On Dec. 13, FireEye released information related to a breach and data exfiltration originating from an unknown actor FireEye is calling UNC2452. Unit 42 tracks this and related activity as the group named SolarStorm, and has published an ATOM containing the observed techniques, IOCs and relevant courses of action in the Unit 42 ATOM Viewer.

Any organization utilizing SolarWinds Orion IT management software is potentially at risk from this threat. FireEye's blog, "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor," contains a wealth of useful information, all of which has been analyzed by Unit 42 researchers to help ensure Palo Alto Networks customers are protected.

According to FireEye, SolarStorm has compromised organizations across the globe via a supply chain attack that consists of a trojanized update file for the SolarWinds Orion Platform. These organizations should immediately identify Orion systems in their network, determine whether they are compromised with the SUNBURST backdoor and seek out further evidence of compromise. Instructions on how to perform these tasks using the Palo Alto Networks Next Generation Firewall, Cortex XDR and XSOAR are available in this report, as well as additional resources and indicators of compromise (IOCs).

Palo Alto Networks has also launched SolarStorm Rapid Response Programs. The details of this attack and its impact continue to evolve. We will update this report with new details as they become available.

What's Known About SolarStorm and SUNBURST

SolarStorm specifically targeted supply chains during its attack on SolarWinds' Orion IT performance and statistics monitoring software. SolarStorm is a highly skilled threat actor with a significant operational security mindset, as can be observed in its post-exploitation activity. SolarWinds recently filed an SEC report indicating that, while it has over 300,000 customers, fewer than 18,000 customers were running the trojanized version of the Orion software.

SolarStorm threat actors created SUNBURST, a backdoor carrying a legitimate SolarWinds digital signature, as a trojanized version of a SolarWinds Orion plug-in. The trojanized software acts as a powerful supply chain infiltration mechanism for delivery: the implant arrives through the vendor's own update channel, signed with the vendor's own certificate, so a valid signature alone does not clear a file.
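To act on the advice above (find Orion systems and check whether the Orion DLL matches known SUNBURST indicators), here is an added example; it is not code from the original post, Palo Alto Networks or FireEye. It assumes the implant lived in SolarWinds.Orion.Core.BusinessLayer.dll (as reported by FireEye) and that Orion installs under C:\Program Files (x86)\SolarWinds\Orion by default; the SHA-256 IOC list is supplied by the operator in a text file (for example from the indicators FireEye published), and no hashes are embedded here. The file name and default root are assumptions for this example. Because the trojanized DLL carried a valid SolarWinds signature, the script deliberately ignores signature status and compares only the content hash.

```python
#!/usr/bin/env python3
"""Hunt for SUNBURST-trojanized Orion DLLs by SHA-256 against an operator-supplied IOC list.

Added example, not Unit 42 or FireEye code. Run on a Windows host with Orion installed:
    python orion_check.py ioc_hashes.txt ["C:\\Program Files (x86)\\SolarWinds\\Orion" ...]
"""
import hashlib
import os
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Set, Tuple

# Assumption (from FireEye's reporting): the SUNBURST implant shipped inside this Orion DLL.
TARGET_DLL = "solarwinds.orion.core.businesslayer.dll"

# Assumption: default Orion install root on Windows; pass other roots on the command line.
DEFAULT_ROOTS = [r"C:\Program Files (x86)\SolarWinds\Orion"]


@dataclass
class Finding:
    path: str
    sha256: str
    malicious: bool  # True when the digest is in the supplied IOC set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ioc_lines(lines: Iterable[str]) -> Set[str]:
    """Parse one SHA-256 per line; '#' comments and blank lines are ignored.

    A malformed entry raises rather than being skipped, so a typo in the IOC
    file cannot silently turn into a false negative.
    """
    hashes: Set[str] = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if len(entry) != 64 or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        hashes.add(entry)
    return hashes


def check_bytes(data: bytes, ioc_hashes: Set[str]) -> Tuple[str, bool]:
    """Return (digest, malicious).

    A valid Authenticode signature on the DLL is NOT a clean verdict: the
    trojanized build was signed with SolarWinds' own certificate, so only the
    content hash is compared here.
    """
    digest = sha256_hex(data)
    return digest, digest in ioc_hashes


def scan_file(path: str, ioc_hashes: Set[str]) -> Finding:
    with open(path, "rb") as fh:
        digest, malicious = check_bytes(fh.read(), ioc_hashes)
    return Finding(path, digest, malicious)


def find_candidate_dlls(roots: Iterable[str]) -> Iterator[str]:
    """Walk each root and yield every copy of the target DLL (case-insensitive)."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == TARGET_DLL:
                    yield os.path.join(dirpath, name)


def scan(roots: Iterable[str], ioc_hashes: Set[str]) -> List[Finding]:
    return [scan_file(p, ioc_hashes) for p in find_candidate_dlls(roots)]


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        ioc_hashes = parse_ioc_lines(fh)
    roots = argv[2:] or DEFAULT_ROOTS
    findings = scan(roots, ioc_hashes)
    if not findings:
        print("no Orion business-layer DLL found under", roots)
        return 0
    for f in findings:
        print(("MALICIOUS " if f.malicious else "no match  ") + f.sha256 + "  " + f.path)
    # Non-zero exit lets this run as a fleet-wide job. "no match" is not proof of
    # absence: also hunt for post-exploitation evidence, as the report advises.
    return 1 if any(f.malicious for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the same host, PowerShell's Get-AuthenticodeSignature reports the trojanized DLL as validly signed; that result only says SolarWinds' signing key signed it, which is exactly the supply-chain point the post makes, so the hash comparison is the check and a non-match still calls for the wider hunt for evidence of compromise.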