SOC Incident Toolkit

SolarWinds

Tags: SolarWinds, Government, Microsoft, USA, VMWare

Austin, Texas-based SolarWinds sells software that lets an organization see what is happening on its computer networks. Hackers inserted malicious code into an update of that software, which is called Orion. Around 18,000 SolarWinds customers installed the tainted update onto their systems.

Indicators of Compromise

Domains (17)

avsvmcloud.com
highdatabase.com
digitalcollege.org
thedoccloud.com
lcomputers.com
webcodez.com
virtualdataserver.com
seobundlekit.com
zupertech.com
incomeupdate.com
ervsystem.com
deftsecurity.com
infinitysoftwares.com
panhardware.com
freescanonline.com
databasegalore.com
websitetheme.com

Hashes (13)


IPv4 (10)

139.99.115.204
167.114.213.199
5.252.177.21
13.59.205.66
51.89.125.18
54.193.127.66
204.188.205.176
5.252.177.25
34.203.203.23
54.215.192.52

Notes

Exchange Management Shell PowerShell cmdlets

Get-AcceptedDomain
Get-CASMailbox
Get-Mailbox
Get-ManagementRoleAssignment
Get-OrganizationConfig
Get-OwaVirtualDirectory
Get-Process
Get-WebServicesVirtualDirectory
New-MailboxExportRequest
Remove-MailboxExportRequest
Set-CASMailbox

Mitigation

Look for traffic to any of the related malicious domains and IPv4 addresses listed in the Indicators of Compromise section.

Follow the advice from SolarWinds in their response to this incident. Use the signatures provided by FireEye to identify related activity.

Ensure that all secret keys associated with MFA or other sensitive integrations are reset following a breach.

Make sure all credentials in an organization, including service accounts, are reset following a breach, and that default passwords or passwords similar to previous ones are not used.

If you run an on-premises Exchange environment, consider adding alerting in your EDR solution for processes that invoke the Exchange Management Shell PowerShell cmdlets listed in the Notes section. This may or may not be a valid detection approach depending on how frequently the shell is used within your organization. More generally, if the Exchange Management Shell is rarely used in a legitimate administrative context, it may be worth investigating any historical use of it.
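As an added illustration (not code from this toolkit page or from SolarWinds or FireEye), the Python below turns the first and last mitigation items into a small matcher: it takes the page's own domain and IPv4 indicators and the Exchange Management Shell cmdlet list, and runs them over constructed DNS, proxy and process-creation events. The event records, hostnames under the indicator domains and the UNC path are made up for the example; only the indicator values come from the page. Domain matching covers subdomains of a listed domain, and cmdlet matching uses word boundaries so that, for instance, Get-MailboxStatistics does not count as Get-Mailbox.

```python
"""Match constructed telemetry against the SolarWinds indicators listed on this page."""
import re
from typing import Dict, List

# Domains and IPv4 addresses copied from the Indicators of Compromise section.
IOC_DOMAINS = {
    "avsvmcloud.com", "highdatabase.com", "digitalcollege.org", "thedoccloud.com",
    "lcomputers.com", "webcodez.com", "virtualdataserver.com", "seobundlekit.com",
    "zupertech.com", "incomeupdate.com", "ervsystem.com", "deftsecurity.com",
    "infinitysoftwares.com", "panhardware.com", "freescanonline.com",
    "databasegalore.com", "websitetheme.com",
}
IOC_IPS = {
    "139.99.115.204", "167.114.213.199", "5.252.177.21", "13.59.205.66",
    "51.89.125.18", "54.193.127.66", "204.188.205.176", "5.252.177.25",
    "34.203.203.23", "54.215.192.52",
}
# Cmdlets copied from the Notes section.
EMS_CMDLETS = [
    "Get-AcceptedDomain", "Get-CASMailbox", "Get-Mailbox",
    "Get-ManagementRoleAssignment", "Get-OrganizationConfig",
    "Get-OwaVirtualDirectory", "Get-Process", "Get-WebServicesVirtualDirectory",
    "New-MailboxExportRequest", "Remove-MailboxExportRequest", "Set-CASMailbox",
]
# One alternation for all cmdlets; \b stops Get-Mailbox matching inside Get-MailboxStatistics.
_CMDLET_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in EMS_CMDLETS) + r")\b", re.IGNORECASE
)
_CANON = {c.lower(): c for c in EMS_CMDLETS}  # PowerShell cmdlet names are case-insensitive


def domain_matches(host: str) -> bool:
    """True if host is a listed domain or any subdomain of one (trailing dot tolerated)."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(ip: str) -> bool:
    """True if the destination address is one of the listed IPv4 indicators."""
    return ip.strip() in IOC_IPS


def find_ems_cmdlets(command_line: str) -> List[str]:
    """Return the listed cmdlets found in a process command line, canonical names, first-seen order."""
    found: List[str] = []
    for m in _CMDLET_RE.finditer(command_line):
        name = _CANON[m.group(1).lower()]
        if name not in found:
            found.append(name)
    return found


# Constructed sample events (not real logs). Subdomain labels and the UNC path are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "dns", "host": "ws042", "query": "updates.example.com"},
    {"type": "dns", "host": "ws042", "query": "a1b2c3.made-up-label.avsvmcloud.com"},
    {"type": "proxy", "host": "ws017", "dest_ip": "13.59.205.66", "dest_host": "thedoccloud.com"},
    {"type": "proxy", "host": "ws017", "dest_ip": "198.51.100.7", "dest_host": "example.com"},
    {"type": "process", "host": "exch01", "user": "svc-backup",
     "cmdline": "powershell.exe -c Get-MailboxStatistics -Server exch01"},
    {"type": "process", "host": "exch01", "user": "jdoe",
     "cmdline": r'powershell.exe -NoP -c "New-MailboxExportRequest -Mailbox ceo -FilePath \\fileserver\exports\ceo.pst"'},
    {"type": "process", "host": "ws042", "user": "jdoe", "cmdline": "powershell.exe -c Get-Process"},
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the three checks and return one alert record per matching event."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "dns" and domain_matches(ev["query"]):
            alerts.append({"host": ev["host"], "reason": "dns query to IoC domain: " + ev["query"]})
        elif ev["type"] == "proxy":
            if domain_matches(ev.get("dest_host", "")) or ip_matches(ev.get("dest_ip", "")):
                alerts.append({"host": ev["host"],
                               "reason": "connection to IoC %s (%s)" % (ev.get("dest_host"), ev.get("dest_ip"))})
        elif ev["type"] == "process":
            hits = find_ems_cmdlets(ev["cmdline"])
            if hits:
                alerts.append({"host": ev["host"],
                               "reason": "Exchange Management Shell cmdlet(s) %s by %s" % (", ".join(hits), ev["user"])})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], "-", alert["reason"])
```

Running the block prints four alerts: the subdomain under avsvmcloud.com, the proxy connection to thedoccloud.com / 13.59.205.66, the New-MailboxExportRequest invocation on the Exchange host, and a plain Get-Process call on a workstation. The last one is the tuning problem the mitigation text warns about: Get-Process is on the cmdlet list but is a general-purpose cmdlet, so a rule built from the list as-is fires on ordinary PowerShell use and needs scoping (for example to Exchange servers, or to cmdlets that only exist with the Exchange snap-in loaded) before it is useful.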