close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Netskope Threat Coverage: SUNBURST & FireEye Red Team (Offensive Security) Tools

                                      Dec 15 2020

                                      Summary

                                      On Dec 8, 2020, the cybersecurity company FireEye reported that there had been a cyber attack on their systems. As part of this attack, their inventory of Red Team tools was stolen. These tools could potentially be used by a threat actor against unsuspecting victims. On Dec 13, 2020, after further investigation of this attack, FireEye reported that the initial vector came through SolarWinds, an upstream vendor, as a malicious trojanized update of SolarWinds’ Orion IT platform. 

                                      FireEye has identified and published the indicators of compromise (IOCs) for both their red team tools and the trojanized update. NSIQ, Netskope’s threat intelligence platform, includes the IOCs published by FireEye, protecting our customers from SUNBURST and the FireEye Red Team tools.

                                      Protection

                                      SolarWinds.Orion.Core.BusinessLayer.dll is the digitally signed component of the Orion framework that contains the backdoor. This plugin was delivered in multiple updates on the SolarWinds website, including:

                                      • hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

                                      FireEye has labeled this trojanized version of the plug-in SUNBURST. According to the FireEye report, the threat group responsible for this, SolarStorm (UNC 2452), has successfully used this attack on many companies worldwide. SolarWinds reported that of its 300,000 customers, no more than 18,000 have downloaded the malicious update.

                                      FireEye has shared the countermeasures including Snort, Yara, and ClamAV rules. We are implementing the following updates to incorporate the FireEye countermeasures:

                                      1. Increasing coverage in our CTEP (IPS) engine for Snort rules
                                      2. Pushing updated intel based on the published rules for expanded coverage in our threat protection platform

                                      Netskope has ensured coverage for all known threat indicators and payloads shown below and future countermeasures will be implemented as ongoing emergency updates as they become available and will be pushed to production independent of release cycles. Netskope Threat Labs will provide updates as they become available.

                                      SUNBURST IOCs

                                      Domains

                                      As reported by FireEye here 

                                      • freescanonline[.]com
                                      • deftsecurity[.]com
                                      • thedoccloud[.]com
                                      • avsvmcloud[.]com
                                      • zupertech[.]com
                                      • panhardware[.]com
                                      • databasegalore[.]com
                                      • incomeupdate[.]com
                                      • highdatabase[.]com
                                      • websitetheme[.]com
                                      • virtualdataserver[.]com
                                      • digitalcollege[.]org
                                      • globalnetworkissues[.]com
                                      • seobundlekit[.]com
                                      • virtualwebdata[.]com

                                      Hashes (MD5)

                                      SUNBURST samples from here 

                                      • 2c4a910a1299cdae2a4e55988a2f102e (SolarWinds.Orion.Core.BusinessLayer.dll)
                                      • 846e27a652a5e1bfbd0ddd38a16dc865 (SolarWinds.Orion.Core.BusinessLayer.dll)
                                      • b91ce2fa41029f6955bff20079468448    (SolarWinds.Orion.Core.BusinessLayer.dll)
                                      • 56ceb6d0011d87b6e4d7023d7ef85676 (app_web_logoimagehandler.ashx.b6031896.dll)
                                      • 4f2eb62fa529c0283b28d05ddd311fae   (OrionImprovementBusinessLayer.2.cs)
                                      • 02af7cec58b9a5da1c542b5a32151ba1(CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp)

                                      FireEye Red Team tool IOCs

                                      The Red Team tools IOCs can be found in the FireEye GitHub Repository.

                                      author image
                                      Dagmawi Mulugeta
                                      Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.
                                      Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog