News > Secutec News

McAfee – Threat Intelligence Update | SUNBURST Malware and SolarWinds Software Supply Chain Compromise

Situation

In a blog post last evening, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SoalrWinds.Orion.Core.BusinessLayer.dll delivered as part of a digitally-signed Windows Installer Patch. The trojanized file delivers the SUNBURST backdoor. Use of a Compromised Software Supply Chain (T1195.002) as an Initial Access technique is particularly critical as it can go undetected for a long period. FireEye released countermeasures that can identify the SUNBURST malware. If you are using SolarWinds software, please refer to the company guidance here to check for vulnerable versions and patch information. McAfee has evaluated the countermeasures and will continue to analyze further attack indicators as discovered. McAfee mitigation guidance is below.

 

McAfee Defensive Guidance

PROTECTION SUMMARY

For the latest information see KB93861 and subscribe to receive updates. Below is protection summary to date.

  • GTI Cloud has coverage for known file indicators and C2 domains
  • Today’s DAT release has coverage for known indicators
  • McAfee Web Gateway will block known C2 domains
  • McAfee is continuing to review other detection approaches

 

THREAT INTELLIGENCE

MVISION Insights is tracking the campaign as SolarWinds Supply Chain Attack Affecting Multiple Global Victims with SUNBURST Backdoor

Attack Summary

Campaign Indicators

Mitre Tactics and Techniques

 

HUNTING FOR INDICATORS

You can use MVISION EDR or MAR to search endpoints for SUNBURST indicators as provided by Microsoft and FireEye. See the search syntax below. If you are licensed for MVISION Insights this query will take place automatically.

Begin MVEDR Query Syntax…

Files name, full_name, md5, sha256, created_at, create_user_name, create_user_domain and HostInfo hostname, ip_address, os and LoggedInUsers username, userdomain where Files sha256 equals “ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c” or Files sha256 equals “c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77” or Files sha256 equals “eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed” or Files sha256 equals “dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b” or Files sha256 equals “32519685c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77” or Files sha256 equals “d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600” or Files sha256 equals “53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7” or Files sha256 equals “019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134” or Files sha256 equals “ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6” or Files sha256 equals “32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77” or Files sha256 equals “292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712” or Files sha256 equals “c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71”

…End MVEDR Query Syntax

 

You should also search McAfee Web Gateway logs (or other network and SIEM logs) for communication to command and control domains or IP addresses, particularly those categorized as “Malicious Sites” below.

 

What’s Next

It’s important to note that ongoing analysis will be critical to understand how the attackers will adapt and what additional mitigation is required. This will be a continuous process and we expect to add multiple updates to KB93861. Additionally, customers should follow McAfee Labs posts, check the Insights Preview Dashboard for latest threat intelligence, and continually check the Knowledge Center for latest product guidance.

 

External Resources

FireEye Blog

 

Additional McAfee Threat Intel Resources

Insights Trending Campaigns

Every week Insights Preview highlights the top emerging threats and campaigns based on ATR Operational Intelligence collection and analysis.

Atlas Dashboard

Follow the latest COVID Threat statistics on the public Atlas Dashboard.  For more information about how a customer can utilize Atlas and Intelligence as a Service from APG, speak to your McAfee Account Manager for a Threat Intel Briefing and Workshop.

Threat Research

McAfee Labs and Advanced Threat Research teams produce regular research reports with the latest threat intelligence statistics and trends. Please share the reports with customers.

McAfee Threat Intelligence Blogs

Review and Share our external blogs that feature deeper malware analysis and explanations on emerging threats and attack campaigns.

TechUpdate

Get all the new tech-updates in your mailbox.

  • This field is for validation purposes and should be left unchanged.