What is the SUNBURST Backdoor Intrusion and How Can I detect it?

Overview

What is the SUNBURST backdoor intrusion and how can I detect it?


FireEye discovered a supply chain attack in which SolarWinds Orion software updates were trojanized to distribute a backdoor FireEye calls SUNBURST. FireEye tracks the actor behind this campaign as UNC2452; the intrusion is described in detail in this blog post:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html


Procedure

To detect this intrusion, the Uptycs security team added the malicious domain and IP IOCs from the FireEye report to the Uptycs Threat Intelligence functionality on 2020-12-14, in the malware category. They are now available for real-time alerting as well as manual historical scans.

Uptycs provides both memory and file-based YARA scan functionality. FireEye published YARA rules for SUNBURST that can be added to the Uptycs platform.

YARA rules:
FireEye's SUNBURST countermeasures repository (https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar)

To add the YARA rules for memory scanning, create a YARA rule group from the rules linked above and apply it to assets or tags.
Check the below articles for the Yara rules specific details with screenshots:

How to Setup YARA Group Rules
https://i18ndesk.zoho.com/portal/uptycs/kb/articles/how-to-setup-yara-group-rules

How to Setup YARA Process Monitoring on an Asset?
https://i18ndesk.zoho.com/portal/uptycs/kb/articles/how-to-setup-yara-process-monitoring-on-an-asset

How to Setup YARA Process Monitoring on a Tag?
https://i18ndesk.zoho.com/portal/uptycs/kb/articles/how-to-setup-yara-process-monitoring-on-a-tag


To add file-based detection, create a File Integrity Monitor (FIM) profile for the following location (the trailing %% is the recursive wildcard, so every file below SysWOW64 is monitored):
c:\\windows\\syswow64\\%%

Check the below articles for FIM specific details with screenshots:

How to Setup File Integrity Monitoring (FIM)?
https://i18ndesk.zoho.com/portal/uptycs/kb/articles/how-to-setup-file-integrity-monitoring-fim

How to setup YARA scanning on an existing File Integrity Monitoring profile
https://i18ndesk.zoho.com/portal/uptycs/kb/articles/how-to-setup-yara-scanning-on-an-existing-file-integrity-monitoring-profile


Once the configuration has been applied, check for infection with the following query from the "Investigate" query console. netsetupsvc.dll under SysWOW64 is the file path FireEye reported for TEARDROP, the memory-only dropper delivered through SUNBURST:
select * from process_file_events where path like '%syswow64\netsetupsvc.dll'

Any rows returned are file events for that path and should be investigated. The LIKE match is case-insensitive, so it catches the file however it is cased on disk; because the pattern begins with a wildcard, the query scans all collected process_file_events, so add a time constraint on large deployments.
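As an added example (not Uptycs or FireEye code), the Python below replays the hunt query above over a small constructed process_file_events table in SQLite, the engine osquery runs its SQL on, so the LIKE semantics match what the Investigate console uses, and checks which of the hits the FIM profile from the earlier step would also cover. The sample rows, the pids, and the simplified four-column schema are assumptions for illustration only.

```python
"""Added example, not Uptycs or FireEye code.

Replays the article's SUNBURST hunt query against a constructed
process_file_events table in SQLite (the engine behind osquery), so the
LIKE semantics are the ones the Investigate console uses, and checks
which paths the article's FIM profile would cover.
"""
import sqlite3

# FIM target from the article. In osquery file_paths a trailing '%%'
# means "this directory and everything below it, recursively".
FIM_PATTERN = r"c:\windows\syswow64\%%"

# The hunt query exactly as the article gives it.
HUNT_QUERY = r"select * from process_file_events where path like '%syswow64\netsetupsvc.dll'"

# Constructed sample events (not real telemetry); the schema is an
# assumed, simplified subset of osquery's process_file_events table.
SAMPLE_EVENTS = [
    (1607900000, "CREATED",  r"C:\Windows\SysWOW64\NetSetupSvc.dll", 4120),  # mixed case
    (1607900005, "MODIFIED", r"c:\windows\syswow64\netsetupsvc.dll", 4120),
    (1607900010, "CREATED",  r"C:\Windows\System32\netsetupsvc.dll", 880),   # wrong directory
    (1607900015, "CREATED",  r"C:\Windows\SysWOW64\netsetup.dll",    880),   # different file
    (1607900020, "CREATED",  r"C:\Users\bob\netsetupsvc.dll",        2200),  # outside SysWOW64
]


def build_db(events=SAMPLE_EVENTS):
    """Create an in-memory table shaped like the osquery one and load events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table process_file_events "
        "(time integer, action text, path text, pid integer)"
    )
    conn.executemany("insert into process_file_events values (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def run_hunt(conn, query=HUNT_QUERY, since=None):
    """Run the hunt query; optionally restrict to events at or after 'since'.

    SQLite LIKE is case-insensitive for ASCII and treats backslash as an
    ordinary character, so the article's pattern matches Windows paths
    whatever their casing and needs no escaping.
    """
    if since is not None:
        query = f"{query} and time >= {int(since)}"
    return list(conn.execute(query))


def in_fim_scope(path, pattern=FIM_PATTERN):
    """Approximate osquery's file_paths matching for a trailing-'%%' pattern:
    true when 'path' lies anywhere below the pattern's directory.
    Windows paths are case-insensitive, so both sides are lower-cased.
    """
    suffix = "\\%%"
    if not pattern.endswith(suffix):
        raise ValueError("only patterns ending in \\%% are handled here")
    root = pattern[:-len(suffix)].lower()
    return path.lower().startswith(root + "\\")


def triage(conn):
    """Return (path, pid, covered_by_fim) for each hunt hit."""
    return [(path, pid, in_fim_scope(path)) for _t, _a, path, pid in run_hunt(conn)]


if __name__ == "__main__":
    db = build_db()
    for path, pid, covered in triage(db):
        print(f"pid={pid} path={path} fim_profile_covers={covered}")
```

Only the two SysWOW64 events are hits; the System32 copy, the similarly named netsetup.dll and the user-profile drop are ignored by the article's pattern, which is worth remembering if an attacker stages the file elsewhere before moving it. The 'since' parameter shows the time constraint suggested above.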

