsented in this advisory is mostly a collage from short twitter-messages; due to the urgency and information already available we skip the manual process of writing and summarizing the messages. all original tweets are linked back.

Timeline

On Dec 14, 2020, news broke that recent hacks of Fireeye and other are linked to a supply-chain-attack on SolarWind

tl1

link

tl2

link

tl3

CISA-Advisory

Versions affected

tl2

link

Impact

dfir1

Impact

dfir1

Thread on Impact

dfir1

Thread on Impact

DFIR

from the advisory solarwinds.com/securityadvisory:

Additionally, we recommend customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

dfir1

link

Mubix released a PW-Dumper for SolarWinds: SolarFlare Release: Password Dumper for SolarWinds Orion

dfir1

link

IOCs

Domains from FireEye/Volexity
databasegalore[.]com
deftsecurity[.]com
digitalcollege[.]org
freescanonline[.]com
highdatabase[.]com
incomeupdate[.]com
lcomputers[.]com
panhardware[.]com
thedoccloud[.]com

CobaltStrike Beacon domains (Symantec)
ervsystem[.]com
infinitysoftwares[.]com

Subdomains

https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html

updates still compromised

as of Dec 14, Updates are still compromised

comprimised

link

comprimised

link

AttackWay

possibly

attackway

link




Fragen? Kontakt: info@zero.bs
Filed: Mon 14 December 2020 | Security Bulletin | Tags: sb attack hacker

taggy


Main-Links

Blog

OSS & Projects



(c) copyright 2020 zeroBS GmbH, all rights reserved
info@zero.bs