UPDATE 1/8/21
The intent of this analysis is to aggregate the widely distributed information being shared about this incident and to provide insights and recommendations.
As we continue to learn more about the recent SolarWinds supply-chain attack, GuidePoint Security continues to gather and distill the available information for consumption. Our team is currently tracking the group that FireEye designates UNC2452, which is linked to the actor that the Volexity team tracks as Dark Halo.
THREAT ADVISORY
The recently announced SolarWinds supply-chain compromise, disclosed together with the FireEye breach, brought to light several distinct threats observed during that investigation, with particular focus placed on the SUNBURST implant in SolarWinds Orion, the memory-only TEARDROP dropper, and the use of Cobalt Strike's BEACON payload. However, among the IOCs that FireEye published as part of this investigation, a .NET webshell named SUPERNOVA was listed with no supplemental analysis of how it operates or of any behavioral indications that it is present in an environment.
We have developed tactical information and recommendations based on details collected from the FireEye, Microsoft and SolarWinds reports. This information can be used independently of any specific toolset while vendors continue to develop product-specific detection capabilities.
We have also developed a detailed list of product-agnostic behavioral and atomic indicators that can be integrated into your existing solutions to hunt for, and validate the potential impact of, these SolarWinds-related threats.
Our Digital Forensics and Incident Response team is tracking this breach to ensure we continue to provide the most useful and timely insights and analysis.
Threat Hunting and Discovery Analysis
We hunt your environment to identify anomalous and suspicious behaviors and determine if there are any ongoing threats present, including targeted threat actor activities that are potentially unnoticed or unidentified.
IR Retainer
Our team of incident responders is readily available to address escalations for potential security incidents, assist with investigative analysis and conduct forensic investigations involving the potential compromise of sensitive data or critical information assets.
IR Services
We can help you quickly investigate and understand the full scope of an incident to develop a comprehensive remediation strategy that effectively addresses both the current threat and future incidents.
Incident Response Enablement
We ensure that your incident responders, threat hunters and other SOC personnel have exposure to real-world threats and are equipped with the necessary capabilities to identify and effectively respond to incidents.