
Threat Brief: SolarStorm and SUNBURST Customer Coverage

Category: Unit 42

SolarStorm Response With Next-Generation Firewall

It is possible to identify SolarWinds systems in a network using NGFW traffic monitoring. This section provides details of multiple queries and examples of their outputs. It is imperative for customers to employ the best practices for Palo Alto Networks products in order to ensure their appliances are configured in a manner best suited for their protection.

The following query filter will identify hosts contacting a server using the SolarWinds App-ID. 

 

 

Example query filter to identify hosts contacting a server using the SolarWinds App-ID.

URL Filtering can also help identify compromised servers. This query filter will identify systems connecting to the SolarWinds download server and specifically downloading the SUNBURST plug-in update.

 

 

Example of how URL Filtering can help identify systems connecting to the SolarWinds download server and specifically downloading the SUNBURST plug-in update.
Example of URL Filtering categorizing the download of the SUNBURST plug-in update as malware.

The following URL Filtering query will identify traffic to the known SUNBURST command and control domains: 

 

 

Example of how URL Filtering can identify traffic to the known SUNBURST command and control domains.

File Blocking will identify hosts that have downloaded the known filenames associated with the SUNBURST plug-in update.

 

 

Example of how File Blocking will identify hosts that have downloaded the known filenames associated with the SUNBURST plug-in update.

Threat logs can expose DNS queries that indicate SUNBURST command and control traffic. The following filter identifies known domain names used by the backdoor. 

 

 

Threat logs can expose DNS queries that indicate SUNBURST command and control traffic.

The following v9.x query can also be used to expose the relevant DNS queries:

 

 

This example shows how to expose the relevant DNS queries signaling possible SolarStorm compromise.

WildFire and Threat Prevention identify the known SUNBURST backdoor files. The following filter will identify the specific threats associated with SUNBURST in the Threat log. 

 

 

This example shows how WildFire and Threat Prevention can identify the specific threats associated with SUNBURST in the Threat log.

The following filter will identify known SUNBURST and TEARDROP files submitted to WildFire in the WildFire submissions log: 

 

 

This example shows how known SUNBURST files submitted to WildFire in the WildFire submissions log can be identified.

Threat Prevention can detect command and control traffic from SUNBURST as well as the Cobalt Strike Beacon used by SolarStorm. The following filter will identify this command and control traffic in the Threat log.

 

 

Threat Prevention can detect command and control traffic from SUNBURST as well as the Cobalt Strike Beacon used by SolarStorm.
