The cybersecurity world has been shaken up in the last couple of days by the SolarWinds supply chain attack, as more and more announcements are made of new breaches. Several major government agencies in the US (DHS, Treasury, NIH, Commerce, etc.) have publicly announced that they have been compromised.

What exactly is SolarWinds and what happened?

SolarWinds is one of the largest IT enterprise software companies in the world, with Fortune 500 companies and government agencies utilizing its platform. On Monday, SolarWinds confirmed that Orion (its flagship NMS) was unknowingly used to deploy malware that created a backdoor, called SUNBURST by FireEye, as part of a legitimate update from SolarWinds’ servers. The trojanized update was even signed with a certificate issued by Symantec with serial number 0fe973752022a606adf2a36e345dc0ed (sans.org). These updates were pushed out to almost 18,000 (out of the 300,000) Orion customers and were active since March.

What was very interesting about this malware was that it did not do anything for up to 2 weeks and used “obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers,” according to FireEye. The attackers were able to mimic existing SolarWinds protocols to hide their traffic and make it appear as legitimate SolarWinds activity.

This was a highly sophisticated attack that took a lot of planning, skill, and confidence.