Protect Against Russia-Ukraine Cyber Activity

Threat Brief: SolarStorm and SUNBURST Customer Coverage

By

Category: Unit 42

Tags: , , , , ,

Threat brief conceptual image, representing Unit 42 threat briefs such as this post, covering SolarStorm and SUNBURST

This post is also available in: 日本語 (Japanese)

Conclusion

The protections in place for our customers are continually being updated for this related threat activity and for all threats that are identified in the wild. Customers should know that Unit 42 researchers are working diligently to ensure protections are in place for our entire product ecosystem.

While Palo Alto Networks has deployed effective countermeasures to help protect customers, there are some additional safeguards organizations leveraging SolarWinds can take:

  • Identify all SolarWinds servers inside your organization, isolate them from the rest of the network and block internet-facing traffic from them.
  • Search for indicators of the SUNBURST, TEARDROP and BEACON malware in network and endpoint logs.
  • Evaluate SolarWinds’ Guidelines for future system updates, found in the Additional Resources section

There’s been a litany of press surrounding this event, with several sources releasing information, including SolarWinds. A selection of key information is listed in the section below.

Appendix

Additional Resources

Indicators of Compromise (IOCs)

freescanonline[.]com

deftsecurity[.]com

thedoccloud[.]com

websitetheme[.]com

highdatabase[.]com

incomeupdate[.]com

databasegalore[.]com

panhardware[.]com

zupertech[.]com

Virtualwebdata[.]com

virtualdataserver[.]com

digitalcollege[.]org

lcomputers[.]com

webcodez[.]com

deftsecurity[.]com

globalnetworkissues[.]com

kubecloud[.]com

seobundlekit[.]com

solartrackingsystem[.]net

a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7cf528f40deed

5fabe36fb1da700a1c418e184c2e5332fe2f8c575c6148bdac360f69f91be6c2

e9e646a9dba31a8e3debf4202ed34b0b22c483f1aca75ffa43e684cb417837fa

b9cf6fbde82839e15413595a50aeb1044a8f4e3be180c42436e11675c22cf914

02f47b88caa73d607d820d258cd9f167ed266af99a62e10c9220a7e0228cf53e

c0fc006ffa92d0111197f8e3a1d2ba06a326eddc3d0b28111727df8e52805cf8

b05640e8f35761435e3cf22524136808a891304f10ec9f354eb9decc43cb617e

32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77

ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6

019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134

ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c

c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71

6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d

118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51

Updated Jan. 15, 2021, at 4:45 p.m. PT.

Back to Top