Netskope named a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge. Get the Report.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

  • Products

    Netskope products are built on the Netskope Security Cloud.

Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform

Netskope Named a Leader in the 2022 Gartner Magic Quadrant™ for SSE Report

Get the report

Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn more

Prevent threats that often evade other security solutions using a single-pass SSE framework.

Learn more

Zero trust solutions for SSE and SASE deployments

Learn more

Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn more
  • Customer Success

    Secure your digital transformation journey and make the most of your cloud, web, and private applications.

  • Customer Support

    Proactive support and engagement to optimize your Netskope environment and accelerate your success.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

Trust Netskope to help you address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.

Learn more

We have qualified engineers worldwide, with diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ready to give you timely, high-quality technical assistance.

Learn more

Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn more
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Bonus Episode: The Importance of Security Service Edge (SSE)

Play the podcast

Read the latest on how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog

Netskope at RSA 2022

Meet and speak with Netskope security specialists at RSA.

Learn more

What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn more
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more

Netskope is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

Learn more

Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team

Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn more
Blog Threat Labs Netskope Threat Coverage: SUNBURST & FireEye Red Team (Offensive Security) Tools
Dec 15 2020

Netskope Threat Coverage: SUNBURST & FireEye Red Team (Offensive Security) Tools

Summary

On Dec 8, 2020, the cybersecurity company FireEye reported that there had been a cyber attack on their systems. As part of this attack, their inventory of Red Team tools was stolen. These tools could potentially be used by a threat actor against unsuspecting victims. On Dec 13, 2020, after further investigation of this attack, FireEye reported that the initial vector came through SolarWinds, an upstream vendor, as a malicious trojanized update of SolarWinds’ Orion IT platform. 

FireEye has identified and published the indicators of compromise (IOCs) for both their red team tools and the trojanized update. NSIQ, Netskope’s threat intelligence platform, includes the IOCs published by FireEye, protecting our customers from SUNBURST and the FireEye Red Team tools.

Protection

SolarWinds.Orion.Core.BusinessLayer.dll is the digitally signed component of the Orion framework that contains the backdoor. This plugin was delivered in multiple updates on the SolarWinds website, including:

  • hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

FireEye has labeled this trojanized version of the plug-in SUNBURST. According to the FireEye report, the threat group responsible for this, SolarStorm (UNC 2452), has successfully used this attack on many companies worldwide. SolarWinds reported that of its 300,000 customers, no more than 18,000 have downloaded the malicious update.

FireEye has shared the countermeasures including Snort, Yara, and ClamAV rules. We are implementing the following updates to incorporate the FireEye countermeasures:

  1. Increasing coverage in our CTEP (IPS) engine for Snort rules
  2. Pushing updated intel based on the published rules for expanded coverage in our threat protection platform

Netskope has ensured coverage for all known threat indicators and payloads shown below and future countermeasures will be implemented as ongoing emergency updates as they become available and will be pushed to production independent of release cycles. Netskope Threat Labs will provide updates as they become available.

SUNBURST IOCs

Domains

As reported by FireEye here 

  • freescanonline[.]com
  • deftsecurity[.]com
  • thedoccloud[.]com
  • avsvmcloud[.]com
  • zupertech[.]com
  • panhardware[.]com
  • databasegalore[.]com
  • incomeupdate[.]com
  • highdatabase[.]com
  • websitetheme[.]com
  • virtualdataserver[.]com
  • digitalcollege[.]org
  • globalnetworkissues[.]com
  • seobundlekit[.]com
  • virtualwebdata[.]com

Hashes (MD5)

SUNBURST samples from here 

  • 2c4a910a1299cdae2a4e55988a2f102e (SolarWinds.Orion.Core.BusinessLayer.dll)
  • 846e27a652a5e1bfbd0ddd38a16dc865 (SolarWinds.Orion.Core.BusinessLayer.dll)
  • b91ce2fa41029f6955bff20079468448    (SolarWinds.Orion.Core.BusinessLayer.dll)
  • 56ceb6d0011d87b6e4d7023d7ef85676 (app_web_logoimagehandler.ashx.b6031896.dll)
  • 4f2eb62fa529c0283b28d05ddd311fae   (OrionImprovementBusinessLayer.2.cs)
  • 02af7cec58b9a5da1c542b5a32151ba1(CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp)

FireEye Red Team tool IOCs

The Red Team tools IOCs can be found in the FireEye GitHub Repository.

author image
About the author
Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis. He currently focuses on the abuse of cloud apps and analysis of threat actors in the cloud.
Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis. He currently focuses on the abuse of cloud apps and analysis of threat actors in the cloud.