SolarWinds supply chain attack: What to do about Sunburst malware security threats

Posted on December 22, 2020

The recent supply chain security attack on SolarWinds deployments dubbed “Sunburst” will have a ripple effect around the world for many months to come. The success of this malware attack gave threat actors wide-ranging access to both corporate and governmental information systems. The attack was very sophisticated and utilized many advanced techniques to gain a foothold and remain persistent within the compromised environment by deploying other backdoors yet to be uncovered.

Masergy’s advice: Assume the worst and diligently monitor. Because this attack can fully compromise Active Directory, including exposure to the passwords stored or cached on those systems, organizations should assume they were compromised. It is imperative to actively monitor for the “Sunburst” indicators of compromise (IOCs) as a precaution, even when no compromise has been confirmed. It is very possible the threat actor gained a foothold in a given environment before the threat was detected, has since established persistence within the network, and has hidden its tracks along the way.

The IT environments of all Masergy security customers are being actively monitored for all known activity associated with the “Sunburst” attack, including the use of all file-hash IOCs and the presence of the backdoor payloads deployed in this attack, “TEARDROP” and “Cobalt Strike BEACON.”

Additional suggested recommendations
In addition to monitoring for Sunburst, Masergy recommends that organizations take a number of steps beyond basic security architecture best practices to reduce future risk, including:

  1. Utilizing advanced protection and prevention technologies for both server infrastructure and users, such as MDR (managed detection and response) tools that are monitored 24/7.
  2. Implementing an advanced EDR (endpoint detection and response) solution, viewed within the context of Zero Trust Network Access (ZTNA) protection.
  3. Using active threat hunting tools that include active global threat intelligence updates.

Defense in depth is still a critical piece of the security puzzle. Ensuring that multiple protections operate in parallel and can work together to identify and prevent attacks in real time is essential. Masergy stands ready to help companies strengthen their security posture at this critical time.

Existing clients with questions or concerns should contact their account managers or Masergy’s security support center at 972-980-1932 or scc@masergy.com.

Not a Masergy client? You can learn more about Masergy’s Managed Security Services and contact us for a free consultation.

References and suggested reading

SolarWinds:
https://www.solarwinds.com/securityadvisory

DHS:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://cyber.dhs.gov/ed/21-01/

FireEye:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://github.com/fireeye/sunburst_countermeasures

Microsoft:
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Trevor Parks

Trevor Parks is the director for security solutions at Masergy. He is responsible for guiding the development, evolution and implementation of Masergy’s Unified Enterprise Security services platform. Trevor contributed to the development of the patented Network Behavioral Analysis technology at the core of Masergy’s security solutions, aimed at detecting APTs and other advanced threats affecting customer networks.