On the 8th of December 2020, FireEye (FEYE), one of the largest cybersecurity firms, disclosed that it had been hacked.
If you have not heard of this story, do check out a summary on this incident HERE.
FireEye released an update on the 13th of December 2020 with new information on their recent breach.
In this recent update, new evidence further suggests that the FireEye breach disclosed on the 8th of December 2020 is the work of state-sponsored threat actors.
FireEye identified "a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain".
The Orion Platform, a widely-used IT infrastructure management product offered by SolarWinds, has been identified as one of the main points of compromise in this supply chain attack campaign.
FireEye has noted the similarities between their recent breach and the campaign, based on the following key elements:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools
FireEye is now working closely with SolarWinds, the Federal Bureau of Investigation, and other key partners.
As this activity is the subject of an ongoing FBI investigation, there are also limits to the information that is available for sharing at this time.
Am I affected?
SolarWinds has since published an advisory in light of the situation.
The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware.
SolarWinds Orion holds credentials such as Domain Admin accounts, Cisco/router/switch root and enable credentials, ESXi/vCenter credentials, AWS/Azure/cloud root API keys, and much more. If you ran a tainted version and see other IOCs in your environment, treat every credential stored in Orion as compromised and rotate it.
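The first check a practitioner wants to run is whether the Orion versions in their inventory fall in the affected range quoted above. The script below is an added example, not code from the post or from SolarWinds; the version string shapes it accepts (e.g. "2019.4", "2020.2.1", "2019.4 HF5") and the sample inventory are assumptions. It parses versions into numeric tuples rather than comparing strings, since a plain string comparison would mis-order a version like "2020.10" against "2020.2.1". Hotfix levels are parsed for display only, because the text above does not distinguish them; confirm hotfix-level detail against the SolarWinds advisory itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as quoted above from the SolarWinds advisory: 2019.4 through 2020.2.1.
# Hotfix (HF) levels are not part of the comparison because the text above does not
# resolve them; check the vendor advisory for hotfix-level detail.
AFFECTED_LOW = (2019, 4, 0)
AFFECTED_HIGH = (2020, 2, 1)

# Assumed version string shape (assumption, not from the post): "2019.4", "2020.2.1", "2019.4 HF5"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a version string into (major, minor, patch, hotfix); None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hf or 0))


def is_in_affected_range(text: str) -> Optional[bool]:
    """True if the version lies in the quoted affected range, False if not, None if unknown."""
    v = parse_orion_version(text)
    if v is None:
        return None
    # Numeric tuple comparison: "2020.10" correctly sorts after "2020.2.1" here,
    # whereas a string comparison would place it inside the affected range.
    return AFFECTED_LOW <= v[:3] <= AFFECTED_HIGH


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts by whether their reported Orion version is in the affected range."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory.items():
        hit = is_in_affected_range(version)
        if hit is None:
            result["unknown"].append(host)
        elif hit:
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",
    "orion-lab-01": "2019.4 HF5",
    "orion-old-01": "2018.4",
    "orion-new-01": "2020.10",   # newer than the range; a string compare would misplace it
    "orion-unk-01": "unknown",   # e.g. a host the inventory could not query
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) if hosts else '-'}")
```

Hosts that land in the "unknown" bucket deserve a manual look rather than being assumed clean, since an unqueryable host is exactly the kind of gap an attacker prioritising stealth would benefit from.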
What are the countermeasures?
FireEye's new "Mandiant SunBurst Countermeasures" GitHub repository contains rules that can help detect these newly identified threats.
FireEye Mandiant SunBurst Countermeasures
These rules are provided freely to the community without warranty.
In this GitHub repository you will find rules in multiple languages.
The rules are categorized and labeled into two release states:
- Production: rules that are expected to perform with minimal tuning.
- Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.
Please check back to this GitHub for updates to these rules.
FireEye customers can refer to the FireEye Community (community.fireeye.com) for information on how FireEye products detect these threats.
The entire risk as to quality and performance of these rules is with the users.
Please review the FireEye blog for additional details on this threat.
VX-Underground, which hosts one of the largest collections of malware source code, samples, and papers on the internet, posted a tweet regarding the malware:
We got our hands on a sample from APT UNC2452 - the Threat Actor(s) who compromised the SolarWinds supply chain, using this to exfiltrate FireEye & United States Treasury.
You can view the FireEye paper + download the sample here: cutt.ly/ZhAFTuc
04:03 AM - 14 Dec 2020
The "SUNBURST" / "Solorigate" malware sample can be obtained HERE.
Caution: Download at your own risk!
FireEye has released new information on the breach disclosed on the 8th of December 2020.
The scale of the attack might be larger than just FireEye alone. A whole supply chain attack campaign, with attack methodologies similar to the recent FireEye breach, has been identified.
If you have any resources that can help the community, do post them in the comment section.
As the saying goes, "it's not a matter of if, it's a matter of when." Stay safe and keep up with the news for the latest updates.
Like this post?
You can find more by:
Following me on Twitter: K0p1_
Thanks for reading!