As a first step, it is recommended to reset the passwords of local SolarWinds users and to apply all updates released by SolarWinds.
Relevant Snort and YARA rules have been published for this attack. Based on analysis of those rules and of the nature of the attack, Check Point covers this threat with the following Threat Prevention protections:
Anti-Virus:
Trojan.Win32.SUNBURST.TC.XXX
Trojan.Win32.Goldmax.xx
Sunburst.TC.x
Threat Emulation:
HackTool.Wins.FE_RT.A<XX>
HackTool.Wins.FE_RT.F
HackTool.Wins.FE_RT.G
Anti-Bot:
Backdoor.Win32.SUNBURST.XX
Backdoor.Win32.Beacon.<A-H>
IPS:
Sunburst Backdoor Suspicious Traffic
SolarWinds SUPERNOVA .NET Webshell Traffic
In addition, the following protections cover the SUNSHUTTLE malware in the Anti-Bot, Threat Emulation, SandBlast Agent and Anti-Virus products:
Anti-Bot:
Trojan.Win32.SUNSHUTTLE.D
Trojan.Win32.SUNSHUTTLE.H
Trojan.Win32.SUNSHUTTLE.I
Trojan.Win32.SUNSHUTTLE.J
Trojan.Win32.SUNSHUTTLE.K
Trojan.Win32.SUNSHUTTLE.L
Trojan.Win32.SUNSHUTTLE.O
Trojan.Win32.SUNSHUTTLE.P
Trojan.Win32.SUNSHUTTLE.N
Trojan.Win32.SUNSHUTTLE.Q
Trojan.Win32.SUNSHUTTLE.M
Trojan.Win32.SUNSHUTTLE.G
Threat Emulation:
Backdoor.Win.Sunshuttle.A
SandBlast Agent:
Backdoor.Win.Sunshuttle.B
Backdoor.Win.Sunshuttle.C
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.