The SolarWinds supply chain attack, whose backdoor was named SUNBURST by FireEye and Solorigate by Microsoft, has affected a large number of organisations, including FireEye, Google, and Microsoft. The attack was carried out by an APT group that compromised SolarWinds' build process for the Orion product line, so that legitimately signed Orion updates carried a malicious backdoor.
As our contribution to the response to this attack, we used Elemendar's AI analyst to process three cyber threat intelligence (CTI) reports, one from each of three security vendors.
This report focuses on indicators of compromise (IOCs), because IOCs need to be processed rapidly to detect and mitigate potential breaches within a company's network. The results output by Elemendar are listed at the end of this report.
One observation is that no single CTI report has a complete listing of IOCs: some list malicious C2 domains while others list malicious file hashes. For a human security analyst to obtain a full listing of IOCs, multiple reports must therefore be processed manually, in detail, and without mistakes. We limited this exercise to three reports to avoid a large data dump; ideally a larger number of reports would be used to ensure that all published IOCs were collected.
This takes a human analyst time, whereas Elemendar's AI can analyse multiple reports simultaneously and tag all relevant information in a fraction of that time. Human analysts are also prone to mistakes: it is all too easy to label a file hash as a filename or to mistype a value, especially when time is of the essence.
The analysis of the CTI reports listed below was conducted using only the results output by the Elemendar trial. All output reports were received by email in under 30 seconds.
The advantage of being able to ingest a large number of CTI reports quickly is that their results can easily be cross-referenced against each other to check the accuracy of the data within them. Even with the very small sample size used in this report, four of the five SHA1 hashes in the Trend Micro report also appear in the ReversingLabs report, and similarly for the malicious domains in the Trend Micro and McAfee reports.
Many thanks to ReversingLabs, Trend Micro and McAfee for their prompt publishing of essential security research. We hope that this meta-report will help defenders implement these actionable insights even faster.
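The cross-referencing and label-checking described above can be automated once each report is available as a STIX 2 bundle. The script below is an added example written for this page; it is not Elemendar's code and does not use the trial's output. It pulls every comparison out of each indicator's pattern, infers the IOC kind from the value itself (hex length for hashes, shape for domains), flags values whose inferred kind disagrees with the label the report gave them (the "hash tagged as something else" slip mentioned earlier), and reports which values appear in more than one report. The three bundles it runs on are constructed placeholders with dummy hashes and an example.net domain, not real SUNBURST indicators.

```python
"""Cross-reference IOCs across several STIX 2 bundles.

Added example for this page, not Elemendar's code. The sample bundles below
are constructed with placeholder values and are NOT real SUNBURST IOCs.
"""
import json
import re
from collections import defaultdict

# One comparison inside a STIX 2 pattern, e.g.
#   file:hashes.'SHA-1' = 'abc...'   or   domain-name:value = 'c2.example.net'
# Matching comparisons rather than whole patterns also handles "[a OR b]" patterns.
COMPARISON_RE = re.compile(
    r"(?P<obj>[\w-]+):(?P<prop>[^=\s\[\]]+)\s*=\s*'(?P<value>[^']*)'"
)
HASH_KINDS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def load_bundle(path):
    """Read a STIX 2 bundle saved as JSON (e.g. a downloaded trial bundle)."""
    with open(path) as fh:
        return json.load(fh)


def classify_value(value):
    """Infer the IOC kind from the value itself, ignoring how the report labelled it."""
    v = value.strip()
    if HEX_RE.fullmatch(v) and len(v) in HASH_KINDS:
        return HASH_KINDS[len(v)]
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def labelled_kind(obj, prop):
    """Kind the pattern claims: file:hashes.'SHA-1' -> 'SHA-1', domain-name:value -> 'domain'."""
    if obj == "file" and prop.startswith("hashes."):
        return prop[len("hashes."):].strip("'")
    if obj == "domain-name" and prop == "value":
        return "domain"
    return prop


def extract_iocs(bundle):
    """Yield (labelled_kind, inferred_kind, value) for every comparison in every indicator."""
    for sdo in bundle.get("objects", []):
        if sdo.get("type") != "indicator":
            continue
        for m in COMPARISON_RE.finditer(sdo.get("pattern", "")):
            value = m.group("value").lower()  # hashes and domains compare case-insensitively
            yield labelled_kind(m.group("obj"), m.group("prop")), classify_value(value), value


def cross_reference(bundles):
    """Map each IOC value to the reports containing it; collect label/value mismatches."""
    seen = defaultdict(set)
    mismatches = []
    for name, bundle in bundles.items():
        for claimed, inferred, value in extract_iocs(bundle):
            seen[value].add(name)
            if claimed != inferred:
                mismatches.append((name, value, claimed, inferred))
    return dict(seen), mismatches


def corroborated(seen, minimum=2):
    """Values that at least `minimum` independent reports agree on."""
    return sorted(v for v, sources in seen.items() if len(sources) >= minimum)


# ---- constructed sample data (placeholders, not real indicators) ----
SHA1_A, SHA1_B, SHA256_C = "a" * 40, "b" * 40, "c" * 64


def _bundle(*patterns):
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
            "objects": [{"type": "indicator", "pattern_type": "stix", "pattern": p}
                        for p in patterns]}


SAMPLE_REPORTS = {
    "vendor-1": _bundle(f"[file:hashes.'SHA-1' = '{SHA1_A}']",
                        f"[file:hashes.'SHA-1' = '{SHA1_B}']"),
    "vendor-2": _bundle(f"[file:hashes.'SHA-1' = '{SHA1_A}' OR file:hashes.'SHA-256' = '{SHA256_C}']",
                        "[domain-name:value = 'c2.example.net']"),
    # 64 hex characters labelled as SHA-1: the kind of slip a cross-check should catch
    "vendor-3": _bundle(f"[file:hashes.'SHA-1' = '{SHA256_C}']",
                        "[domain-name:value = 'c2.example.net']"),
}

if __name__ == "__main__":
    seen, bad = cross_reference(SAMPLE_REPORTS)
    for value, sources in sorted(seen.items()):
        print(f"{classify_value(value):8} {value[:16]:>16}  in {sorted(sources)}")
    for name, value, claimed, inferred in bad:
        print(f"label mismatch in {name}: {value[:16]} labelled {claimed}, looks like {inferred}")
```

Point `load_bundle` at real bundle files and swap them into the dictionary passed to `cross_reference`; values that several reports agree on are the ones to push to blocking first, and any mismatch line is worth a manual look before the IOC is loaded into a detection tool.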
Lee Jones – CTI Analyst – Elemendar
Elemendar CTI report analysis
ReversingLabs report
STIX2 Report: https://trial.elemendar.com/stix/bundle--2a844dad-f1f4-4bf9-a499-8ec500388326
SHA1 file hashes
Windows processes used
Trend Micro report
CTI Report: https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html
STIX2 Report: https://trial.elemendar.com/stix/bundle--91490614-27ca-4074-9f1e-5f866b6dae98
SHA256 file hashes
SHA1 file hashes
McAfee report
CTI Report: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/
STIX2 Report: https://trial.elemendar.com/stix/bundle--ede93a93-872b-404d-bde1-439b46a8facb