Earlier this week, Volexity published a blog post providing details observed from multiple incident response efforts involving Dark Halo, the group tied to the SolarWinds breach. Since publication, Volexity has fielded and observed countless inquiries from organizations and individuals attempting to determine if they have been compromised. As a result of widespread confusion and concern, Volexity has written this guide to address some common questions and misconceptions, and to provide additional guidance. This guide is also available as a PDF which can be downloaded here. Have I Been Breached? This is the big question people want to answer with regard to their SolarWinds Orion installations. In order to figure this out, you first need to determine if you are, or were running, a compromised version of the software. If you know for a fact that your organization was regularly updating your SolarWinds Orion software, you should assume you were running a compromised […]
solarwinds
-
Responding to the SolarWinds Breach: Detect, Prevent, and Remediate the Dark Halo Supply Chain Attack
December 16, 2020
by Volexity Threat Research
-
Dark Halo Leverages SolarWinds Compromise to Breach Organizations
December 14, 2020
by Damien Cash, Matthew Meltzer, Sean Koessel, Steven Adair, Tom Lancaster, Volexity Threat Research
Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Volexity has also published a guide for responding to the SolarWinds breach, and how to detect, prevent, and remediate this supply chain attack. On Sunday, December 13, 2020, FireEye released a blog detailing an alleged compromise to the company SolarWinds. This compromise involved a backdoor being distributed through an update to SolarWind’s Orion software product. FireEye attributed this activity to an unknown threat actor it tracks as UNC2452. Volexity has subsequently been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo. At one particular think tank, Volexity worked three separate incidents involving Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for […]