SolarWinds: Threat hunt to contain and eradicate

As the cyberattack story continues to unfold around the SUNBURST and SUPERNOVA malware distributed through a compromised SolarWinds software update, more private and public sector organizations from around the world are coming forward to disclose how they were affected by the breach. In response, cybersecurity experts are simply recommending that all SolarWinds customers presume they were breached, and launch a threat hunt to contain and eradicate.

On December 13^th, FireEye released information about a supply chain attack using a trojanized Orion, a Solarwinds IT monitoring and management software. The malware was delivered through updates to the SSolarWinds.Orion.Core.BusinessLayer.dll in versions 2019.4 through 2020.2, a digitally-signed component of the software and tracked by FireEye as SUNBURST. The attack could have begun as early as Spring 2020.

And, over the holiday break, a new malware SUPERNOVA was discovered being distributed through the same software platform, another backdoor that is likely from a second threat actor.

Recent US Cybersecurity and Infrastructure Security Agency (CISA) bulletins suggest that attackers may be using multiple attack vectors to infiltrate targeted networks. CISA has directed federal agencies to isolate (or simply power down, after having forensically imaged system memory and host operating systems) SolarWinds servers, and to launch an investigation into compromises on their network.

SANS Institute recommends Threat Hunts in your network prioritizing Discovery COA (looking backward).

Why a Threat Hunt?

When responding to a breach, best practices indicate that you must preserve the digital evidence and conduct a full investigation. Responding to the compromise is not as simple as removing Sunburst and SUPERNOVA malware. With any Advanced Persistent Threat (APT), attackers may have been in your network gaining administrative permissions or forging SAML tokens to impersonate any users. Attackers will be retooling and setting the stage for further compromises. SUPERNOVA demonstrates the risk of these additional attack vectors. Offensive tactics assuming an attacker is inside your organization is the best way to contain and eradicate.

A threat hunt involves a proactive use of manual or machine-assisted techniques by a cybersecurity analyst, often part of an Incident Response Team, to detect security breaches that may elude the grasp of automated systems like antivirus, firewalls, scanners, etc. The analyst runs through the intelligence gathered from servers and networks to look for threatening activity and identify security issues to remediate cyberattacks.

Assistance for your Response

OpenText issued a customer advisory providing EnCase^TM Endpoint Security customers with detection rules for SUNBURST. These can be downloaded from MySupport portal.

For advice, guidance, and assistance with your SolarWinds compromise, our Professional Services team is available to:

• Conduct an advanced threat hunt looking for the SUNBURST infection
• Search the network for Indicator of Compromise (IoC) running in your environment
• Digital Forensics and Incident Response of the infected systems
• Develop preventive cyberattack measures to alert on IoC, and Tactics, Techniques and Procedures (TTPs)

To learn more about our Security Services, visit our website. To request your Threat Hunt or obtain assistance with an Incident Response urgently, email securityservices@opentext.com.