On December 12, 2020, the cyber security company FireEye published detailed information on a widespread attack campaign. The campaign uses a backdoored SolarWinds Orion component, known as SUNBURST. SolarWinds has issued a security advisory for the incident. Microsoft identifies the threat as “Solorigate”.
Like many other cyber security companies, FireEye conducts offensive security testing and therefore maintains attack tools for these operations. FireEye is one of the victims of the SUNBURST attacks, and its attack tools were stolen, creating a threat for companies running the vulnerable software that those tools exploit.
This community post explains how F-Secure products and services detect and remove this threat.
Is my company at risk?
If your company is not using SolarWinds Sunburst, you are not directly affected by this. However, as this incident shows, endpoint protection alone is not enough to tackle modern threats. With a layered approach combining protection, vulnerability management, and endpoint detection & response, you can improve your company's security posture.
If your company is using SolarWinds Sunburst, your company is at risk and you should act now by isolating and patching the affected SolarWinds environments. Having visibility into your cyber security posture is the starting point for understanding and defining your risk level. To get a clear picture of the state of your cyber security, regular vulnerability assessment and patching are key.
In addition, it is strongly advised to keep your cyber security software updated to the latest versions for full defense capabilities.
What is F-Secure doing in order to mitigate the risks?
What customers of F-Secure Protection Service for Business & F-Secure Business Suite need to know:
F-Secure Endpoint Protection clients such as F-Secure Computer Protection and F-Secure Client Security detect the compromised installers and prevent installers containing the following Sunburst backdoor DLLs from being installed on the system:
- Trojan:W32/Sunburst.A (019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134)
- Trojan:W32/Sunburst.C (ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6)
- Trojan:W32/Sunburst.D (32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77)
In summary, we have done the following:
- We have revoked the digital certificate for SolarWinds.
- We have detections for the DLLs listed above, which trigger if the DLLs are found in the installer package.
- Our network protection already blocks the domains listed here: https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
We are monitoring the situation and will assess our detections as new information is gathered. In addition, we are improving our generic detections for this. F-Secure customers will get all updates automatically.
What customers of F-Secure Rapid Detection & Response need to know:
Our Endpoint Detection and Response product detects the attack and generates detections with the following rules:
- RDSRULES-1686 - [windows] solarwind_suspicious_child_process - HIGH: detects any suspicious child process spawned from "solarwinds.businesslayerhost.exe".
- RDSRULES-1689 - [windows] solarwind_suspicious_file_access - HIGH: detects suspicious file write activities from "solarwinds.businesslayerhost.exe".
In addition, the product generates a detection if the attack tries to disable our Endpoint Protection product or Microsoft Defender.
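As an added illustration (not F-Secure's own rule logic or code), the following Python script shows the two detection ideas this post describes: matching the DLL hashes listed above (treated as SHA-256) and flagging child-process and file-write events whose actor is "solarwinds.businesslayerhost.exe". The event schema (`type`, `parent_image`, `image`, `target`) and the sample telemetry lines are constructed for this example.

```python
import hashlib
import json
from typing import Optional

# Hashes of the Sunburst backdoor DLLs from the Endpoint Protection list above (treated as SHA-256).
SUNBURST_DLL_SHA256 = {
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134": "Trojan:W32/Sunburst.A",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6": "Trojan:W32/Sunburst.C",
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77": "Trojan:W32/Sunburst.D",
}

# Process name that the RDSRULES-1686 / RDSRULES-1689 rules key on (compared case-insensitively).
ORION_HOST = "solarwinds.businesslayerhost.exe"


def classify_dll(data: bytes) -> Optional[str]:
    """Return the detection name if the file bytes hash to a listed Sunburst DLL, else None."""
    return SUNBURST_DLL_SHA256.get(hashlib.sha256(data).hexdigest())


def find_suspicious_events(events):
    """Flag process spawns and file writes whose actor is the Orion BusinessLayerHost process.

    `events` is an iterable of JSON-encoded telemetry lines in a constructed schema
    (not F-Secure's real event format): process_create events carry parent_image/image,
    file_write events carry image/target. Returns (rule_name, detail) tuples.
    """
    hits = []
    for line in events:
        ev = json.loads(line)
        actor = ev.get("parent_image" if ev["type"] == "process_create" else "image", "")
        if actor.lower().rsplit("\\", 1)[-1] != ORION_HOST:  # compare the basename only
            continue
        if ev["type"] == "process_create":
            hits.append(("solarwind_suspicious_child_process", ev["image"]))
        elif ev["type"] == "file_write":
            hits.append(("solarwind_suspicious_file_access", ev["target"]))
    return hits


# Constructed sample telemetry: one benign spawn, one spawn from the Orion host, one file write by it.
SAMPLE_EVENTS = [
    '{"type": "process_create", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Windows\\\\notepad.exe"}',
    '{"type": "process_create", "parent_image": "C:\\\\Program Files\\\\SolarWinds\\\\Orion\\\\SolarWinds.BusinessLayerHost.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    '{"type": "file_write", "image": "C:\\\\Program Files\\\\SolarWinds\\\\Orion\\\\SolarWinds.BusinessLayerHost.exe", "target": "C:\\\\Windows\\\\Temp\\\\stage.tmp"}',
]

if __name__ == "__main__":
    for rule, detail in find_suspicious_events(SAMPLE_EVENTS):
        print(f"[HIGH] {rule}: {detail}")
```

Only the two events attributed to the Orion host process are reported; the explorer.exe spawn is ignored.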
What customers of F-Secure Radar need to know:
F-Secure Radar does not directly help with the SUNBURST supply chain attack, but it helps to maintain a good security posture for your company. In this particular case, Radar helps your company find the vulnerabilities used by the stolen FireEye tools. Some of the vulnerabilities used by the tools are quite old, showing the difficulties that companies face in keeping up with vulnerability management and patching.
F-Secure Radar detects (and has detected for some time already) the following CVEs, which the offensive tools stolen from FireEye attempt to exploit:
- CVE-2020-1472
- CVE-2018-13379
- CVE-2018-15961
- CVE-2019-0604
- CVE-2019-0708
- CVE-2019-11580
- CVE-2019-19781
- CVE-2020-10189
- CVE-2014-1812
- CVE-2019-3398
- CVE-2020-0688
- CVE-2016-0167
- CVE-2017-11774
- CVE-2018-8581
- CVE-2019-8394
Within the scope of the disclosed breach, no new detection plugins had to be added to Radar, as we already had full coverage.