Webcheck Security has access to several Ex-NSA analysts in its managed threat hunting department. The following advice concerning the recent Solarwinds attack has been given from one of these key analysts. We recommend reaching out to us to set up a time to discuss the implications for your organization.
First, we recommend quarantining any vulnerable SolarWinds product from your network and if possible, take a forensic image to investigate for any indication of compromise before updating to the latest version. Reimaging all OS’s hosting instances of SolarWinds is recommended.
Second: Reset all credentials used by the SolarWinds software and make sure there is a rotation policy for these accounts and enforce long, complex passwords.
After quarantining and/or re-imaging, search through your network logs for any device that has called out to specific domains used as command and control servers:
zupertech[.]com
panhardware[.]com
databasegalore[.]com
incomeupdate[.]com
highdatabase[.]com
websitetheme[.]com
freescanonline[.]com
virtualdataserver[.]com
deftsecurity[.]com
thedoccloud[.]com
digitalcollege[.]org
globalnetworkissues[.]com
seobundlekit[.]com
virtualwebdata[.]com
kubecloud[.]com
lcomputers[.]com
solartrackingsystem[.]net
virtualdatacenter[.]com
webcodez[.]com
ervsystem[.]com (teardrop)
infinitysoftwares[.]com (teardrop)
Moving forward, we strongly recommend using an Intrusion Detection System(IDS) with the latest snort/suricata signatures that can detect this threat actor and others. FireEye has published these detection signatures here: https://github.com/fireeye/sunburst_countermeasures/blob/main/all-snort.rules
There are also excellent Endpoint Detection and Response(EDR) software solutions that can detect and block these SolarWinds exploits as well as thousands of other signatures and signature-less attacks based on malicious behavior.
To set up a time to discuss enhancing your cyber security posture, please reach out to us at getintouch@WebcheckSecurity.com
תגובות