Detecting Sunburst (AKA the SolarWinds Compromise) With RITA and AI-Hunter

Intro

By now you’ve seen multiple news reports that FireEye, NASA, the Pentagon, the Treasury and Commerce departments, and possibly even the White House, was compromised via an attack against a common network management package called SolarWinds. Both FireEye and SolarWinds have a very good write up on the attack. In short, if you or your MSP is a SolarWinds customer, there is a likelihood that your network has been compromised, permitting the attackers to take control of hosts inside your network. Most organizations are playing catch up to identify if they have been impacted.

 

Sunburst Command and Control Traffic

The attack modified the code that gets distributed as part of the SolarWinds Orion package. This modification included code that sets up a beacon command and control (C2) channel that calls back to a C2 server. Attackers can then queue up commands on the C2 server which will be executed when the infected system checks in.

Typically, Sunburst uses the HTTP protocol to connect out to the Internet, but this can be changed. Further, the C2 connection typically calls home at 60-second intervals, but this can also be changed. The IP addresses of the C2 servers can obviously be changed as well. The software has the ability to jitter the C2 beacon signal, neutralizing all beacon detection tools that rely on K-Means clustering.

Impact on RITA and AI-Hunter Customers

If you are using our open-source tool RITA, or our commercial product AI-Hunter, no changes are required to detect Sunburst activity on your network. Prior to this announcement, our customers were already capable of detecting this type of traffic. No patches or updates are required. If you have analyzed all beacon traffic detected on your network, you should be all set.

 

 

Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

Share this:
AC-Hunter Datasheet
AC-Hunter Personal Demo
Subscribe to Our Blog
Archives

Sign up for email notifications of our new blog posts, threat hunting training, webcasts and other relevant information.

We are not spammy and you can unsubscribe at any time :)

* indicates required