Pre-March/2020: Supply Chain Attack
SolarWinds was the victim of a complex, targeted supply chain cyber attack whose primary goal was to insert a malicious backdoor into trusted (signed) software that could later be exploited in end-customer installations of the SolarWinds Orion platform. As reported by SolarWinds, the earliest visible trace of the attacker is test code inserted into the October 2019 software release.

It has been claimed that the attackers first gained access to SolarWinds infrastructure by exploiting a vulnerability in an authentication service. They were then able to persist and monitor emails and files to identify the developers they needed to target.

Once identified, those developers were targeted with spear phishing to infect the local machines they were trusted to check source code in from.

March/2020: Distribution
Starting in March 2020, SolarWinds distributed the infected builds from its website, as regular software patches, to unsuspecting SolarWinds Orion customers. The impacted versions are 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1.

Once a customer upgrades to an impacted version, the attacker gains an initial foothold on that customer's SolarWinds Orion server, from which the malware can target chosen endpoints and install further malware on them.

After installation on the victim, the backdoor eventually contacts its C&C server and may then download subsequent malware.

December 8, 2020: Discovery
On December 8, 2020, FireEye announced that it had been the victim of a cyber attack, disclosing that some of its advanced "red team" tools had been stolen. Within the following week, FireEye determined that the breach originated from the SolarWinds backdoor.

On December 13, 2020, CISA issued Emergency Directive 21-01 regarding this issue.

FireEye and SolarWinds subsequently released detailed announcements:
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
https://www.solarwinds.com/securityadvisory#anchor1
Vendor: SolarWinds
In the wild since: March/2020
Description: SolarWinds signed software containing a planted backdoor was released in March 2020 as a regular (trusted) software patch. The backdoor was not discovered until the FireEye breach became public nine months later.
References:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://www.solarwinds.com/securityadvisory/faq
https://www.solarwinds.com/securityadvisory
Cyber Kill Chain

Reconnaissance, Weaponization: no product coverage is listed for these stages.

Delivery: Today, many Fortinet products powered by FortiGuard Services block the delivery of this malicious software, including FortiGate, FortiSandbox, FortiClient, FortiEDR, FortiAI, etc.

Exploitation: Multiple products and services, including FortiGuard IPS and FortiDeceptor, detect and prevent lateral movement within the enterprise network.

Installation: With FortiGuard AV and Web Filtering, multiple products including FortiClient, FortiGate and FortiEDR can block installation of the known malware.

C2: Multiple products leverage the FortiGuard Botnet IP / FQDN database for protection against callbacks to C&C systems.

Action: For customers who are concerned about vulnerable SolarWinds versions running in their network and want to monitor or hunt for threats, the Fortinet SOC teams have released several updates for FortiAnalyzer, FortiEDR, FortiSOAR, FortiClient EMS and others.
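The hunt described under the Action stage can be scripted from the two indicators this page gives: the impacted Orion versions and the avsvmcloud.com C&C domain. The following Python is an added example and is not Fortinet's or SolarWinds' code; the inventory format, the DNS resolver log format, the host names and every sample line are constructed for illustration. It cross-references a version inventory with resolver logs so that a host on an impacted build that also resolved the C&C domain is surfaced first, and it rejects look-alike domains that a naive substring match would flag.

```python
"""Hunt for SUNBURST exposure from two indicators given on this page:
the impacted Orion versions (2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1)
and the C&C domain avsvmcloud.com.

Added example, not Fortinet's or SolarWinds' code. The inventory format, the
DNS log format, the host names and every sample line are constructed for
illustration.
"""
from __future__ import annotations

import re

# Orion builds that shipped the backdoor, as listed in the SolarWinds advisory.
IMPACTED_VERSIONS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Domain the backdoor calls back to (the page's web filter entry references it).
C2_DOMAIN = "avsvmcloud.com"

# Accepts "Orion Platform 2020.2 HF1", "2019.4 HF5", "2020.2.1 HF 2", ...
_VERSION_RE = re.compile(r"(\d{4}\.\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?", re.IGNORECASE)


def normalize_orion_version(raw: str) -> str:
    """Canonicalize an Orion version string to the advisory's "2020.2 HF 1" form."""
    m = _VERSION_RE.search(raw)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {raw!r}")
    base, hotfix = m.group(1), m.group(2)
    return f"{base} HF {int(hotfix)}" if hotfix else base


def is_impacted(raw_version: str) -> bool:
    """Exact match against the advisory's builds; neighbouring hotfixes are not flagged."""
    return normalize_orion_version(raw_version) in IMPACTED_VERSIONS


def is_c2_lookup(qname: str) -> bool:
    """Match avsvmcloud.com and any subdomain, but not look-alikes such as
    notavsvmcloud.com or avsvmcloud.com.example.net."""
    q = qname.rstrip(".").lower()
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


# Constructed resolver log format: "<timestamp> <client> query <type> <qname>".
_DNS_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def c2_lookups(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client host, qname) for every lookup of the C&C domain."""
    hits = []
    for line in log_text.splitlines():
        m = _DNS_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        if is_c2_lookup(m.group("qname")):
            hits.append((m.group("ts"), m.group("host"), m.group("qname")))
    return hits


def triage(inventory: list[tuple[str, str]], log_text: str) -> dict[str, list[str]]:
    """Cross-reference the version inventory with C&C lookups.

    A host on an impacted build that also resolved the C&C domain is the
    strongest signal; a non-Orion host resolving it suggests the attacker has
    already moved beyond the Orion server.
    """
    impacted = {host for host, version in inventory if is_impacted(version)}
    beaconing = {host for _, host, _ in c2_lookups(log_text)}
    return {
        "impacted_and_beaconing": sorted(impacted & beaconing),
        "impacted_only": sorted(impacted - beaconing),
        "beaconing_only": sorted(beaconing - impacted),
    }


# Constructed sample data (hypothetical host names and Orion versions).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "Orion Platform 2020.2 HF1"),
    ("orion-lab-02", "Orion Platform 2020.2.1 HF 2"),  # not in the impacted list
    ("orion-dr-03", "2019.4 HF5"),
    ("orion-old-04", "2019.4 HF 4"),                   # not in the impacted list
]

SAMPLE_DNS_LOG = """\
2020-12-14T03:12:07Z orion-prod-01 query A aaaabbbbcccc0000.avsvmcloud.com
2020-12-14T03:12:09Z ws-finance-17 query A www.solarwinds.com
2020-12-14T03:15:41Z ws-finance-17 query A ddddeeeeffff1111.avsvmcloud.com
2020-12-14T03:16:00Z ws-hr-05 query A avsvmcloud.com.example.net
2020-12-14T03:16:02Z ws-hr-05 query A notavsvmcloud.com
this line is not a DNS record and must be skipped
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, SAMPLE_DNS_LOG).items():
        print(f"{bucket}: {hosts}")
```

Run as-is it prints the three triage buckets for the constructed data; point `triage()` at a real inventory export and resolver log to use it. Because the advisory lists specific builds, the version check is an exact match against those builds rather than a range comparison, and the domain check anchors on the label boundary so that hosts resolving unrelated names containing "avsvmcloud" are not reported.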
Protection (FortiGate, FortiClient, FortiEDR, FortiSandbox)

Block Network Download: FortiGuard Anti-Virus Database Update
Version Info: 82.548
Link: https://www.fortiguard.com/encyclopedia/virus/8279742/w32-sunburst-a-tr
Other Info: Was released as MSIL/Agent.XXXX!tr and later renamed as W32/Sunburst.A!tr

Block/Detect App Communication: FortiGate App Control Database Update
Version Info: 16.989
Link: https://www.fortiguard.com/appcontrol/49721

Block Exploit: FortiGate IPS Database Update
Version Info: 16.981
Link: https://www.fortiguard.com/encyclopedia/ips/49692/solarwinds-sunburst-backdoor
Other Info: Was released as Fireeye.Red.Team.Tool and later renamed as SolarWinds.SUNBURST.Backdoor

Block Lateral Movement: FortiGate IPS Database Update
Version Info: 16.981
Link: https://www.fortiguard.com/encyclopedia/ips/49692/solarwinds-sunburst-backdoor
Other Info: Internal Segmentation - detect lateral movement

Block Web Communication & Downloads: FortiGate Web Filtering
Version Info: Latest
Link: https://www.fortiguard.com/webfilter?q=avsvmcloud.com&version=8

Block Endpoint Installations: FortiClient & FortiEDR
Version Info: 82.548
Link: https://www.fortiguard.com/encyclopedia/virus/8279742/w32-sunburst-a-tr
Other Info: Was released as MSIL/Agent.XXXX!tr and later renamed as W32/Sunburst.A!tr

Block C&C Communication: FortiGate Botnet C&C Database
Version Info: 16.981
Link: https://www.fortiguard.com/encyclopedia/ips/49692/solarwinds-sunburst-backdoor

Defuse Compromised Endpoint: FortiEDR
Version Info: v4, v5
Link: https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack

Analyzer / SIEM / SOAR Threat Hunting & Playbooks

IOC Threat Hunting: IOC Database Update (FAZ, FSM)
Version Info: 0.01727
Link: https://ioc.fortiguard.com/search?query=Sunburst&filter=tags

Event Handlers & Threat Hunting Report: FortiAnalyzer Event Handler & Report
Version Info: 6.2, 6.4
Link: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD50871

SIEM Rules & Threat Hunting Report: FortiSIEM Rules & Reports
Version Info: 5.x, 6.x
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD51637

SOAR Playbook: FortiSOAR Playbook
Version Info: n/a
Link: https://fusecommunity.fortinet.com/viewdocument/solarwinds-backdoor-sunburst-inci

Vulnerability & Endpoint Threat Hunting

Endpoint Threat Hunting: FortiClient Endpoint Search (Threat Hunting)
Version Info: n/a
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD50877

ZTNA Auto Tagging: FortiClient ZTNA Tags & Quarantine Rules
Version Info: n/a
Link: https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD50882
Detect Vulnerable Host: Endpoint Vulnerability Database Update
Version Info: 1.229
Link: https://www.fortiguard.com/updates/epvuln?version=1.229

Block Network Download: FortiAI ANN
Version Info: 1.057
Link: https://filestore.fortinet.com/fortiguard/downloads/FortiAI_Solarwind_846e27a652a5e1bfbd0ddd38a16dc865.pdf
Other Info: Was released as MSIL/Agent.XXXX!tr and later renamed as W32/Sunburst.A!tr

Fortinet Products Summary

Product | Services | Version | Other info
FortiGate | IPS | 16.981 | Blocks exploit & lateral movement
FortiGate | AV | 82.548 | Blocks trojan payload
FortiGate | App Control | 16.989 | Block/detect communication to the attack surface (Orion Platform)
FortiGate | Web Filter | SaaS | Blocks known IOC
FortiGate | Botnet C&C | 16.981 | Blocks known C&C
FortiEDR | EDR | v4, v5 | Defuses compromised host behaviours & callbacks (zero day protection)
FortiClient | Vuln. Detection | 1.229 | Identifies vulnerable host
FortiClient | Threat Hunting | 6.2, 6.4 | Detects vulnerable hosts
FortiClient | ZTNA Tag | 6.4 | Auto tagging of vulnerable endpoints, can be used in fabric automation
FortiAnalyzer | IOC | 0.01727 | Detect IOC / C&C communications
FortiAnalyzer | Reports & Event Handlers | 6.2, 6.4 | Detects indicators attributed to SolarWinds detections across the fabric
FortiSIEM | IOC | 0.01727 | Detect IOC / C&C communications
FortiSIEM | Reports & Rules | 5.x, 6.x | Detects indicators attributed to SolarWinds detections across the fabric
FortiSOAR | Playbook | 6.4.3+ | Playbook for SolarWinds detections
FortiAI | ANN | 1.057 | FortiAI detects the sample as a backdoor; see the FortiAI VSA