Beginning on December 13, 2020, public information began to circulate about a massive, sophisticated supply-chain attack that affected the popular SolarWinds Orion platform and associated products. Many of the malicious components found as part of the attack have been dubbed "Sunburst."
This article covers the Trend Micro detection and protection patterns, rules and filters that have been deployed to help organizations investigate and mitigate the risk from threats associated with this campaign, and highlights Trend Micro technology that can assist in investigation.
Specific technical information on the Sunburst threat itself can be found in the following Trend Micro blog: Overview of Recent Sunburst Targeted Attacks.
In addition, it is highly recommended that affected customers closely follow SolarWinds' official advisory and reference CISA's Emergency Directive 21-01 for the US Government for more specific information.
Mitigation and Protection
First and foremost, it is highly recommended that all customers follow the guidance from SolarWinds and agencies such as CISA to isolate and/or disconnect affected products until the necessary hotfixes are applied and the systems are certified safe.
In addition to the vendor patch that should be applied, Trend Micro has released several detection patterns, rules and filters that can provide protection and detection against malicious components associated with this attack. Please note that more information is continually being released and we will update as necessary.
Trend Micro Solutions
The following hashes associated with this campaign are detected by all Trend Micro products using anti-malware pattern detection technology (VSAPI) - including, but not limited to endpoints (Apex One, OfficeScan, Worry-Free Business Security), server protection (Cloud One and Deep Security with Anti-malware module and ServerProtect), Deep Discovery, mail and gateway protection.
Indicators of Compromise (IOCs)
| SHA256 | SHA1 | Trend Micro Detection |
|---|---|---|
| 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | 2f1a5a7411d015d01aaee4535835400191645023 | Backdoor.MSIL.SUNBURST.A |
| c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 | 75af292f34789a1c782ea36c7127bf6106f595e8 | Trojan.MSIL.SUPERNOVA.A |
| ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | d130bd75645c2433f88ac03e73395fba172ef676 | Backdoor.MSIL.SUNBURST.A |
| 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | 76640508b1e7759e548771a5359eaed353bf1eec | Backdoor.MSIL.SUNBURST.A |
| d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 | 1b476f58ca366b54f34d714ffce3fd73cc30db1a | Backdoor.MSIL.SUNBURST.A |
| abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417 | b485953ed77caefe81bff0d9b349a33c5cea4cde | Backdoor.MSIL.SUNBURST.A |
There have been some reports of additional IOCs associated with this threat, and Trend Micro will continue to investigate these. Please note that at least two IOCs reported as malicious by some vendors are, based upon Trend Micro's (and others') own analysis, not believed to be malicious in themselves.
Blocked Domains
The following domain names associated with this campaign are also blocked at the Web Reputation (WRS) and web gateway protection levels for all products that support the technology:
Trend Micro XDR
Trend Micro XDR customers benefit from all detection capabilities of the underlying products such as Apex One. In addition, XDR customers may be able to sweep retroactively for these IOCs across their data-collection time range, which helps determine whether there was any related activity during that period. Some auto-sweeping rules related to this incident have already been enabled for XDR customers.
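As an added example (not Trend Micro's code or any XDR sweep rule), the following script shows how a defender could run a retroactive hash sweep of the kind described above: it loads the SHA256/SHA1 pairs from the IOC table and matches them against a file-inventory export. The CSV column layout (path, sha256, sha1) and the sample file names are assumptions constructed for the example.

```python
import csv
import io

# SHA256 -> (SHA1, detection name), copied from the IOC table above.
SUNBURST_IOCS = {
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134":
        ("2f1a5a7411d015d01aaee4535835400191645023", "Backdoor.MSIL.SUNBURST.A"),
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71":
        ("75af292f34789a1c782ea36c7127bf6106f595e8", "Trojan.MSIL.SUPERNOVA.A"),
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6":
        ("d130bd75645c2433f88ac03e73395fba172ef676", "Backdoor.MSIL.SUNBURST.A"),
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77":
        ("76640508b1e7759e548771a5359eaed353bf1eec", "Backdoor.MSIL.SUNBURST.A"),
    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600":
        ("1b476f58ca366b54f34d714ffce3fd73cc30db1a", "Backdoor.MSIL.SUNBURST.A"),
    "abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417":
        ("b485953ed77caefe81bff0d9b349a33c5cea4cde", "Backdoor.MSIL.SUNBURST.A"),
}
# Secondary index so an export that only carries SHA1 can still be swept.
SHA1_INDEX = {sha1: name for sha1, name in SUNBURST_IOCS.values()}

def classify(sha256=None, sha1=None):
    """Return the detection name if either hash is a listed IOC, else None."""
    s256 = (sha256 or "").strip().lower()
    if s256 in SUNBURST_IOCS:
        return SUNBURST_IOCS[s256][1]
    s1 = (sha1 or "").strip().lower()
    return SHA1_INDEX.get(s1)

def sweep_inventory(csv_text):
    """Match a CSV export with path,sha256,sha1 columns (hypothetical format)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = classify(row.get("sha256"), row.get("sha1"))
        if name:
            hits.append((row["path"], name))
    return hits

# Constructed sample export: one SUNBURST hit, one SUPERNOVA hit carrying only a
# SHA1, and one clean file. File names are placeholders, not real Orion paths.
SAMPLE_INVENTORY = """path,sha256,sha1
C:\\Orion\\sample_a.dll,019085A76BA7126FFF22770D71BD901C325FC68AC55AA743327984E89F4B0134,
C:\\Orion\\sample_b.dll,,75af292f34789a1c782ea36c7127bf6106f595e8
C:\\Orion\\clean.dll,0000000000000000000000000000000000000000000000000000000000000000,
"""

if __name__ == "__main__":
    for path, detection in sweep_inventory(SAMPLE_INVENTORY):
        print(f"{path}: {detection}")
```

Hashes are normalised to lowercase before lookup, so exports that emit uppercase digests (as in the first sample row) still match.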
Trend Micro Cloud One - Workload Security and Deep Security Rules
In addition to the anti-malware patterns listed above (for customers that utilize the anti-malware module), Trend Micro has released the following rules that help to block some of the known domains and malicious traffic:
- Rule 1010669 - Identified Malicious Domain – SolarWinds
- Rule 1010675 - Identified HTTP Backdoor Win32.Beaconsolar.A Runtime Detection
- Rule 1010676 - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request
- Rule 1010691 - SolarWinds Orion Remote Code Execution Vulnerability (CVE-2020-14005)
- Rule 1010693 - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request -1
TippingPoint / Trend Micro Cloud One - Network Security
Customers that use Trend Micro TippingPoint or Cloud One Network Security technologies can also use the following ThreatDV filters:
- 38626 : HTTP: Trojan.MSIL.Sunburst.A Runtime Detection
- 38627 : HTTP: Backdoor.Win32.Beaconsolar.A Runtime Detection
Trend Micro Deep Discovery
The following Deep Discovery Inspector (DDI) rules have been released for this threat in the latest pattern:
- 4491: DNS_SUNBURST_RESPONSE_SB
- 4492: HTTP_SUPERNOVA_WEBSHELL_RESPONSE
Trend Micro is continuing to look aggressively into other forms of detection and protection to assist our customers, but we want to reiterate that the primary recommendation is to apply the official SolarWinds patch as soon as possible. We will continue to update this article and our customers if and when additional layers of protection are found, since information about this attack is still very fluid.
References
- Trend Micro Blog: Overview of Recent Sunburst Targeted Attacks
- Trend Micro Blog: Managing Risk While Your ITSM Is Down
- Trend Micro Blog: Backdoors Hard to Spot
- CISA's Emergency Directive 21-01 for the US Government
- SolarWinds' official advisory