SolarWinds Cyberattack Update

NJCCIC Alert

Original Release Date: 1/14/2021

Summary

Cybersecurity firm CrowdStrike published its analysis of a malicious tool used by the threat actors responsible for the SolarWinds cyberattack that impacted thousands of organizations around the world. The implant, known as SUNSPOT, was used to inject the SUNBURST backdoor malware into the build environment of the Orion software. To evade detection, safeguards were added to SUNSPOT to prevent the builds from failing and alerting developers. CrowdStrike provides information on the tactics, techniques, and procedures (TTPs) used by the threat actors and indicators of compromise (IOCs), including YARA rules. SolarWinds also released new findings from its investigation into the cyberattack in a recent post.

Additionally, a website was recently launched claiming to be selling data stolen in the SolarWinds hacks, including data from several major US companies. The company data is being sold for hundreds of thousands of dollars, while various red team tools are being sold for tens of thousands of dollars. The legitimacy of this site and of the data for sale has not been determined. BleepingComputer provides additional details in their article.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
