This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create Post
alankar.srivastava
Level 12
Tuesday

SUNSPOT: An Implant in the Build Process

Jump to solution

Another malware discovered called SUNSPOT in Orion Build.

Can someone from solarwinds confirm whether the version 2020.2.1 HF2 is affected by this ? Any actions need to take?

Thanks,

Alankar

0 Kudos
Reply
1 Solution
sturdyerde
MVP
MVP
Tuesday

Jump to solution

No, the name "SUNSPOT" refers to the specific malware that was used in the initial targeted attack against SolarWinds. "SUNSPOT" itself was not found in the code, but was used as the means of compromising the code. You can read a detailed analysis directly from Crowdstrike's blog: SUNSPOT Malware: A Technical Analysis | CrowdStrike

The key points that they made, quoted directly: 

  • SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Hope that info helps!

View solution in original post

Reply
3 Replies
sturdyerde
MVP
MVP
Wednesday

Jump to solution
Those articles are correct. Read them closely. This analysis is describing how the company itself was targeted over time. The attackers used several different pieces of malware to attack the company's servers. All of this was done to then inject the compromised code in Orion itself. The update to 2020.2.1 HF2 is still the latest clean version of Orion, as of January 12, 2021.

There are a lot of articles out there, and the information about the multi-layered attack is complex. Unfortunately some (not all) of the stories make it worse with poor writing and sensationalist (click-bait) headings to their posts. Information provided directly from SolarWinds, Crowd strike, FireEye, and CISA should really provide everything that you need to know.

https://www.solarwinds.com/securityadvisory
0 Kudos
Reply
sturdyerde
MVP
MVP
Tuesday

Jump to solution

No, the name "SUNSPOT" refers to the specific malware that was used in the initial targeted attack against SolarWinds. "SUNSPOT" itself was not found in the code, but was used as the means of compromising the code. You can read a detailed analysis directly from Crowdstrike's blog: SUNSPOT Malware: A Technical Analysis | CrowdStrike

The key points that they made, quoted directly: 

  • SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Hope that info helps!

View solution in original post

Reply
alankar.srivastava
Level 12
In response to sturdyerde
Tuesday

Jump to solution

Hi,

Thanks @sturdyerde for information .

There are many articles showing it's a new malware discovered by crowdstrike. 

https://cps-vo.org/node/72790

https://www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwi...

 

Thanks,

Alankar

 

0 Kudos
Reply

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
© 2021 SolarWinds Worldwide, LLC. All Rights Reserved.