SolarWinds: Threat hunt to contain and eradicate


Marc St-Pierre

January 4, 2021 · 3 minutes read

As the cyberattack story continues to unfold around the SUNBURST and SUPERNOVA malware distributed through a compromised SolarWinds software update, more private and public sector organizations from around the world are coming forward to disclose how they were affected by the breach. In response, cybersecurity experts are simply recommending that all SolarWinds customers presume they were breached, and launch a threat hunt to contain and eradicate.

On December 13th, FireEye released information about a supply chain attack using a trojanized build of Orion, SolarWinds' IT monitoring and management software. The malware, tracked by FireEye as SUNBURST, was delivered through updates to SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed component of the software, in versions 2019.4 through 2020.2. The attack could have begun as early as Spring 2020.

And, over the holiday break, a new malware, SUPERNOVA, was discovered being distributed through the same software platform: another backdoor, likely from a second threat actor.

Recent US Cybersecurity and Infrastructure Security Agency (CISA) bulletins suggest that attackers may be using multiple attack vectors to infiltrate targeted networks. CISA has directed federal agencies to isolate (or simply power down, after having forensically imaged system memory and host operating systems) SolarWinds servers, and to launch an investigation into compromises on their networks.
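As an added example, not code from the original post or from OpenText: a small Python triage helper that applies the affected-version range stated above (2019.4 through 2020.2) to a constructed Orion server inventory and returns the CISA-style action for each host. The version-string format with an optional `HF` hotfix suffix, the inclusive bounds, and the host names are assumptions; patch and hotfix levels are deliberately ignored so the check errs toward treating a host as affected.

```python
import re

# Affected release range as stated in the post (assumption: inclusive bounds,
# compared on the YEAR.MINOR part only; "HFx" suffixes do not change the verdict).
AFFECTED_MIN = (2019, 4)
AFFECTED_MAX = (2020, 2)

# Assumed SolarWinds version naming: "YYYY.N", "YYYY.N.P", optionally "... HFx".
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE)


def parse_orion_version(text):
    """Return (year, minor, patch, hotfix) or None if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    year, minor, patch, hf = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hf or 0))


def is_affected(version):
    """True when the release falls within 2019.4 .. 2020.2 inclusive (patch/HF ignored)."""
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def triage(inventory):
    """Map each host to a response action. Every Orion host is hunted (presume breach);
    hosts in the affected range are imaged and isolated before the hunt starts."""
    actions = {}
    for host, version_text in inventory.items():
        v = parse_orion_version(version_text)
        if v is None:
            actions[host] = "verify-version-manually, then hunt"
        elif is_affected(v):
            actions[host] = "image-memory-and-disk, isolate, then hunt"
        else:
            actions[host] = "hunt"
    return actions


# Constructed sample inventory; these are not real hosts or observed versions.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",
    "orion-prod-02": "2019.4 HF5",
    "orion-lab-01": "2019.2",
    "orion-old-01": "unknown",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```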

SANS Institute recommends threat hunts across your network that prioritize the Discovery course of action (COA), that is, looking backward for evidence of what the attacker has already done.

Why a Threat Hunt?

When responding to a breach, best practices indicate that you must preserve the digital evidence and conduct a full investigation. Responding to the compromise is not as simple as removing the SUNBURST and SUPERNOVA malware. With any Advanced Persistent Threat (APT), attackers may have been in your network gaining administrative permissions or forging SAML tokens to impersonate any user. Attackers will be retooling and setting the stage for further compromises. SUPERNOVA demonstrates the risk of these additional attack vectors. Taking an offensive stance that assumes an attacker is already inside your organization is the best way to contain and eradicate.

A threat hunt involves a proactive use of manual or machine-assisted techniques by a cybersecurity analyst, often part of an Incident Response Team, to detect security breaches that may elude the grasp of automated systems like antivirus, firewalls, scanners, etc. The analyst runs through the intelligence gathered from servers and networks to look for threatening activity and identify security issues to remediate cyberattacks.

Assistance for your Response

OpenText issued a customer advisory providing EnCase™ Endpoint Security customers with detection rules for SUNBURST. These can be downloaded from the MySupport portal.

For advice, guidance, and assistance with your SolarWinds compromise, our Professional Services team is available to:

  • Conduct an advanced threat hunt looking for the SUNBURST infection
  • Search the network for Indicators of Compromise (IoCs) present in your environment
  • Perform Digital Forensics and Incident Response on the infected systems
  • Develop preventive cyberattack measures to alert on IoCs and on Tactics, Techniques and Procedures (TTPs)

To learn more about our Security Services, visit our website. To request your Threat Hunt or obtain assistance with an Incident Response urgently, email securityservices@opentext.com.

Marc St-Pierre

Marc is VP of Consulting Services for the Security + Artificial Intelligence + Linguistics & Translation practice. For more than 15 years, Marc has led services groups specialized in advanced and emerging technologies. He has lectured on semantic technologies and led solution development such as AI-Augmented Voice of the Customer and Magellan Search+.
