Check Point response to SolarWinds supply chain attack

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk171000
Technical Level
Product	Anti-Bot, Anti-Virus, Threat Emulation, IPS, Harmony Endpoint
Version	All
Date Created	14-Dec-2020
Last Modified	24-Mar-2021

Symptoms

On December 13th FireEye disclosed that the breach into their systems (sk170918), was a result of a supply chain attack into the software provider SolarWinds.
Additional information can be found here:
- https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
On March 4, 2021, FireEye released a publication on SUNSHUTTLE malware, which have been linked to be possibly leveraged by SUNBURST threat actor.
Additional information can be found here:
- https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Solution

As a first step, it is recommended to reset the passwords of local SolarWinds users and follow all updates released from SolarWinds.

Relevant Snort\Yara rules have been published regarding the attack. Following analysis conducted on them and on the nature of the attack, Check Point covers this threat with the following Threat Prevention products:

Anti-Virus:

Trojan.Win32.SUNBURST.TC.XXX

Trojan.Win32.Goldmax.xx

Sunburst.TC.x

Threat Emulation:

HackTool.Wins.FE_RT.A<XX>

HackTool.Wins.FE_RT.F

HackTool.Wins.FE_RT.G

Anti-Bot:

Backdoor.Win32.SUNBURST.XX

Backdoor.Win32.Beacon.<A-H>

IPS:

Sunburst Backdoor Suspicious Traffic

SolarWinds SUPERNOVA .NET Webshell Traffic

In addition, this is the list of relevant protections for SUNSHUTTLE malware, in Anti-Bot, Threat Emulation, SandBlast Agent and Anti-Virus products:

Anti-Bot:

Trojan.Win32.SUNSHUTTLE.D

Trojan.Win32.SUNSHUTTLE.H

Trojan.Win32.SUNSHUTTLE.I

Trojan.Win32.SUNSHUTTLE.J

Trojan.Win32.SUNSHUTTLE.K

Trojan.Win32.SUNSHUTTLE.L

Trojan.Win32.SUNSHUTTLE.O

Trojan.Win32.SUNSHUTTLE.P

Trojan.Win32.SUNSHUTTLE.N

Trojan.Win32.SUNSHUTTLE.Q

Trojan.Win32.SUNSHUTTLE.M

Trojan.Win32.SUNSHUTTLE.G

Threat Emulation:

Backdoor.Win.Sunshuttle.A

SandBlast Agent:

Backdoor.Win.Sunshuttle.B

Backdoor.Win.Sunshuttle.C

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating