[ SB 20.32 ] SolarWinds supply-chain attack: impact on multiple customers (FireEye, US Treasury)

RMKS: the information presented in this advisory is mostly a collage of short Twitter messages; given the urgency and the information already available, we skip the manual process of writing up and summarizing the messages. All original tweets are linked back.

Timeline

On Dec 14, 2020, news broke that the recent breaches of FireEye and others are linked to a supply-chain attack on SolarWinds.

[embedded tweet screenshots: timeline; not reproduced in this text version]

Versions affected

[embedded tweet screenshot: affected versions; not reproduced in this text version]

Impact

[embedded tweet screenshots: impact; not reproduced in this text version]

DFIR

From the SolarWinds advisory (solarwinds.com/securityadvisory):

Additionally, we recommend customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

[embedded tweet screenshot: DFIR notes; not reproduced in this text version]

Mubix released a password dumper for SolarWinds Orion: SolarFlare Release: Password Dumper for SolarWinds Orion

[embedded tweet screenshot: DFIR notes; not reproduced in this text version]


IOCs

Domains from FireEye/Volexity
databasegalore[.]com
deftsecurity[.]com
digitalcollege[.]org
freescanonline[.]com
highdatabase[.]com
incomeupdate[.]com
lcomputers[.]com
panhardware[.]com
thedoccloud[.]com

Cobalt Strike Beacon domains (Symantec)
ervsystem[.]com
infinitysoftwares[.]com
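The two defender-side checks this advisory names are scanning hosts for SolarWinds.Orion.Core.BusinessLayer.dll (DFIR section) and looking for DNS traffic to the domains listed above. The following Python script is an added example written for this page; it is not code from zero.bs, SolarWinds, FireEye or Symantec. It refangs the listed domains, matches a constructed BIND-style query log against them (including subdomains, which is why the Prevasio subdomain list matters), and walks a directory tree for the affected DLL, reporting its SHA-256 so it can be compared with the vendor-published hashes of the trojanised builds, which are not on this page. The log lines and directory layout are constructed for the example.

```python
"""Hunt helpers for the two checks the advisory names: the affected Orion DLL
on disk, and DNS queries to the listed IOC domains (added example, not zero.bs code)."""
import hashlib
import os
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Affected file named in the SolarWinds advisory quoted in the DFIR section.
AFFECTED_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Defanged domains exactly as listed in the IOC section (FireEye/Volexity + Symantec).
DEFANGED_IOCS = [
    "databasegalore[.]com", "deftsecurity[.]com", "digitalcollege[.]org",
    "freescanonline[.]com", "highdatabase[.]com", "incomeupdate[.]com",
    "lcomputers[.]com", "panhardware[.]com", "thedoccloud[.]com",
    "ervsystem[.]com", "infinitysoftwares[.]com",
]


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' notation back into a plain lowercase name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def find_affected_dll(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, sha256) for every copy of the affected DLL.

    The filename is also present in clean Orion installs, so a hit means
    'check the build/version and compare the hash', not 'confirmed compromise'.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == AFFECTED_DLL.lower():
                path = Path(dirpath) / name
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                hits.append((str(path), digest))
    return hits


def match_ioc(queried_name: str) -> Optional[str]:
    """Return the IOC domain that `queried_name` equals or is a subdomain of, else None."""
    name = queried_name.strip().lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        # The leading dot prevents 'notdeftsecurity.com' matching 'deftsecurity.com'.
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


# Matches the 'query: <name> IN <type>' part of a BIND-style query log line.
QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\s+\S+")


def scan_dns_log(lines) -> List[Tuple[int, str, str]]:
    """Return (line_no, queried_name, matched_ioc) for each query that hits the IOC list."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = match_ioc(m.group(1))
        if ioc:
            hits.append((line_no, m.group(1), ioc))
    return hits


# Constructed sample lines in BIND query-log style; not real traffic.
SAMPLE_DNS_LOG = [
    "14-Dec-2020 09:12:01.101 client 10.0.0.5#53211: query: deftsecurity.com IN A + (10.0.0.2)",
    "14-Dec-2020 09:12:02.220 client 10.0.0.5#53212: query: www.example.com IN A + (10.0.0.2)",
    "14-Dec-2020 09:12:03.334 client 10.0.0.7#41002: query: api.freescanonline.com IN A + (10.0.0.2)",
    "14-Dec-2020 09:12:04.410 client 10.0.0.7#41003: query: notdeftsecurity.com IN A + (10.0.0.2)",
    "14-Dec-2020 09:12:05.512 client 10.0.0.9#50110: query: ervsystem.com IN A + (10.0.0.2)",
]


if __name__ == "__main__":
    for line_no, name, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {line_no}: {name} -> IOC {ioc}")
    for path, digest in find_affected_dll("."):
        print(f"{path} sha256={digest}")
```

Run it with the root of an Orion installation as the scan directory and a real resolver log in place of SAMPLE_DNS_LOG; the suffix match is deliberately strict so that look-alike registrations of unrelated domains do not produce false positives, while genuine subdomains of the listed C2 domains still do.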

Subdomains

https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html

Updates still compromised

As of Dec 14, the updates are still compromised.

[embedded tweet screenshots: compromised updates; not reproduced in this text version]

Attack path

Possible attack path:

[embedded image: attack path; not reproduced in this text version]





Questions? Contact: info@zero.bs