Sunburst: The SolarWinds Hack, How You Could be Affected, and How Keysight Can Help

By Chuck Mcauley
Jan 7, 2021 10:00 AM ET

Keysight Blog

IMPACT

On December 13th, CISA issued directive 21-01, instructing all customers of SolarWinds that a breach had been detected in their supply chain of software. Using a variety of tactics, nation state hackers disrupted the digital supply chain of SolarWinds' software development and implanted a backdoor into their security event monitoring software. This backdoor has impacted at least 18,000 potential customers of SolarWinds, and will be a headache during this holiday period to remove and remediate. Many in the industry have already done fantastic detailed writeups, including MicrosoftFireEye, and Volextiy. Without a doubt, more information will be coming in the next few months.

KEYSIGHT HAS YOU COVERED TODAY

Simulation

Our leading cyber security solutions, BreakingPoint and Threat Simulator, are introducing new content this week designed to test your security controls capability to detect Sunburst activity on your network. FireEye released a set of IDS detection rules for Sunburst in Snort format on github, and using this along with reverse engineering, we've created traffic flows that simulate the same command and control traffic as seen by them and others. We are also releasing network traffic flows that download the same dangerous binaries highlighted in this week's news, designed to test network based malware detection systems. All said, we are adding 15 new command and control test audits, and 6 new malware downloads to both products.

Detection

Are you struggling to find out if SolarWinds' products are deployed in your environment? While software inventory management solutions provide excellent insight into what is installed on a host, sometimes they are unavailable or deployed incorrectly. Keysight's AppStack provides excellent coverage for over 1000 known network applications which currently includes SolarWinds' Network Performance Monitor (NPM) and Server and Application Monitor (SAM), both of which are part of the Orion platform. In the next release, we will include more elements of the Orion platform, including the Network Configuration Manager (NCM). These AppStack signatures will help you identify any installations of SolarWinds you might have missed, whether due to shadow IT, misconfiguration, or need an additional layer of verification.

THAT'S NOT ALL

As Mike talked about earlier this month, we already have the Red Team toolkit available for testing in both platforms. We've started down the path of endpoint testing, first with NJRat, then Trickbot, and now we're working on Sunburst. Expect more as we dig into both our own discoveries regarding this attack, and keeping up with the research from our peers.