{
	"id": "9c284053-0dbb-41c7-886b-d0760c499eff",
	"created_at": "2026-04-06T00:13:24.458353Z",
	"updated_at": "2026-04-10T03:21:47.727786Z",
	"deleted_at": null,
	"sha1_hash": "d1d0d0082cf327881c2276c9fdd3a0407df1b6dc",
	"title": "Threat Advisory: SolarWinds supply chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91061,
	"plain_text": "Threat Advisory: SolarWinds supply chain attack\r\nBy Nick Biasini\r\nPublished: 2020-12-14 · Archived: 2026-04-05 18:31:24 UTC\r\nUpdate 12/21: IOC section updated to include new information and associated stage.\r\nUpdate 12/18: We have been able to verify the name server for the DGA domain was updated as far back as late\r\nFebruary. Compromised binaries appear to have been available on the SolarWinds website until very recently. The\r\nblog below has been amended with this information. The IOC list has been modified.\r\nUpdate 12/17: Additional IOCs added related to the TEARDROP secondary payload.\r\nUpdate 12/16: Based on the announcement from FireEye, Microsoft, and GoDaddy, avsvmcloud[.]com has been\r\nunblocked as it is now functioning as a kill switch in an effort to help limit adversaries' access. Please note that this\r\ndoes not imply complete protection from these attacks. Additional remediation steps should and\r\nmust be taken. Additional details here.\r\nUpdate 12/14: We note there is a discrepancy in guidance coming from DHS and SolarWinds. The SolarWinds\r\nadvisory suggests users upgrade to the latest version, Orion Platform version 2020.2.1 HF 1, while DHS guidance\r\nsays 2020.2.1 HF 1 is affected. However, we note that SolarWinds announced they will be releasing another hot-fix, 2020.2.1 HF 2, on December 15, which “replaces the compromised component and provides several\r\nadditional security enhancements.” Talos urges customers to follow DHS guidance at this time and install\r\n2020.2.1 HF 2 as soon as it becomes available.\r\nCisco Talos is monitoring yesterday's announcements by FireEye\r\nand Microsoft that a likely state-sponsored actor compromised potentially thousands of high-value government\r\nand private organizations around the world via the SolarWinds Orion product. FireEye reported on Dec. 
8 that it\r\nhad been compromised in a sophisticated attack in which state-sponsored actors stole sensitive red team tools.\r\nUpon investigating the breach further, FireEye and Microsoft discovered that the adversary gained access to\r\nvictims' networks via trojanized updates to SolarWinds' Orion software.\r\nThreat activity details\r\nIn another sophisticated supply-chain attack, adversaries compromised updates to the SolarWinds Orion IT\r\nmonitoring and management software, specifically a component called\r\n\"SolarWinds.Orion.Core.BusinessLayer.dll\" in versions 2019.4 HF 5 through 2020.2.1. The digitally signed\r\nupdates were posted on the SolarWinds website until recently. This backdoor is being tracked by FireEye as\r\nSUNBURST, and it can communicate with third-party servers using HTTP. The backdoor is loaded by the actual\r\nSolarWinds executable before the legitimate code, so as not to alert the victim that anything is amiss.\r\nAfter a period of dormancy, which can last up to two weeks, the backdoor can execute commands to transfer and\r\nexecute files, profile the system, reboot the machine and disable system services. Note that a number of\r\nSUNBURST samples have been observed along with varying payloads, including a memory-only dropper dubbed\r\n\"TEARDROP,\" which was then used to deploy Cobalt Strike beacons.\r\nhttps://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html\r\nPage 1 of 7\n\nThe adversaries leverage administrative privileges obtained during the on-premises compromise to access the\r\nvictim's global administrator account and/or trusted SAML token-signing certificate. The adversary can forge\r\nSAML tokens that impersonate any of the organization's existing users and accounts, including highly privileged\r\naccounts, allowing them to bypass multi-factor authentication for services such as the Office 365 suite. Security\r\nresearchers have observed that the targeted users are often key IT and security personnel. 
Because the SAML\r\ntokens are signed with the organization's own trusted certificate, they can be used to log in to any on-premises resource or cloud\r\nenvironment, regardless of vendor.\r\nThe adversary also uses sophisticated techniques for communications. The backdoor identifies its command and\r\ncontrol (C2) server using a domain generation algorithm (DGA) to construct and resolve a subdomain of\r\navsvmcloud[.]com, which it can use to deliver second-stage payloads and access or exfiltrate data. Network traffic\r\noriginating from the malware appears as legitimate Orion protocol traffic and the adversaries store information in\r\nlegitimate plugin configuration files, all causing it to look like normal SolarWinds network traffic. The actor sets\r\nthe hostnames on their C2 infrastructure to match legitimate hostnames found within the victim's environment.\r\nThe adversary mainly relied on IP addresses originating from the same country as the victim. All of these measures are\r\ndesigned to evade detection.\r\nInitial findings suggest that the campaign began in late February 2020 and lasted several months. SolarWinds and\r\nCISA issued security advisories warning of active exploitation of the SolarWinds Orion Platform software\r\nreleased between March and June, and Microsoft has been tracking the SUNBURST backdoor since March.\r\nImpact\r\nSolarWinds confirmed that fewer than 18,000 of its 300,000 customers downloaded the compromised update.\r\nStill, the effects of this campaign are potentially staggering, with the company's products being used by several\r\nhigh-value entities. Victims reportedly include government agencies and consulting, technology, telecom, and oil\r\nand gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports\r\nalso indicate that the U.S. 
Treasury and Commerce departments were targeted in what is likely related to the\r\nsame activity.\r\nResponse\r\nSolarWinds issued a security advisory recommending users upgrade to the latest version, Orion Platform version\r\n2020.2.1 HF 1, as soon as possible. In response to this activity, on Dec. 13, 2020 the U.S. Department of\r\nHomeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to\r\nreview their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion\r\nproducts immediately. Microsoft has named this attack \"Solorigate\" in Windows Defender and, along with other\r\nindustry partners, has published guidance and timelines for this activity.\r\nCISA and DHS provided required actions and mitigations in their advisories:\r\nForensically image system memory and/or host operating systems hosting all instances of SolarWinds Orion versions\r\n2019.4 through 2020.2.1 HF 1, and analyze for new user or service accounts.\r\nDisconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF 1, from their\r\nnetwork.\r\nIdentify the existence of \"SolarWinds.Orion.Core.BusinessLayer.dll\" and\r\n\"C:\\WINDOWS\\SysWOW64\\netsetupsvc.dll\".\r\nBlock all traffic to and from hosts where any version of SolarWinds Orion software has been installed.\r\nIdentify and remove threat-actor controlled accounts and persistence mechanisms.\r\nReset all credentials used by SolarWinds software and implement a rotation policy for these accounts.\r\nRequire long and complex passwords.\r\nSee Microsoft's guidance and documentation on kerberoasting.\r\nWe urge all organizations that use the\r\nSolarWinds Orion IT monitoring and management software to carefully follow the guidance from DHS and\r\nCISA. We also note that Cobalt Strike was observed being leveraged in these attacks. 
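As an added example (this is not code from the Talos advisory, from CISA or from SolarWinds), the identification step in the CISA/DHS actions above as a PowerShell triage script to run elevated on an Orion server. It finds every copy of SolarWinds.Orion.Core.BusinessLayer.dll, hashes each one, compares the SHA-256 against the SUNBURST entries from the IOC list at the end of this advisory, and checks for netsetupsvc.dll under SysWOW64. The search roots (Program Files, ProgramData and inetpub) are assumptions about a default install and should be extended for non-default locations:

```powershell
# Added example, not code from the Talos advisory, CISA or SolarWinds.
# Run in an elevated PowerShell session on the Orion server.

# Assumed default install locations; add any custom drive or folder here.
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'SolarWinds' }
$SearchRoots += Join-Path $env:SystemDrive 'inetpub'
$SearchRoots = $SearchRoots | Where-Object { Test-Path $_ }

# SUNBURST SHA-256 values copied from the IOC list in this advisory. The
# SUPERNOVA hash and the two non-convicted partial-code hashes are left out.
$SunburstHashes = @(
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    'ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c',
    'c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77',
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
    'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600',
    'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
    '0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589',
    'db9e63337dacf0c0f1baa06145fd5f1007002c63124f99180f520ac11d551420',
    'eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed',
    'abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417',
    '20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9',
    '2ade1ac8911ad6a23498230a5e119516db47f6e76687f804e2512cc9bcfda2b0'
)

$Findings = @()

# 1. Every copy of the business-layer DLL. Orion keeps more than one
#    (service directory, web site bin folder), so recurse rather than
#    checking a single well-known path.
$DllCopies = $SearchRoots | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -ErrorAction SilentlyContinue
}
foreach ($Dll in $DllCopies) {
    $Hash = (Get-FileHash -Path $Dll.FullName -Algorithm SHA256).Hash.ToLower()
    $Sig  = Get-AuthenticodeSignature -FilePath $Dll.FullName
    $Findings += [pscustomobject]@{
        Path     = $Dll.FullName
        Version  = $Dll.VersionInfo.FileVersion
        SHA256   = $Hash
        Sunburst = $SunburstHashes -contains $Hash
        # The trojanized updates were validly signed by SolarWinds, so a
        # Valid status here is not evidence that the file is clean. Only the
        # hash match (or a vendor-confirmed clean hash) settles that.
        SigState = $Sig.Status
        Signer   = $Sig.SignerCertificate.Subject
    }
}

# 2. The second file CISA asks you to look for; its presence is the indicator.
$NetSetupSvc = Join-Path (Join-Path $env:windir 'SysWOW64') 'netsetupsvc.dll'
if (Test-Path $NetSetupSvc) {
    $Findings += [pscustomobject]@{
        Path     = $NetSetupSvc
        Version  = (Get-Item $NetSetupSvc).VersionInfo.FileVersion
        SHA256   = (Get-FileHash -Path $NetSetupSvc -Algorithm SHA256).Hash.ToLower()
        Sunburst = $false
        SigState = (Get-AuthenticodeSignature -FilePath $NetSetupSvc).Status
        Signer   = 'n/a - presence of this file is itself an indicator'
    }
}

$Findings | Format-Table -AutoSize

if (($Findings.Sunburst -contains $true) -or (Test-Path $NetSetupSvc)) {
    Write-Warning 'SUNBURST/TEARDROP indicator present. Follow the CISA/DHS actions: isolate the host and image it before remediating.'
    exit 1
}
'No known-bad Orion hashes or netsetupsvc.dll found. Absence of a hash match is not a clean bill of health; the hash list covers only the samples published so far.'
```

A non-zero exit code makes the script usable from a remote management job across a fleet of Orion servers; treat any hit as a trigger for the imaging and disconnection steps rather than deleting the file, since the advisory notes that removing Orion components can break the installation.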
Cisco Talos released\r\na research paper detailing the large amount of coverage for the Cobalt Strike framework. Our pre-existing\r\ncoverage is still applicable and can reliably detect FireEye red team beacons and other activity.\r\nIncident Response\r\nCisco Talos Incident Response (CTIR) is currently supporting retainer customers in regard to the SolarWinds\r\nOrion SUNBURST backdoor. CTIR recommends organizations update incident response plans and playbooks, or run a\r\ntabletop exercise (TTX), to test the organization's ability to respond to a supply-chain attack. Finally, once\r\nmitigation efforts have been successfully put in place, CTIR recommends a targeted threat hunt leveraging\r\nindicators and adversary TTPs.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nSnort:\r\nSIDs 56660-56668\r\nAMP:\r\nTrojan.Sunburst.[A-Z]\r\nTrojan.Teardrop.[A-Z]\r\nClamAV:\r\nWin.Countermeasure.Sunburst-9816012-0\r\nWin.Countermeasure.Sunburst-9809153-0\r\nWin.Countermeasure.Sunburst-9816013-0\r\nWin.Countermeasure.Sunburst-9809152-0\r\nWin.Dropper.Teardrop-9808996-3\r\nPUA.Tool.Countermeasure.DropperRaw64TEARDROP-9808998-0\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nSecure Cloud Analytics uses a variety of analytical processes to identify anomalous and malicious behavior\r\noccurring on the network. This particular threat can have some heuristic indicators to identify potential\r\nSolarWinds Orion servers, including SNMP traffic, scanning activity, and anomalous DNS traffic.\r\nThe “New SNMP sweep” alert will have fired if a server has been attempting to reach a large number of hosts\r\nusing SNMP. Start a search in Monitor -> Alerts using the name of the alert, and search over the last month\r\n(including closed alerts).\r\nThe “IP scanner” observation triggers when a device is seen on the network scanning a large number of entities.\r\nIt can be included in “New SNMP sweep” as evidence, among other alerts (like “Outbound SMB spike” or\r\n“NetBios connection spike”). Look for this type of observation in your network.\r\n“Domain Generation Algorithm Successful Lookup” is an alert that will trigger when a device succeeds in\r\nresolving an algorithmically generated domain (e.g., rgkte-hdvj.cc) to an IP address. 
This alert uses the\r\nDomain Generation Algorithm Success observation and may indicate a malware infection or botnet\r\nactivity.\r\nOnce you have identified the mentioned alert or observation, you can investigate all the servers related to them, as\r\nthey are potentially SolarWinds Orion servers.\r\nThese types of detections and others can be applied to a variety of different threats through Secure Cloud\r\nAnalytics to identify behavior not directly associated with existing IOCs or TTPs, like C&C connections, lateral\r\nmovement and data exfiltration.\r\nSecure Workload can be used to identify compromised or affected assets and can be leveraged to apply primary\r\nmitigations as recommended by CISA, including restricting network traffic to least privilege.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nFor Cisco customers that are concerned about potential impacts to Cisco products, please see the PSIRT advisory\r\navailable here.\r\nIndicators of compromise (IOCs)\r\nDomains:\r\navsvmcloud[.]com (SUNBURST) - kill switch domain, currently unblocked\r\nzupertech[.]com (SUNBURST)\r\npanhardware[.]com (SUNBURST)\r\ndatabasegalore[.]com (SUNBURST)\r\nincomeupdate[.]com (SUNBURST)\r\nhighdatabase[.]com (SUNBURST)\r\nwebsitetheme[.]com (SUNBURST)\r\nfreescanonline[.]com (SUNBURST)\r\nvirtualdataserver[.]com (SUNBURST)\r\ndeftsecurity[.]com (SUNBURST)\r\nthedoccloud[.]com (SUNBURST)\r\ndigitalcollege[.]org (SUNBURST)\r\nglobalnetworkissues[.]com (SUNBURST)\r\nseobundlekit[.]com (SUNBURST)\r\nvirtualwebdata[.]com (SUNBURST)\r\nkubecloud[.]com (BEACON)\r\nlcomputers[.]com (BEACON)\r\nsolartrackingsystem[.]net (BEACON)\r\nwebcodez[.]com (BEACON)\r\nervsystem[.]com (TEARDROP)\r\ninfinitysoftwares[.]com (TEARDROP)\r\nIP Addresses:\r\n13.59.205[.]66 (SUNBURST)\r\n54.193.127[.]66 (SUNBURST)\r\n3.87.182[.]149 (BEACON)\r\n3.16.81[.]254 (SUNBURST)\r\n54.215.192[.]52 (SUNBURST)\r\n18.253.52[.]187 (SUNBURST)\r\n34.203.203[.]23 (SUNBURST)\r\n18.220.219[.]143 (SUNBURST)\r\n139.99.115[.]204 (SUNBURST)\r\n13.57.184[.]217 (SUNBURST)\r\n34.219.234[.]134 (BEACON)\r\n5.252.177[.]25 (SUNBURST)\r\n5.252.177[.]21 (SUNBURST)\r\n204.188.205[.]176 (SUNBURST)\r\n51.89.125[.]18 (SUNBURST)\r\n162.223.31[.]184 (BEACON)\r\n173.237.190[.]2 (BEACON)\r\n45.141.152[.]18 (BEACON)\r\nSHA256 hashes:\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 (SUNBURST)\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 (SUNBURST)\r\nac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c (SUNBURST)\r\nc09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 (SUNBURST)\r\nc15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 (SUPERNOVA)\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 (SUNBURST)\r\nd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 (SUNBURST)\r\ndab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b (SUNBURST)\r\n1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (TEARDROP)\r\nb820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (TEARDROP)\r\n0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589 (SUNBURST)\r\ndb9e63337dacf0c0f1baa06145fd5f1007002c63124f99180f520ac11d551420 (SUNBURST)\r\n118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51 (TEARDROP)\r\neb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed 
(SUNBURST)\r\nabe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417 (SUNBURST)\r\n20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9 (SUNBURST)\r\n2ade1ac8911ad6a23498230a5e119516db47f6e76687f804e2512cc9bcfda2b0 (SUNBURST)\r\n6e4050c6a2d2e5e49606d96dd2922da480f2e0c70082cc7e54449a7dc0d20f8d (TEARDROP)\r\nThe following hashes reference files that contain incomplete portions of modified code, not enough to permit remote\r\ncode execution. As a result, we are not convicting these files, since removing them may create additional issues by\r\nbreaking existing SolarWinds installations.\r\na25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc\r\nd3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af\r\nSource: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html"
	],
	"report_names": [
		"solarwinds-supplychain-coverage.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1d0d0082cf327881c2276c9fdd3a0407df1b6dc.pdf",
		"text": "https://archive.orkl.eu/d1d0d0082cf327881c2276c9fdd3a0407df1b6dc.txt",
		"img": "https://archive.orkl.eu/d1d0d0082cf327881c2276c9fdd3a0407df1b6dc.jpg"
	}
}