
SUNSPOT: An Implant in the Build Process


Another piece of malware, called SUNSPOT, has been discovered in the Orion build.

Can someone from SolarWinds confirm whether version 2020.2.1 HF2 is affected by this? Are any actions needed?

Thanks,

Alankar

1 Solution

No, the name "SUNSPOT" refers to the specific malware that was used in the initial targeted attack against SolarWinds. "SUNSPOT" itself was not found in the code, but was used as the means of compromising the code. You can read a detailed analysis directly from CrowdStrike's blog: SUNSPOT Malware: A Technical Analysis | CrowdStrike

The key points that they made, quoted directly:

  • SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Hope that info helps!

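The quoted key points describe a build-process implant that swaps a source file while the compiler is running, which is why a clean repository and a clean installer can coexist with a backdoored binary. The following is an added example, not code from the thread, SolarWinds or CrowdStrike, showing the defender-side check that such a substitution is meant to evade: hash every source file from the reviewed checkout into a manifest, then re-verify the tree at the moment the compiler is invoked. The sample source tree, file names and the "substituted body" stand-in are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample source tree. A real manifest is taken from the reviewed
# checkout (or committed alongside the code), never generated on the build host.
SAMPLE_TREE = {
    "src/App.cs": "class App { static void Main() { Run(); } }\n",
    "src/Worker.cs": "class Worker { static void Run() { /* business logic */ } }\n",
    "src/Config.xml": "<config><setting>value</setting></config>\n",
}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large sources do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree the compiler is about to read against the trusted manifest.

    Returns files whose contents changed, files that vanished, and files that
    appeared since the manifest was taken. All three lists empty means the
    compiler's input is exactly the reviewed source.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def write_sample_tree(root: Path) -> None:
    """Materialise the constructed sample tree under root."""
    for rel, content in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def simulate_build_with_tamper() -> dict[str, list[str]]:
    """Take a manifest from the clean tree, replace one source file between
    checkout and compile (a harmless constructed stand-in for the substitution
    the key points describe), then verify as the compiler's pre-step."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        trusted = build_manifest(root)  # taken from the reviewed checkout
        (root / "src/Worker.cs").write_text(
            "class Worker { static void Run() { /* substituted body */ } }\n"
        )
        return verify_tree(root, trusted)  # run immediately before compilation


def simulate_clean_build() -> dict[str, list[str]]:
    """Same check on an untouched tree; every list should be empty."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_tree(root)
        return verify_tree(root, build_manifest(root))


if __name__ == "__main__":
    print("tampered build:", simulate_build_with_tamper())
    print("clean build:", simulate_clean_build())
```

Because the substitution happens while the build is in progress, a check run once at checkout time proves nothing; the verification has to be wired into the step that launches the compiler (for example a pre-build target) and is strongest when paired with a reproducible rebuild of the shipped artifact from the reviewed source, so that the produced binary, not only the inputs, is compared.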

3 Replies
Those articles are correct. Read them closely. This analysis is describing how the company itself was targeted over time. The attackers used several different pieces of malware to attack the company's servers. All of this was done to then inject the compromised code in Orion itself. The update to 2020.2.1 HF2 is still the latest clean version of Orion, as of January 12, 2021.

There are a lot of articles out there, and the information about the multi-layered attack is complex. Unfortunately some (not all) of the stories make it worse with poor writing and sensationalist (click-bait) headings to their posts. Information provided directly from SolarWinds, CrowdStrike, FireEye, and CISA should really provide everything that you need to know.

https://www.solarwinds.com/securityadvisory


Hi,

Thanks @sturdyerde for the information.

There are many articles showing it's a new malware discovered by CrowdStrike.

https://cps-vo.org/node/72790

https://www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwi...


Thanks,

Alankar
