Mitigation and Protection

First and foremost, it is highly recommended that all customers follow the guidance from SolarWinds and other agencies such as CISA to isolate and/or disconnect affected products until the necessary hotfixes are applied and the systems are certified safe..

In addition to the vendor patch that should be applied, Trend Micro has released several detection patterns, rules and filters that can provide protection and detection against malicious components associated with this attack. Please note that more information is continually being released and we will update as necessary.
 

Trend Micro Solutions

The following hashes associated with this campaign are detected by all Trend Micro products using anti-malware pattern detection technology (VSAPI) - including, but not limited to endpoints (Apex One, OfficeScan, Worry-Free Business Security), server protection (Cloud One and Deep Security with Anti-malware module and ServerProtect), Deep Discovery, mail and gateway protection. 

Indicators of Compromise (IOCs)
 
There have been some reports of additional IOCs associated with this threat and Trend Micro will continue to investigate these.  Please note, there are at least two IOCs that some vendors have reported as malicious, but based upon Trend Micro (and others') own analysis, do not believe believe they are malicious in themselves.  

Blocked Domains

The following domain names associated with this campaign are also blocked at the Web Reputation (WRS) and web gateway protection levels for all products that support the technology:

• avsvmcloud[.]com
• databasegalore[.]com
• deftsecurity[.]com
• highdatabase[.]com
• incomeupdate[.]com>/li>
• panhardware[.]com
• thedoccloud[.]com
• zupertech[.]com
• seobundlekit[.]com
• deftsecurity[.]com
• solartrackingsystem[.]net
• freescanonline[.]com
• kubecloud[.]com
• thedoccloud[.]com
• globalnetworkissues[.]com
• digitalcollege[.]org
• lcomputers[.]com
• webcodez[.]com
• virtualwebdata[.]com

Please note that additional domains will continued to be added as they are found/reported.

Trend Micro XDR

Trend Micro XDR customers benefit from all detection capabilities of the underlying products such as Apex One.  In addition, depending on their data collection time range, XDR customers may be able to sweep for IOCs retroactively if there was potential activity in this range to help in investigation.  Some auto-sweeping rules related to this incident have already been enabled for XDR customers.


Trend Micro Cloud One - Workload Security and Deep Security Rules

In addition to the anti-malware patterns listed above (for customers that utilize the anti-malware module), Trend Micro has released the following rules that helps to block some of the known domains and malicious traffic: 

• Rule 1010669 - Identified Malicious Domain – SolarWinds
• Rule 1010675 - Identified HTTP Backdoor Win32.Beaconsolar.A Runtime Detection
• Rule 1010676 - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request
• Rule 1010691 - SolarWinds Orion Remote Code Execution Vulnerability (CVE-2020-14005)
• Rule 1010693 - Identified HTTP Trojan.MSIL.Sunburst.A Traffice Request -1

TippingPoint / Trend Micro Cloud One - Network Security

Customers that use Trend Micro TippingPoint or Cloud One Network Security technologies also can utilize the following ThreatDV filters:

• 38626 : HTTP: Trojan.MSIL.Sunburst.A Runtime Detection
• 38627 : HTTP: Backdoor.Win32.Beaconsolar.A Runtime Detection

Trend Micro Deep Discovery 

The following Deep Discovery Inspector (DDI) rule has been released for this threat in the latest pattern:

• 4491: DNS_SUNBURST_RESPONSE_SB
• 4492: HTTP_SUPERNOVA_WEBSHELL_RESPONSE

Customers utilizing Deep Discovery technologies such as DDI and Deep Discovery Analyzer (DDAN) may find it useful to use the capabilities of the platform to help investigate potential lateral movement and other detections within the environment.


Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official SolarWinds patch as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found since information about this attack is still very fluid.
 

References

• Trend Micro Blog: Overview of Recent Sunburst Targeted Attacks
• Trend Micro Blog:  Managing Risk While Your ITSM Is Down
• Trend Micro Blog:  Backdoors Hard to Spot
• CISA's Emergency Directive 21-01 for the US Government
• SolarWinds' official advisory