[ SB 20.32 ] SolarWinds Supply-Chain-Attack impact on multiple Customers (FireEye, US Treasury)

RMKS: information prsented in this advisory is mostly a collage from short twitter-messages; due to the urgency and information already available we skip the manual process of writing and summarizing the messages. all original tweets are linked back.

Timeline

On Dec 14, 2020, news broke that recent hacks of Fireeye and other are linked to a supply-chain-attack on SolarWind

[tl1

link

](https://twitter.com/campuscodi/status/1338346046896939008)

[tl2

link

](https://twitter.com/campuscodi/status/1338346046896939008)

[tl3

CISA-Advisory

](https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network)

Versions affected

[tl2

link

](https://twitter.com/SwitHak/status/1338269888796905474)

Impact

[dfir1

Impact

](https://twitter.com/mubix/status/1338502543635329028)

[dfir1

Thread on Impact

](https://twitter.com/KimZetter/status/1338389130951061504)

[dfir1

Thread on Impact

](https://twitter.com/iblametom/status/1338430669534490631)

DFIR

from the advisory solarwinds.com/securityadvisory:

Additionally, we recommend customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll. If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security protocols to protect your environment.

[dfir1

link

](https://twitter.com/mubix/status/1338775856408367104)

Mubix released a PW-Dumper for SolarWinds: SolarFlare Release: Password Dumper for SolarWinds Orion


[dfir1

link

](https://twitter.com/ffforward/status/1338785034375999491)

Article by NetReSec on [Finding Targeted SUNBURST Victims with pDNS]https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS


IOCs

Domains from FireEye/Volexity
databasegalore[.]com
deftsecurity[.]com
digitalcollege[.]org
freescanonline[.]com
highdatabase[.]com
incomeupdate[.]com
lcomputers[.]com
panhardware[.]com
thedoccloud[.]com

CobaltStrike Beacon domains (Symantec)
ervsystem[.]com
infinitysoftwares[.]com

Subdomains

https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html

updates still compromised

as of Dec 14, Updates are still compromised

[comprimised

link

](https://twitter.com/craiu/status/1338400603769348096)

[comprimised

link

](https://twitter.com/Andrew___Morris/status/1338614208905302021)

AttackWay

possibly

[attackway

link

](https://twitter.com/vinodsparrow/status/1338431183588188160)





Fragen? Kontakt: info@zero.bs

taggy