Castra actively investigated for deeper, specific information from our sources about how FireEye detected such a sophisticated, persistent, nation-state backed novel attack on their network and systems. This likely was the most frightening and impactful breach that we have seen happen all year.
We are always looking for ways to bring the knowledge we gain to your systems and environment in the days and weeks ahead.
While FireEye is not a direct peer of ours, we certainly respect their systems and capabilities, and recognize that threats persist at all levels.
FireEye has released additional information about it's breach. The attack vector, now called "SUNBURST", was a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware.
In addition to identifying the affected software versions, FireEye has released multiple Indicators of Compromise (IoC) and signatures to identify this attack, and activity by the threat actor behind the attack. It is obvious there will be more revelations as FireEye and other agencies investigate the scope and scale of these seemingly related attacks.
Note Open Source available IoC at time of writing: OTX values here.
If you use SolarWinds Orion, SolarWinds recommends you "upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment". Affected versions of SolarWinds Orion were 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
We do expect some of our customers have SolarWinds Orion installed and in-use within their internal network, and we are performing proactive searches to look for signs of this tool on all networks we protect. We can prioritize and deepen our efforts on your behalf once we determine you have SolarWinds Orion.
Our team is grateful to FireEye for their full and timely disclosures, allowing Castra to remain vigilant. If you would like to schedule a conversation with our security experts about what we can do for your environment to help better detect persistent network threats, please reach out to us as we welcome a conversation like this any time.