RMKS: information presented in this advisory is mostly a collage from short
Twitter messages; due to the urgency and the information already available,
we skip the manual process of writing and summarizing the messages.
All original tweets are linked back.
Timeline
On Dec 14, 2020, news broke that the recent hacks of FireEye and others are linked to a supply-chain attack on SolarWinds
Versions affected
Impact
DFIR
from the advisory solarwinds.com/securityadvisory:
Additionally, we recommend customers scan their environment for the affected file: SolarWinds.Orion.Core.BusinessLayer.dll.
If you locate this .dll, you should immediately upgrade to remove the affected file, and follow security
protocols to protect your environment.
Mubix released a PW-Dumper for SolarWinds: SolarFlare Release: Password Dumper for SolarWinds Orion
IOCs
Domains from FireEye/Volexity
databasegalore[.]com
deftsecurity[.]com
digitalcollege[.]org
freescanonline[.]com
highdatabase[.]com
incomeupdate[.]com
lcomputers[.]com
panhardware[.]com
thedoccloud[.]com
CobaltStrike Beacon domains (Symantec)
ervsystem[.]com
infinitysoftwares[.]com
Subdomains
https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html
updates still compromised
As of Dec 14, updates are still compromised
AttackWay
possibly
Questions? Contact: info@zero.bs