One Article Review

Home - The article:
Source Anomali
Identifier 2134713
Publication date 2020-12-29 21:22:00 (viewed: 2020-12-29 22:05:12)
Title Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds
Text On Dec. 13, FireEye published a detailed analysis about the attack carried out against SolarWinds, which appears to have compromised its Orion IT monitoring and management platform to spread the Sunburst Backdoor malware. As part of the attack, which started in March, the Orion platform started sending out the digitally-signed trojanized malware via regular updates. According to SolarWinds, the compromised update may have been installed by fewer than 18,000 of its customers, including many U.S. federal agencies and Fortune 500 firms that use Orion to monitor the health of their IT networks. In a related blog post, FireEye also announced that a highly sophisticated state-sponsored adversary penetrated its network and stole FireEye Red Team tools used to test customers’ security.

In response to the attacks, Anomali has collected, curated, and distributed clear and concise open-source intelligence (OSINT) to help organizations determine if they have been impacted. Two key resources released include a SolarWinds Breach Threat Bulletin and a FireEye Red Team Tools Breach Threat Bulletin. These continually updated resources, for use inside Anomali ThreatStream, include threat analysis, signature threat models, and over 2,000 operationalized indicators of compromise (IOCs) for automated distribution to security controls. Both are available now to Anomali’s 1,500 customers.

What Can I Do with This Threat Intelligence? ...and How to Do It

Our intent in aggregating and curating this threat intelligence is to provide organizations with high-fidelity IOCs that can immediately be pushed into their security stacks for rapid, proactive blocking and alerting. Security products that can take advantage of this actionable threat intelligence include security information and event management (SIEM), endpoint detection and response platforms, firewalls, domain name system (DNS) servers, security orchestration, automation, and response (SOAR) platforms, and other operational security products. These Anomali threat bulletins are designed to be used in conjunction with Anomali ThreatStream, a threat intelligence platform that allows organizations to aggregate, curate, analyze, and distribute multiple sources of threat intelligence to their operational security systems.

Inside of the SolarWinds Breach Threat Bulletin, all of these IOCs have been tagged with “solarwinds”, “sunburst backdoor”, “unc2452”, or “avsvmcloud.com”. This enables ThreatStream users to create a simple rule to automatically push IOCs to their security systems, enabling real-time defense against both attacks. For example, if a compromised server inside the organization attempts to connect to a command and control (C2) server outside of the organization, Anomali customers that have activated this research will automatically block the C2 URL, avoiding risk of further compromise and data exfiltration.

How Can I Get This Intelligence?

The Anomali SolarWinds and FireEye Threat Bulletins are automatically available to Anomali’s ThreatStream customers, and all organizations participating in Anomali-powered threat intelligence sharing communities (ISACs). Anomali Threat Research also created a
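The tag-based selection and routing of bulletin IOCs described above, as an added example in Python that is not part of the Anomali post or of ThreatStream: it keeps only indicators carrying one of the four bulletin tags, routes them to the control that should enforce them (DNS, firewall, SIEM), and checks constructed DNS query logs against the resulting domain list. Only avsvmcloud.com and the tag names come from the article; the feed layout, the routing table and every other value are constructed placeholders, not ThreatStream's export format.

```python
from collections import defaultdict

# Tags the SolarWinds Breach Threat Bulletin applies to its IOCs (from the article).
BULLETIN_TAGS = {"solarwinds", "sunburst backdoor", "unc2452", "avsvmcloud.com"}

# Constructed feed. Only avsvmcloud.com comes from the article; all other values
# are placeholders, and this record layout is an assumption, not ThreatStream's.
FEED = [
    {"value": "avsvmcloud.com", "type": "domain", "tags": ["solarwinds", "sunburst backdoor"]},
    {"value": "placeholder-c2.example", "type": "domain", "tags": ["UNC2452"]},
    {"value": "192.0.2.10", "type": "ip", "tags": ["solarwinds"]},
    {"value": "0" * 64, "type": "sha256", "tags": ["sunburst backdoor"]},
    {"value": "unrelated.example", "type": "domain", "tags": ["other-campaign"]},
]

# Which operational control receives each indicator type (an assumed mapping).
ROUTE = {"domain": "dns", "ip": "firewall", "sha256": "siem"}

def select_iocs(feed, tags=BULLETIN_TAGS):
    """Keep only indicators carrying at least one bulletin tag (case-insensitive)."""
    return [ioc for ioc in feed if tags & {t.lower() for t in ioc["tags"]}]

def route_iocs(iocs):
    """Group selected indicators by the control that should enforce them."""
    routed = defaultdict(set)
    for ioc in iocs:
        routed[ROUTE.get(ioc["type"], "siem")].add(ioc["value"])
    return dict(routed)

def dns_alerts(log_lines, blocked_domains):
    """Return (host, qname) for log lines whose query hits a blocked domain or a subdomain of it."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip
        host, qname = fields[1], fields[2].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in blocked_domains):
            hits.append((host, qname))
    return hits

# Constructed DNS query log lines: timestamp, source host, queried name.
SAMPLE_DNS_LOG = [
    "2020-12-14T03:00:01Z workstation-7 www.example.org.",
    "2020-12-14T03:00:02Z orion-srv01 placeholder-sub.avsvmcloud.com.",
]

if __name__ == "__main__":
    routed = route_iocs(select_iocs(FEED))
    print(routed)
    print(dns_alerts(SAMPLE_DNS_LOG, routed["dns"]))
```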
Notes
Sent Yes
Tags Malware Threat Mobile
Stories Solardwinds
The article does not appear to have been republished after its publication.

The article does not appear to be a republication of an earlier one.