The still-unfolding breach at SolarWinds could affect more than 18,000 of its customers. On December 13th, SolarWinds announced that hackers had inserted malware into a service that provides software updates for its Orion platform, which is used across the U.S. government and Fortune 500 firms to monitor the health of their networks.
The cyber research team from Expanse, a leading attack surface management company recently acquired by Palo Alto Networks, has leveraged capabilities in its Expander and Behavior products to identify instances of SolarWinds Orion visible on an organization's perimeter. Additionally, Expanse is able to reveal communications from customers’ networks to infrastructure associated with the SUNBURST campaign.
Internet-Facing SolarWinds Orion Installations
Expanse developed an HTTP fingerprint of the Orion login page to automatically detect Internet-facing SolarWinds Orion installations running affected versions 2019.4 HF5, 2020.2, and 2020.2 HF 1.
In Expander’s Issues module, organizations can see instances of these publicly exposed SolarWinds Orion devices with additional details about the servers so they can rapidly triage and remediate the exposures.
Communications to Infrastructure Associated with the SUNBURST Campaign
Expanse also developed an automated method to detect flows from organizations’ networks to infrastructure associated with the SUNBURST campaign. Expanse’s Behavior offering uses global netflow data to monitor communications to and from organizations’ perimeters.
This new capability enables Behavior to flag flows from organizations’ networks to infrastructure associated with the SUNBURST campaign using an Indicators of Compromise (IOC) list compiled from open sources.
With Expanse’s Behavior product, organizations can determine if their network has communicated with SUNBURST campaign IOCs for further investigation.
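The two checks described above (an affected-version test for the Orion builds named earlier, and matching outbound flows from an organization’s own address space against an IOC list) can be reproduced on a small scale in plain Python. The block below is an added example, not Expanse or Palo Alto Networks code, and does not reproduce their HTTP fingerprint or netflow pipeline. Every IOC, network and flow record in it is a constructed placeholder (RFC 5737 test networks and `.invalid` domains); `IOC_LIST`, `ORG_NETWORKS`, `Flow`, `IocIndex`, `flag_flows` and `is_affected_version` are names chosen for this illustration.

```python
"""Flag outbound flows to IOC-listed infrastructure and check Orion versions.

Added example, not Expanse/Palo Alto code. Every IOC, network and flow below is
a constructed placeholder (RFC 5737 test networks, .invalid domains); replace
IOC_LIST with a list compiled from open sources before real use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected Orion versions named in the text (whitespace/case-normalised below).
AFFECTED_ORION_VERSIONS = {"2019.4 HF5", "2020.2", "2020.2 HF 1"}

# Constructed placeholder IOC list: CIDR, single IP and domain entries.
IOC_LIST = [
    "203.0.113.0/24",                     # placeholder C2 network
    "198.51.100.17",                      # placeholder single C2 host
    "c2.sunburst-placeholder.invalid",    # placeholder C2 domain
]

# Constructed: address space the organisation owns (its perimeter).
ORG_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_host: Optional[str] = None  # hostname observed for dst_ip, if any


class IocIndex:
    """Splits an IOC list into IP networks and domains for matching."""

    def __init__(self, iocs: List[str]) -> None:
        self.networks = []
        self.domains = set()
        for ioc in iocs:
            try:  # single IPs become /32 (or /128) networks
                self.networks.append(ipaddress.ip_network(ioc, strict=False))
            except ValueError:  # not an IP or CIDR, treat as a domain
                self.domains.add(ioc.lower().rstrip("."))

    def match_ip(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def match_host(self, host: Optional[str]) -> Optional[str]:
        """Matches the domain itself and any subdomain of it."""
        if not host:
            return None
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def flag_flows(flows, index, org_networks) -> List[Tuple[Flow, str]]:
    """Returns (flow, matched_ioc) for outbound flows that hit the IOC index."""
    hits = []
    for flow in flows:
        src = ipaddress.ip_address(flow.src_ip)
        if not any(src in net for net in org_networks):
            continue  # not originating from the organisation's perimeter
        ioc = index.match_ip(flow.dst_ip) or index.match_host(flow.dst_host)
        if ioc:
            hits.append((flow, ioc))
    return hits


def is_affected_version(version: str) -> bool:
    """True if an Orion version string is one of the listed affected builds."""
    def norm(v: str) -> str:
        return "".join(v.split()).upper()   # "2020.2 HF 1" -> "2020.2HF1"
    return norm(version) in {norm(v) for v in AFFECTED_ORION_VERSIONS}


# Constructed sample flows: three should be flagged, two should not.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.55", 443),                  # in C2 network
    Flow("192.0.2.11", "198.51.100.99", 443),                 # benign
    Flow("192.0.2.12", "198.51.100.17", 443),                 # single-host IOC
    Flow("192.0.2.13", "198.51.100.200", 443,
         dst_host="api.c2.sunburst-placeholder.invalid"),    # subdomain of IOC
    Flow("10.0.0.5", "203.0.113.55", 443),                    # not from our perimeter
]

if __name__ == "__main__":
    for flow, ioc in flag_flows(SAMPLE_FLOWS, IocIndex(IOC_LIST), ORG_NETWORKS):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} matched IOC {ioc}")
```

The direction filter matters: the text describes flagging flows from the organization’s network outward, so a flow whose source is outside `ORG_NETWORKS` is ignored even if its destination is listed. Domain IOCs are matched on suffix labels so that subdomains of a listed domain are caught, and IOC entries are normalised to networks so a single host and a CIDR block are handled by the same lookup.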