SUNBURST backdoor vulnerability found in SolarWinds Orion IT monitoring

December 2020 by Jesse Rothstein, CTO and co-founder, ExtraHop

"ExtraHop researchers have analyzed the SUNBURST command-and-control domains published by FireEye on Sunday. Using a combination of Open-Source Intelligence (OSINT) and proprietary tools, we’ve been able to expand the indicators of compromise to a list of over 500 IP addresses that were used by the attackers during the campaign. While many of these IPs are no longer active, we recommend that organizations query their network logs over a long time interval and search for activity to these IPs. The SUNBURST trojan is dormant for long periods of time and might only occasionally perform DNS resolutions. We believe that the full extent of this attack is yet to be determined and are sharing these IOCs with the broader security community with the hope that it can help some of the impacted organizations who do not yet realize that they were compromised."
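One way to carry out the check the statement recommends, as an added example that is not ExtraHop's tooling: it matches network log lines against an IOC address list over the whole retention window and records first-seen, last-seen and hit count per internal host, so that sporadic contact from a long-dormant implant is not lost in a short-window search. The IOC addresses, log format and log lines below are constructed placeholders, not the real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed placeholder IOC set (RFC 5737 documentation ranges), NOT the real
# SUNBURST indicators; load the published list here in practice.
SUNBURST_IOC_IPS = {"192.0.2.10", "198.51.100.7", "203.0.113.55"}

# Constructed log lines in a simple "timestamp src_ip dst_ip event" form,
# spanning many months to mimic an implant that is mostly dormant.
SAMPLE_LOG = """\
2020-03-12T02:14:05Z 10.0.5.21 192.0.2.10 dns-resolve
2020-03-12T02:14:06Z 10.0.5.21 8.8.8.8 dns-resolve
2020-05-30T23:59:10Z 10.0.5.21 192.0.2.10 tcp-connect
2020-06-01T11:02:44Z 10.0.9.4 203.0.113.55 dns-resolve
2020-11-19T04:40:01Z 10.0.5.21 198.51.100.7 tcp-connect
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, event = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, event


def scan_log(text, iocs=SUNBURST_IOC_IPS):
    """Return {src_ip: {"hits", "first", "last", "dsts"}} for every internal
    host that contacted an IOC address anywhere in the log window."""
    hosts = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "dsts": set()})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, _event = parsed
        if dst not in iocs:
            continue
        h = hosts[src]
        h["hits"] += 1
        h["first"] = ts if h["first"] is None or ts < h["first"] else h["first"]
        h["last"] = ts if h["last"] is None or ts > h["last"] else h["last"]
        h["dsts"].add(dst)
    return dict(hosts)


def dormant_span_days(entry):
    """Days between a host's first and last IOC contact: a large span with few
    hits is the low-and-slow pattern a short search window would miss."""
    return (entry["last"] - entry["first"]).days
```

A host with three hits spread over eight months is exactly the case that a search limited to the last few weeks of logs would not surface.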