General IT

SolarWinds Sunburst Detection and Response to Indicators of Compromise

This post will be brief and to the point, but I wanted to share some resources that I found helpful when learning how to respond to this incident.

Table of Contents:

  • FireEye’s Blog
  • FireEye’s Detection Opportunities
  • FireEye’s Github Resources
  • Sophos Github Resources
  • Implementing Detection and Firewall Rules

FireEye’s Blog

Reviewing FireEye’s blog post on this topic is critical to understanding the behavior of the threat actors.

Key Takeaways for Response:

Detection Opportunity

“The attacker infrastructure leaks its configured hostname in RDP SSL certificates, which is identifiable in internet-wide scan data. This presents a detection opportunity for defenders — querying internet-wide scan data sources for an organization’s hostnames can uncover malicious IP addresses that may be masquerading as the organization. (Note: IP Scan history often shows IPs switching between default (WIN-*) hostnames and victim’s hostnames) Cross-referencing the list of IPs identified in internet scan data with remote access logs may identify evidence of this actor in an environment. There is likely to be a single account per IP address.”

Detection Opportunity

“This also presents some detection opportunities, as geolocating IP addresses used for remote access may show an impossible rate of travel if a compromised account is being used by the legitimate user and the attacker from disparate IP addresses. The attacker used multiple IP addresses per VPS provider, so once a malicious login from an unusual ASN is identified, looking at all logins from that ASN can help detect additional malicious activity. This can be done alongside baselining and normalization of ASN’s used for legitimate remote access to help identify suspicious activity.”

Detection Opportunity

“Organizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. This will uncover any single system authenticating to multiple systems with multiple accounts, a relatively uncommon occurrence during normal business operations.”

Detection Opportunity

“Defenders can examine logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time. Additionally, defenders can monitor existing scheduled tasks for temporary updates, using frequency analysis to identify anomalous modification of tasks. Tasks can also be monitored to watch for legitimate Windows tasks executing new or unknown binaries.”

Leverage their GitHub Page

FireEye has released some awesome SIEM rules that you can implement to detect IoC’s.

Sophos Indicators of Compromise

Sophos has also compiled a Github repo that contains a list of known bad hashes, IP addresses, and domains.

Using the information above, I would recommend implementing the following:

  • Configure firewall egress rules that block outbound connections to the known bad IP addresses and domain names.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s