On Dec 13, 2020, FireEye published additional details regarding the SolarWinds Orion supply chain attack, in which multiple other organizations were also impacted. FireEye also published countermeasures for detecting the campaign at various stages here.
Zscaler leveraged the details of those countermeasures, verified that existing protection was in place, and enhanced coverage wherever required across the multiple layers of the Zscaler security platform. Below is the list of threat names under which Zscaler products detect this campaign.
Advanced Threat Protection
Details regarding these threat signatures can be found in the Zscaler Threat Library.
Advanced Cloud Sandbox
We have ensured that Zscaler Cloud Sandbox flags the Sunburst Backdoor. As always, Cloud Sandbox plays a critical role in blocking any unknown variants of the malware.
The Zscaler ThreatLabZ team is also actively monitoring this campaign and any activity around the Sunburst Backdoor, and will ensure coverage for newer IOCs as they are discovered.
What is the impact?
According to SolarWinds, 18,000 of its customers downloaded the backdoored version of the Orion software between March 2020 and June 2020, including many large enterprises and government agencies.
Is Zscaler affected?
Zscaler utilizes SolarWinds software and has verified that none of our services are affected by this campaign. We published a trust advisory here: https://trust.zscaler.com/posts/6896
What can you do to protect yourself?
If you are using the SolarWinds Orion framework in your environment, check whether the software version you are running is vulnerable (2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1) and update it to the latest version according to the advisory here. Also check whether you are running any other affected SolarWinds products listed in their advisory.
Zscaler Platform Best Practices:
Zscaler has your back. Engage with our security experts to gain insight into the SolarWinds attacks and get hands-on best practices guidance to better protect your users, applications, and systems: zscaler.com/solarwinds-cyberattack
[-- End of Update --]
On Dec 8, 2020, FireEye released a public disclosure that the company had suffered a data breach involving a nation-state actor. More details about this disclosure can be found here and here. The adversary was able to steal several red team tools developed by FireEye during this attack. As part of the disclosure, FireEye also released IOCs and signatures for detecting abuse of these red team tools in the wild. In this coverage advisory, we will provide details about Zscaler’s coverage for these IOCs.
The red team tools that were stolen as part of this breach were internally developed by FireEye to test its customers’ security. These tools exhibit behavior similar to many known cyberthreat actors and do not contain any zero-day exploits or unknown techniques. According to FireEye, these tools utilize well-known, documented methods that are used by other red teams, and they do not greatly advance an attacker’s overall capabilities. Many of these tools exploit several known Remote Code Execution (RCE) vulnerabilities across different products commonly found in enterprise networks, such as legacy VPN products and several Microsoft applications. A full list of CVEs can be found here.
Regardless of whether these tools may or may not be abused by an adversary in the future, it is important to ensure detection of any use of these tools and to minimize the potential damage.
Zscaler leveraged the details on the countermeasures published by FireEye and validated that protection is already available for the majority of the vulnerabilities listed. Enhanced protection has been added wherever necessary across multiple layers of the Zscaler security platform. Below are the threat names of the existing detections:
Full list of threat names to detect FireEye's Red Team Tools abuse can be seen here.
Details related to these threat signatures can be found in the Zscaler Threat Library.
We have ensured that Zscaler Cloud Sandbox flags these red team tools. As always, Cloud Sandbox plays a critical role in blocking any custom variants that may be developed from these stolen tools.
The Zscaler ThreatLabZ team is also actively monitoring abuse attempts involving these red team tools and will ensure coverage for newer IOCs as they are discovered.