SUNBURST detection

SUNBURST is a backdoor delivered through SolarWinds software. It enters the infrastructure through a trojanized software update that looks like a legitimate one. The malware was constructed so carefully that it went undetected for a long time. It disguises its communications very cleverly, making them look like legitimate connections, and even uses IP addresses matching the victim's country so that its traffic is not recognized as an anomaly.

What is the risk? First of all, this calculated attack aims at exfiltrating specific information: user logins and passwords, personal data, and also insight into the secrets of the organization and its intellectual property, such as technologies and designs. Finally, SUNBURST allows unauthorized persons to take control of the compromised system. The threat posed by this backdoor is very serious.

At Energy Logserver, we have collected a large amount of information about this threat and, based on it, prepared a set of rules that detect the presence of SUNBURST in the monitored environment.

While SUNBURST activity is well masked, it is not undetectable. The Threat Intelligence system built into Energy Logserver, once configured, is able to observe traces of this malware. After adding at least two monitoring objects, Agents can send the key information that helps identify the threat.

Objects for monitoring can be as basic as the Windows Defender subsystem and the Task Scheduler. Both Windows Defender and the Task Scheduler can reveal attempts characteristic of SUNBURST activity.

In addition, our Threat Intelligence database contains over 2,100 indicators associated with SUNBURST activity or SolarWinds-related malware. Among other types, they include file hashes, IP addresses and domains.
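To illustrate the kind of rule that such monitoring objects and indicator lists feed, here is an added example written for this page; it is not Energy Logserver's own rule or parser code. It matches constructed JSON events against a small hypothetical indicator set of file hashes, IP addresses and domains, treats Windows Defender detections (event IDs 1116 and 1117 in the Defender Operational log) and scheduled-task creations (Security log event ID 4698) as signals, and escalates a host that shows both an indicator hit and a newly created scheduled task. The event IDs are the documented Windows ones; every indicator, hash, host name, threat name and log line is a constructed placeholder rather than a real SUNBURST IoC, and the event field names are assumptions about how an agent would present the data.

```python
import json
from collections import defaultdict

# Hypothetical placeholder indicators, constructed for this example.
# A real deployment would load these from the Threat Intelligence feed.
IOC = {
    "sha256": {"0123456789abcdef" * 4},   # 64 hex chars, not a real hash
    "ip": {"198.51.100.23"},              # TEST-NET-2 documentation address
    "domain": {"update.example.net"},
}

DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_DETECTION_IDS = {1116, 1117}   # malware detected / action taken
TASK_CREATED_ID = 4698                  # Security log: a scheduled task was created


def normalize_domain(name):
    return name.strip().rstrip(".").lower()


def domain_hit(qname, ioc_domains):
    """True if qname equals an IoC domain or is a subdomain of one."""
    q = normalize_domain(qname)
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def check_event(ev):
    """Return a list of (severity, reason) findings for one event; [] if clean."""
    findings = []
    h = ev.get("file_sha256")
    if h and h.lower() in IOC["sha256"]:
        findings.append(("high", f"file hash {h[:12]}... is on the IoC list"))
    ip = ev.get("dst_ip")
    if ip and ip in IOC["ip"]:
        findings.append(("high", f"connection to IoC address {ip}"))
    qn = ev.get("dns_query")
    if qn and domain_hit(qn, IOC["domain"]):
        findings.append(("high", f"DNS query for IoC domain {qn}"))
    src, eid = ev.get("source"), ev.get("event_id")
    if src == DEFENDER_LOG and eid in DEFENDER_DETECTION_IDS:
        findings.append(("high", f"Defender event {eid}: {ev.get('threat_name', '?')}"))
    if src == "Security" and eid == TASK_CREATED_ID:
        findings.append(("low", f"scheduled task created: {ev.get('task_name', '?')}"))
    return findings


def scan(lines):
    """Parse JSON lines, group findings by host and give each host a verdict.
    A host with an indicator/Defender hit AND a new scheduled task is 'critical'."""
    per_host = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue   # a malformed line must not abort the whole scan
        for finding in check_event(ev):
            per_host[ev.get("host", "unknown")].append(finding)
    verdict = {}
    for host, items in per_host.items():
        sevs = {sev for sev, _ in items}
        verdict[host] = ("critical" if sevs == {"high", "low"}
                         else "high" if "high" in sevs else "low")
    return verdict, dict(per_host)


# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_LOG = """
{"host": "orion01", "source": "Microsoft-Windows-Sysmon/Operational", "event_id": 1, "file_sha256": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}
{"host": "orion01", "source": "Security", "event_id": 4698, "task_name": "Maintenance Cleanup"}
{"host": "ws07", "source": "dns", "dns_query": "api.update.example.net."}
{"host": "ws07", "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 1116, "threat_name": "Trojan:Win32/Placeholder"}
{"host": "fileserver", "source": "Security", "event_id": 4698, "task_name": "Backup"}
{"host": "fileserver", "source": "netflow", "dst_ip": "203.0.113.5"}
this line is deliberately malformed
"""

if __name__ == "__main__":
    verdict, details = scan(SAMPLE_LOG.splitlines())
    for host, level in sorted(verdict.items()):
        print(host, level, details[host])
```

Two details matter in practice: domain indicators are matched on the parent domain as well as exact names, because the malware's lookups carry generated subdomains, and a scheduled-task creation on its own only produces a low-severity note, since those are routine; it is the combination with an indicator hit on the same host that raises the verdict.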

Energy Logserver can be extended with a package of predefined alerts for SUNBURST detection. Additionally, using the methods available in Energy Logserver, parsers can be refined to detect malware activity in SolarWinds environments more precisely.