Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

SUNSPOT: An Implant in the Build Process

alankar.srivastava

Another malware discovered called SUNSPOT in Orion Build.

Can someone from solarwinds confirm whether the version 2020.2.1 HF2 is affected by this ? Any actions need to take?

Thanks,

Alankar

Find more posts tagged with

Accepted answers

sturdyerde

No, the name "SUNSPOT" refers to the specific malware that was used in the initial targeted attack against SolarWinds. "SUNSPOT" itself was not found in the code, but was used as the means of compromising the code. You can read a detailed analysis directly from Crowdstrike's blog: SUNSPOT Malware: A Technical Analysis | CrowdStrike.

The key points that they made, quoted directly:

SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Hope that info helps!

All comments

sturdyerde

The key points that they made, quoted directly:

SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Hope that info helps!

alankar.srivastava

Hi,

Thanks @sturdyerde for information .

There are many articles showing it's a new malware discovered by crowdstrike.

https://cps-vo.org/node/72790

https://www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwinds-hack/

Thanks,

Alankar

sturdyerde

Those articles are correct. Read them closely. This analysis is describing how the company itself was targeted over time. The attackers used several different pieces of malware to attack the company's servers. All of this was done to then inject the compromised code in Orion itself. The update to 2020.2.1 HF2 is still the latest clean version of Orion, as of January 12, 2021.

There are a lot of articles out there, and the information about the multi-layered attack is complex. Unfortunately some (not all) of the stories make it worse with poor writing and sensationalist (click-bait) headings to their posts. Information provided directly from SolarWinds, Crowd strike, FireEye, and CISA should really provide everything that you need to know.

https://www.solarwinds.com/securityadvisory