Was posed with a cringe-worthy question today. Has anyone heard anything about SUNBURST making its way into other VM guests that share a host with the SolarWinds server, or worse, into the hypervisor layer?
Do some googling around Dark Halo APT, that's what they've been calling some of the previous hacks that have now been traced back to the Solarburst compromise. None of what I have seen specifically mentioned hypervisors, but they have said the culprits are extremely capable of gaining access and switching the accounts they use. Notably a lot of what they were doing apparently was around compromising Exchange and snooping emails.
TBH it's unknown at present. But as someone has said, Dark Halo has been traced to using this tactic and tool. It is also dependent upon the box having internet access, so it can contact the C2 server and then download additional payloads.
In all likelihood, the target was the US government, and other affected parties were likely collateral damage, but there will still be value in their information, be it for a disinformation program, selling it on the dark web, or blackmailing purposes.
I've seen many people talking about shutting servers down and building new environments, and whilst this is great, if they've gained persistence or access to other parts of the environment, then all of this will be too late. Again, it's a matter of wait and see atm, but if your box had internet access, then consider yourself compromised. Get a forensic audit completed immediately, and try to mitigate any potential threats as best as you can.