Netskope Threat Coverage: SUNBURST & FireEye Red Team (Offensive Security) Tools

Summary

On Dec 8, 2020, the cybersecurity company FireEye reported that there had been a cyber attack on their systems. As part of this attack, their inventory of Red Team tools was stolen. These tools could potentially be used by a threat actor against unsuspecting victims. On Dec 13, 2020, after further investigation of this attack, FireEye reported that the initial vector came through SolarWinds, an upstream vendor, as a malicious trojanized update of SolarWinds’ Orion IT platform. 

FireEye has identified and published the indicators of compromise (IOCs) for both their red team tools and the trojanized update. NSIQ, Netskope’s threat intelligence platform, includes the IOCs published by FireEye, protecting our customers from SUNBURST and the FireEye Red Team tools.

Protection

SolarWinds.Orion.Core.BusinessLayer.dll is the digitally signed component of the Orion framework that contains the backdoor. This plugin was delivered in multiple updates on the SolarWinds website, including:

• hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

FireEye has labeled this trojanized version of the plug-in SUNBURST. According to the FireEye report, the threat group responsible for this, SolarStorm (UNC 2452), has successfully used this attack on many companies worldwide. SolarWinds reported that of its 300,000 customers, no more than 18,000 have downloaded the malicious update.

FireEye has shared the countermeasures including Snort, Yara, and ClamAV rules. We are implementing the following updates to incorporate the FireEye countermeasures:

1. Increasing coverage in our CTEP (IPS) engine for Snort rules
2. Pushing updated intel based on the published rules for expanded coverage in our threat protection platform

Netskope has ensured coverage for all known threat indicators and payloads shown below and future countermeasures will be implemented as ongoing emergency updates as they become available and will be pushed to production independent of release cycles. Netskope Threat Labs will provide updates as they become available.

SUNBURST IOCs

Domains

As reported by FireEye here 

• freescanonline[.]com
• deftsecurity[.]com
• thedoccloud[.]com
• avsvmcloud[.]com
• zupertech[.]com
• panhardware[.]com
• databasegalore[.]com
• incomeupdate[.]com
• highdatabase[.]com
• websitetheme[.]com
• virtualdataserver[.]com
• digitalcollege[.]org
• globalnetworkissues[.]com
• seobundlekit[.]com
• virtualwebdata[.]com

Hashes (MD5)

SUNBURST samples from here 

• 2c4a910a1299cdae2a4e55988a2f102e (SolarWinds.Orion.Core.BusinessLayer.dll)
• 846e27a652a5e1bfbd0ddd38a16dc865 (SolarWinds.Orion.Core.BusinessLayer.dll)
• b91ce2fa41029f6955bff20079468448    (SolarWinds.Orion.Core.BusinessLayer.dll)
• 56ceb6d0011d87b6e4d7023d7ef85676 (app_web_logoimagehandler.ashx.b6031896.dll)
• 4f2eb62fa529c0283b28d05ddd311fae   (OrionImprovementBusinessLayer.2.cs)
• 02af7cec58b9a5da1c542b5a32151ba1(CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp)

FireEye Red Team tool IOCs

The Red Team tools IOCs can be found in the FireEye GitHub Repository.