A new zero-day vulnerability has been identified affecting SolarWinds Orion Platform customers. If you are running Orion Platform versions 2019.4 HF 5 through 2020.2.1, you are vulnerable to the SUNBURST Trojan.
The malicious code is delivered via a normal SolarWinds update and, at the time of this bulletin, appears to be targeted at any Orion Platform subscriber.
Some or all hosts monitored by the SolarWinds Orion software may have been compromised by the threat actors, and additional persistence mechanisms may have been deployed. Analyze stored network traffic for indicators of compromise, including new external DNS domains to which hosts (e.g., the SolarWinds systems) have connected.
Look for the following IOCs on the SolarWinds instance:
[SolarWinds.Orion.Core.BusinessLayer.dll] with a file hash (MD5) of [b91ce2fa41029f6955bff20079468448]
[C:\WINDOWS\SysWOW64\netsetupsvc.dll]
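The following PowerShell script is an added example, not part of the HALOCK bulletin, that checks a SolarWinds host for the two file IOCs listed above and reviews stored DNS log lines for external domains outside an expected baseline (the traffic review recommended earlier). The known-bad MD5 and the dropped-DLL path are the bulletin's values; the search roots, the DNS log line format, the baseline domain list and the sample log lines are constructed assumptions and should be replaced with your own exports.

```powershell
# Added example (not HALOCK's code): hunt for the SUNBURST file IOCs from the
# bulletin and for new external DNS domains in stored DNS logs.

$KnownBadMd5   = 'b91ce2fa41029f6955bff20079468448'        # from the bulletin (MD5)
$IocDllName    = 'SolarWinds.Orion.Core.BusinessLayer.dll' # from the bulletin
$IocDroppedDll = 'C:\WINDOWS\SysWOW64\netsetupsvc.dll'     # from the bulletin
# Assumed locations to search; add any custom Orion install path.
$SearchRoots   = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:windir\Temp")

$Findings = @()

# 1. Hash every copy of the Orion business-layer DLL on disk and compare with the IOC.
Get-ChildItem -Path $SearchRoots -Recurse -Filter $IocDllName -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
    if ($hash -eq $KnownBadMd5) {
      $Findings += [pscustomobject]@{ Type = 'FileHash'; Item = $_.FullName; Detail = "MD5 $hash matches SUNBURST IOC" }
    }
  }

# 2. The dropped DLL should not exist at all on a clean host.
if (Test-Path -LiteralPath $IocDroppedDll) {
  $Findings += [pscustomobject]@{ Type = 'FilePath'; Item = $IocDroppedDll; Detail = 'Unexpected DLL present' }
}

# 3. Stored DNS log review: flag domains the SolarWinds host resolved that are
#    absent from a baseline of domains it is expected to contact.
#    Baseline and log lines below are constructed for illustration only.
$BaselineDomains = @('solarwinds.com', 'microsoft.com', 'windowsupdate.com', 'corp.example')
$DnsLogLines = @(
  '2020-12-13 09:01:12 10.0.5.20 query downloads.solarwinds.com',
  '2020-12-13 09:02:48 10.0.5.20 query ctldl.windowsupdate.com',
  '2020-12-13 09:03:05 10.0.5.20 query abcd1234.unknown-host.test',   # constructed, not a real IOC
  '2020-12-13 09:03:09 10.0.5.20 query orion01.corp.example'
)
foreach ($line in $DnsLogLines) {
  $fqdn = ($line -split '\s+')[-1].ToLower()
  $isKnown = $BaselineDomains | Where-Object { $fqdn -eq $_ -or $fqdn.EndsWith(".$_") }
  if (-not $isKnown) {
    $Findings += [pscustomobject]@{ Type = 'NewDomain'; Item = $fqdn; Detail = "Not in baseline: $line" }
  }
}

if ($Findings.Count -eq 0) { 'No IOC matches found.' } else { $Findings | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session on the Orion server; with the constructed log lines it reports the one domain outside the baseline, and on a compromised host it additionally reports the DLL hash match and the dropped DLL. A hash match is conclusive, but a non-match is not a clean bill of health, since later builds of the trojanized DLL carry different hashes.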
CONTAINMENT (REQUIRED)
Block outbound internet access from the SolarWinds system to all external (Internet) destinations except those required for business functionality.
Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
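As an added example of the outbound restriction in the containment step (not part of the bulletin), the following PowerShell configures Windows Defender Firewall on the SolarWinds host to allow only an explicit list of destinations and to block all other outbound traffic. The address ranges and the rule name are assumptions; substitute the monitored subnets, domain controllers and any update sources your environment actually needs.

```powershell
# Added example (not HALOCK's code): outbound allow-list for the SolarWinds host.
# Assumed: the ranges below cover the monitored subnets plus DNS/AD infrastructure.
$AllowedDestinations = @('10.0.0.0/8', '192.168.0.0/16')

# Create the allow rule first so required traffic keeps flowing once the default flips.
New-NetFirewallRule -DisplayName 'SolarWinds - allow required outbound' `
  -Direction Outbound -Action Allow -RemoteAddress $AllowedDestinations -Profile Any

# Windows Firewall evaluates explicit Block rules before Allow rules, so the
# correct pattern is: default outbound action = Block, plus Allow exceptions.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Verify the resulting policy.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'SolarWinds - allow required outbound' |
  Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

If the host's firewall is managed by Group Policy, the domain policy overrides these local settings and the same change must be made there. Enforce the same restriction at the network perimeter as well, so that a disabled host firewall does not re-open Internet access.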
REMEDIATION
After all threat actor-controlled accounts and identified persistence mechanisms have been identified and removed:
Any SolarWinds Orion systems identified as compromised should be rebuilt.
Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
Take action to remediate Kerberoasting, including, as necessary or appropriate, engaging a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to the following:
Require long and complex passwords (greater than 25 characters) for service principal accounts and implement a sound rotation policy for these passwords.
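The PowerShell below is an added example (not part of the bulletin) that inventories the Active Directory accounts Kerberoasting targets, namely user accounts carrying a servicePrincipalName, and reports which of them have stale or non-expiring passwords so the rotation policy above can be enforced. It assumes the RSAT ActiveDirectory module is available; the 90-day threshold and the privileged-group pattern are assumptions.

```powershell
# Added example (not HALOCK's code): audit SPN-bearing accounts for password rotation.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90                       # assumed rotation interval
$Cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

# Only user accounts with SPNs have crackable TGS tickets; computer accounts rotate automatically.
$SpnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
  -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, Enabled, MemberOf

$Report = foreach ($acct in $SpnAccounts) {
  [pscustomobject]@{
    SamAccountName       = $acct.SamAccountName
    Enabled              = $acct.Enabled
    PasswordLastSet      = $acct.PasswordLastSet
    PasswordAgeDays      = if ($acct.PasswordLastSet) { [int]((Get-Date) - $acct.PasswordLastSet).TotalDays } else { $null }
    PasswordNeverExpires = $acct.PasswordNeverExpires
    StalePassword        = (-not $acct.PasswordLastSet) -or ($acct.PasswordLastSet -lt $Cutoff)
    # Assumed pattern for "privileged": membership in a built-in admin group.
    PrivilegedGroup      = @($acct.MemberOf -match 'CN=(Domain Admins|Enterprise Admins|Administrators),').Count -gt 0
    SPNs                 = ($acct.ServicePrincipalName -join '; ')
  }
}

# Accounts to rotate first: enabled, with a stale or non-expiring password, privileged ones on top.
$Report | Where-Object { $_.Enabled -and ($_.StalePassword -or $_.PasswordNeverExpires) } |
  Sort-Object -Property PrivilegedGroup, PasswordAgeDays -Descending |
  Format-Table SamAccountName, PasswordAgeDays, PasswordNeverExpires, PrivilegedGroup, SPNs -AutoSize

# Password length cannot be read back from AD, so enforce it at rotation time, e.g.:
# Set-ADAccountPassword -Identity <SamAccountName> -NewPassword (Read-Host -AsSecureString) -Reset
```

Accounts that appear in the report with PasswordNeverExpires set, or with a privileged group membership, are the ones whose long-lived passwords give an attacker the most time to crack an exported ticket, so rotate those first and then schedule the rest. Where the service supports it, moving the account to a group managed service account removes the manual rotation burden entirely.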
HALOCK Breach Bulletins: recent data breaches to understand common threats and attacks that may impact you, featuring description, indicators of compromise (IoC), containment, and prevention.