F5 SIRT FireEye / SolarWinds Guidance Update
We published guidance for F5 customers concerned about protecting themselves from the red-team tools stolen from FireEye (https://devcentral.f5.com/s/articles/F5-SIRT-FireEye-Breach-Guidance) on December 11th. Since that date more details have been released by various parties; this post concentrates on the details released by SolarWinds and FireEye regarding malware inserted into specific releases of the SolarWinds Orion network management software.
The information available at the present time indicates that a sophisticated attacker was able to plant malware (dubbed SUNBURST by FireEye) into SolarWinds Orion with the intent of compromising organisations using the software.
Microsoft have also published an excellent blog with guidance and recommendations, and we are publishing additional guidance here.
F5 Specific Recommendations
As in our previous blog, BIG-IP AFM Protocol Inspection can be used to detect compromised hosts and restrict attackers by alarming and blocking potentially malicious traffic.
We would recommend taking the additional SUNBURST Snort rules published by FireEye and converting them to AFM Protocol Inspection rules applied to all outbound traffic from your organisation. These rules can be used to alert and/or block outbound traffic from the SUNBURST malware and prevent it from reaching C2 servers which may prevent the malware from being controlled by a malicious actor but, at the very least, should help identify any compromised hosts within your network.
For your convenience, F5 has already converted the Snort rules into AFM Protocol Inspection rules on AskF5 in article K17541376.
General Recommendations
You should ensure your antivirus or EDR signatures are up to date and that you are able to detect the compromised SolarWinds binaries. Consider deploying the ClamAV and/or Yara rules provided by FireEye if your antivirus vendor has not updated their own rules.
Limit outbound access from your management network and management software to only the access strictly needed in order for it to operate within your network.
Ensure you adequately limit inbound access to your management network in the same way, ideally the management network should only be accessible from trusted networks and/or over secure VPN links.
If you cannot use the AFM Protocol Inspection rules and/or Snort rules, ensure that your management network (ideally your entire network) cannot perform DNS resolution for the avsvmcloud[.]com domain as the SUNBURST backdoor uses DNS resolution of a subdomain of this domain to identify the C2 channel in use.
Consider following any guidance from DHS Emergency Directive 21-01 that is relevant to your organisation.
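As an added example (not F5's or FireEye's code), the following Python scans DNS query log lines for lookups of avsvmcloud[.]com or any subdomain of it, which lets you confirm the resolution block above is effective (the answer should be NXDOMAIN or REFUSED, not NOERROR) and identify hosts still attempting the lookup. The log line format, client addresses and the subdomain label are all constructed for the example.

```python
# Added example: flag DNS queries for avsvmcloud.com or any subdomain of it in a
# constructed DNS query log. Not F5 code; the log format below is assumed.
import re

BLOCKED_DOMAIN = "avsvmcloud.com"  # the SUNBURST C2 domain named in the advisory


def is_blocked_domain(qname: str, blocked: str = BLOCKED_DOMAIN) -> bool:
    """True if qname is `blocked` or any subdomain of it.

    Normalises case and a trailing dot, and compares on label boundaries so a
    lookalike such as notavsvmcloud.com does NOT match.
    """
    q = qname.strip().lower().rstrip(".")
    b = blocked.lower().rstrip(".")
    return q == b or q.endswith("." + b)


# Assumed log line shape: "<timestamp> <client-ip> query <qname> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$")


def scan_dns_log(lines):
    """Return (client_ip, qname, rcode) for every query touching the blocked domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_blocked_domain(m.group("qname")):
            hits.append((m.group("client"), m.group("qname"), m.group("rcode")))
    return hits


# Constructed sample log; the subdomain label is made up, not a real SUNBURST value.
SAMPLE_LOG = [
    "2020-12-14T10:00:01Z 10.0.5.20 query updates.example.net NOERROR",
    "2020-12-14T10:00:02Z 10.0.5.20 query xyz-constructed.avsvmcloud.com. NOERROR",
    "2020-12-14T10:00:03Z 10.0.5.21 query notavsvmcloud.com NOERROR",
    "2020-12-14T10:00:04Z 10.0.5.22 query avsvmcloud.com NXDOMAIN",
    "garbage line",
]

if __name__ == "__main__":
    for client, qname, rcode in scan_dns_log(SAMPLE_LOG):
        # NXDOMAIN/REFUSED shows the block working; NOERROR means the host still resolved it
        print(f"{client} queried {qname} ({rcode})")
```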
Glossary of Links
F5 SIRT’s original FireEye Breach Guidance: https://devcentral.f5.com/s/articles/F5-SIRT-FireEye-Breach-Guidance
SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory
FireEye Threat Research on SUNBURST: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
FireEye SUNBURST Countermeasures: https://github.com/fireeye/sunburst_countermeasures
Microsoft guidance on SolarWinds Orion: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
US Department of Homeland Security Emergency Directive 21-01: https://cyber.dhs.gov/ed/21-01/