SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered
Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor is loaded by the actual SolarWinds executable before the legitimate code, as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, so it is still unclear if the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.
Snort SIDs: 56660 - 56668
Title: Red-teaming security tools stolen as part of broad attack
Description: In an attack related to the vulnerabilities in SolarWindws products, security vendor FireEye had some red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It's currently unknown why a state-sponsored actor would want to target these tools. Typically, these types of actors target high-value data possessed by victims. As part of this disclosure, FireEye also released a repository of signatures/rules designed to detect the use of these tools across a variety of detection technologies.
Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 - 50170, 50275 - 50278, 51288 - 51289, 51368, 51370 - 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 - 53351, 53380 - 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586
ClamAV signature: W32.FindstrSearchForKeyWords