Information regarding the SolarWinds Orion SUNBURST backdoor attack was released on December 13th. It is a sophisticated attack that leverages many different techniques.
A large number of IoCs (Indicators of Compromise) have already been reported publicly, indicating the advanced and complicated nature of the threat.
Even though information on how the attacker managed to infiltrate malicious code into SolarWinds clients is still limited, the behaviours identified following execution of the malware are consistent with Command and Control activity.
Elastic has acted quickly to provide multiple additional protections, free of charge, covering the full scope of the attack as far as is currently known. This scope will continue to grow as further analysis of compromised systems takes place. Elastic has given its commitment to continue updating as further details come to light.
First and foremost, it has deployed an update to its machine learning powered malware detection scoring algorithm and added known compromised SolarWinds software hashes to its blocklists.
Elastic Security detection rules deployed as standard already provide protection against a number of the identified behavioural tactics:
- User Added as Owner for Azure Service Principal
- Multi-Factor Authentication Disabled for an Azure User
- Attempts to Brute Force a Microsoft 365 User Account
- Potential Password Spraying of Microsoft 365 User Accounts
- Possible Consent Grant Attack via Azure-Registered Application
- Azure Key Vault Modified
- Process Termination followed by Deletion
- Clearing Windows Event Logs
In addition, Elastic is releasing a number of further rules to combat specific behaviours identified in SUNBURST.
Sofecta is also reacting by releasing SUNBURST related IP and hostname blocklists, which we have collected for inclusion in our SaaS customers’ Indicator Detection rules. Furthermore, we are offering our customers an ‘early warning rule’ that alerts on installed SolarWinds clients, in case staff have installed the software outside of a broader installation policy or consent.
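To illustrate the two kinds of rule described above, here is an added example (not Sofecta's or Elastic's rule logic) that runs an IP/hostname indicator match and a SolarWinds install early warning over normalised events. The blocklist entries, the approved host list and the sample events are all constructed placeholders, not real SUNBURST indicators.

```python
import ipaddress

# Constructed placeholder indicators for illustration only; the real
# SUNBURST blocklists are not reproduced here.
BLOCKLIST_HOSTS = {"c2.example.invalid", "sunburst-c2.example.invalid"}
BLOCKLIST_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.7/32")]
# Hosts where a SolarWinds install is covered by policy (assumed input).
APPROVED_SOLARWINDS_HOSTS = {"orion-mgmt01"}

def host_is_listed(host):
    """True if host equals, or is a subdomain of, a listed hostname."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKLIST_HOSTS)

def ip_is_listed(ip):
    """True if ip falls inside a listed network; non-IP strings never match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKLIST_NETS)

def evaluate(events):
    """Apply both rule types and return (rule_name, host) alerts in order."""
    alerts = []
    for ev in events:
        if ev["type"] == "dns" and host_is_listed(ev["query"]):
            alerts.append(("sunburst_hostname_indicator", ev["host"]))
        elif ev["type"] == "network" and ip_is_listed(ev["dest_ip"]):
            alerts.append(("sunburst_ip_indicator", ev["host"]))
        elif (ev["type"] == "software_install"
              and "solarwinds" in ev["product"].lower()
              and ev["host"] not in APPROVED_SOLARWINDS_HOSTS):
            alerts.append(("solarwinds_install_early_warning", ev["host"]))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws-042", "query": "api.sunburst-c2.example.invalid."},
    {"type": "network", "host": "ws-042", "dest_ip": "203.0.113.55"},
    {"type": "network", "host": "ws-077", "dest_ip": "192.0.2.9"},
    {"type": "software_install", "host": "orion-mgmt01", "product": "SolarWinds Orion Platform"},
    {"type": "software_install", "host": "ws-101", "product": "SolarWinds Orion Platform"},
    {"type": "dns", "host": "ws-077", "query": "www.example.com"},
]

if __name__ == "__main__":
    for rule, host in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {rule} on {host}")
```

The hostname check matches subdomains of a listed domain, so a DNS query for a host under a listed C2 domain still fires; the install rule only alerts for hosts not on the approved list.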
Contact us for more information
Written by: Alex Hutchinson, Certified Elastic Engineer and Software Architect