Skip to content
ransomwares
Products and Services PRODUCTS & SERVICES

SolarWinds breach: how to identify if you have been affected

** We will update this article with additional information as it becomes available. We have also published a playbook to guide any security team that has SolarWinds in their environment and is looking to initiate incident response. **

Last updated: [2020-12-18  22:35 UTC] – view changelog

SolarWinds, an IT monitoring specialist, reported last Sunday that it had fallen victim to a “highly-sophisticated, manual supply chain attack … likely by a nation state.”

The compromised products are SolarWinds Orion versions 2019.4 through 2020.2.1.

How to identify if you are running an impacted SolarWinds Orion version?

Sophos customers can identify whether they are running a vulnerable version in multiple ways:

Sophos MTR customers

The MTR team is actively monitoring all protected customer environments and has already contacted affected customers directly to discuss remedial action.

Sophos EDR customers

EDR customers can run the dedicated query below to hunt for affected versions (updates will be posted here):

SELECT
name,
version,
install_location,
publisher,
uninstall_string,
install_date
FROM programs where name like 'SolarWinds Orion%2020.2' or name like 'SolarWinds Orion%2020.2.1%' or name like 'SolarWinds Orion%2019.4%';

Additionally, EDR customers can look for the following malicious DLL SHA256 hashes:·

  • 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
  • dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
  • eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed
  • c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77
  • ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
  • a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
  • d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af
  • c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
  • d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
  • 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7
  • 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712
  • abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417
  • 2ade1ac8911ad6a23498230a5e119516db47f6e76687f804e2512cc9bcfda2b0
  • db9e63337dacf0c0f1baa06145fd5f1007002c63124f99180f520ac11d551420
  • 0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589

Anyone not using Sophos EDR can activate a 30-day free trial and run the query across your estate:

  • If you are already running Sophos Central, activate the free trial directly within your console. Under ‘MORE PRODUCTS’ in the main navigation select ‘Free Trials’ and then select Intercept X Advanced with EDR, Intercept X Advanced for Server with EDR, or both.
  • If you not running Sophos Central, activate a free trial from our website.

All Sophos customers

SophosLabs has published the following anti-malware detections for the compromised SolarWinds components:

  • Mal/Sunburst-A
  • Troj/SunBurst-A
  • Troj/Agent-BGGA
  • Troj/Agent-BGGB
  • Troj/Agent-BGFZ

If you see one or more of these detections, you are exposed to potential attack.

SophosLabs has also published the following detections for the known second-stage backdoor components:

  • Mal/Sunburst-B
  • Troj/Agent-BGGC

If you see one or more of these detections, you are likely a victim of targeted attack and should take additional remediation actions.

Warning: check your configuration for scan exclusions. See https://twitter.com/ffforward/status/1338785034375999491 

SophosLabs is in the process of releasing IPS signatures that identify Command-and-Control traffic from the active exploitation stages of the attack. The list of IPS signatures to monitor on Sophos XG Firewall is:

  • 56662 – MALWARE-CNC Win.Backdoor.Sunburst inbound connection attempt
  • 56660 – MALWARE-CNC Win.Backdoor.Sunburst outbound connection attempt
  • 56665 – MALWARE-CNC Win.Backdoor.Sunburst outbound connection attempt
  • 56661 – MALWARE-CNC Win.Backdoor.Sunburst outbound connection attempt

If you see one or more of these IPS detections, you are likely a victim of targeted attack and should take additional remediation actions.

We have blocked all associated IP and domain indicators.

We have also revoked trust on the compromised SolarWinds certificate used in these attacks.

Sophos Application Control detects all versions of SolarWinds Orion as “SolarWinds MSP Agent”. Application Control is an optional setting – read the Help Guide for instructions on how to enable it, and add SolarWinds to the list of apps you want to block.

SophosLabs is continuing to investigate the attack and will be providing additional protection as necessary. Please monitor this location for further updates.

What do to if you are impacted

If you are running a compromised version, we recommend that you isolate the affected SolarWinds servers from the network.

We also recommend rebuilding all impacted SolarWinds servers and installing Orion Platform version 2020.2.1 HF 2 which is now available. See https://www.solarwinds.com/securityadvisory for more details.

We will be releasing further incident response guidance shortly. Contact your security team or partner for advice and support where needed.

Sophos and SolarWinds

Sophos is a SolarWinds Orion Customer. Upon receiving notification from SolarWinds, Sophos initiated incident response. We have undertaken incident response steps, which we also published at https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/ in the context of recommendations to other threat responders. In addition to incident response measures, we have now also undertaken precautionary forensics on our SolarWinds infrastructure, and our current assessment is that Sophos was not targeted in this attack.

Change log

2020-12-18 22:35 UTC Updated “Sophos and SolarWinds” section

2020-12-18 16:28 UTC Updated “Sophos EDR customers” section with new malicious DLL SHA256 hashes.

2020-12-16 14:03 UTC Added Troj/SunBurst-A to anti-malware detections

2020-12-16 12:40 UTC Updated to state that Orion Platform version 2020.2.1 HF 2 is now available

2020-12-16 12:27 UTC Updated to advise that the Sophos MTR team has now contacted all affected MTR customers

2020-12-15 22:04 UTC Added Sophos detection names for second-stage backdoor components and XG IPS signatures for command and control traffic

2020-12-15 21:00 UTC Added additional Sophos detections; add an additional Hash; add signatures to monitor for

2020-12-15 12:24 UTC Added warning to check your configuration for exclusions

2020-12-15 12:06 UTC Added link to Application Control help guide, and to advise that Application Control is an optional setting that needs to be enabled.

2020-12-15 09:30 UTC Updated to add Mal/Sunburst-A to the list of Sophos detections; provide the Sophos AppControl detection; advise that we have blocked all associated IPs and domain indicators; add three further Hashes; and provide link to the playbook.

2020-12-14 18:54 UTC Updated to advise that SophosLabs has revoked trust on the compromised SolarWinds certificate used in these attacks

8 Comments

If you are going to copy and paste the above then don’t forget to replace the ‘ ‘ quote marks as copy and paste will not put the correct marks in and the SQL will fail.

Reply

Thanks, great comment. We recommend using the queries directly from Github to avoid any copy-paste errors: https://github.com/sophos-cybersecurity/solarwinds-threathunt

Reply

Where should we run the query for EDR customers? Is there a special tool in EDR for running a query or just with powershell?

Reply

Hi there – you can use the Live Discover tool to run the query: https://central.sophos.com/manage/threat-analysis-center/live-query

More info here as well: https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/

We also have a video demo showing additional things you can do – it starts at the 17-minute mark of this video:

Reply

Leave a Reply to Patrick Cancel reply

Your email address will not be published.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!