Dec 22, 2020

SolarWinds Orion/SUNBURST


Armis Can See Impacted Devices & Attacks

Last week I wrote about the SolarWinds Orion breach and how Armis can identify anomalous traffic indicative of the presence of the SUNBURST malicious code that was inserted into affected Orion builds. And as more information comes to light about this breach, I wanted to share how Armis is able to provide complete visibility to compromised and potentially compromised systems, the activity history of those systems, and the attacks themselves.

Armis Can Identify Anomalous Behavior And Device Details 

To recap, identifying the presence of the malicious SUNBURST code requires that you can identify the vulnerable version of SolarWinds in your environment. Additionally, to see if the exploit is active, you want the ability to look for anomalous behavior such as traffic going to known command and control (C2) servers. Armis can alert you when it sees traffic going to the already identified domains and IP addresses associated with the malware.

Armis identifies vulnerable systems down to the precise version of Orion software running on the device and assigns a Risk Factor to aid in prioritization of remediation efforts. We provide 3 specific descriptions and severities:

  • Vulnerable to SUNBURST – This detects SolarWinds Orion version 2020.2. These devices receive the highest risk score as they are vulnerable and haven’t been patched.
  • Potentially Vulnerable to SUNBURST 1 – This detects SolarWinds Orion version 2019.4, and these devices receive the next highest risk score as the device is potentially vulnerable. Security team needs to ensure they are patched with Hotfix 6
  • Potentially Vulnerable to SUNBURST 2 – This detects any devices running SolarWinds Orion other than the versions above.

Risk Scores Assigned to Vulnerable Devices

How to Find Exposed Devices

Using Armis Standard Query (ASQ), Armis has the ability to query for and identify vulnerable and potentially vulnerable devices, providing  risk scores, and the ability to drill into each device.


Example of Armis ASQ Query to find SUNBURST


Results of an ASQ Query to find SUNBURST

As I mentioned last week, for the latest updates on IOCs regarding the SUNBURST malware, please refer to the CISA advisory. Also note that SolarWinds has provided a security advisory and hot fixes, and is asking customers with any affected versions of the Orion platform to upgrade as soon as possible to ensure the security of their environment.

Moving Forward

We are learning more about this breach every day and Armis will continue to provide you with updates on how to leverage Armis to find and remediate vulnerable devices. Armis has 100% visibility to everything here – the compromised product, the activity history of the compromised product, and the attacks themselves. 

From visibility to detection, investigation and remediation. We can identify / see Orion, we can see if it’s vulnerable and we can see if there was an attack / there is an attack / any future attack.

Armis threat research teams are constantly tracking emerging attacks, and are specifically focused on monitoring threats to network infrastructure, telecommunication systems, and any other benign-looking, unmanaged device, that might be targeted by SUNBURST, or any future malware.

SolarWinds/SUNBURST Risk Assessment

Armis offers a risk assessment to aid in the identification of devices vulnerable to the SolarWinds/SUNBURST malicious code. This risk assessment provides access to Armis platform features including device inventory, classification, and device risk assessment as well as a report on the number of vulnerable devices and their overall risk.

Get Updates!

Sign up to receive the latest news