![]() 12:40 UTC Updated to state that Orion Platform version 2020.2.1 HF 2 is now available ![]() 14:03 UTC Added Troj/SunBurst-A to anti-malware detections 16:28 UTC Updated “Sophos EDR customers” section with new malicious DLL SHA256 hashes. 22:35 UTC Updated “Sophos and SolarWinds” section In addition to incident response measures, we have now also undertaken precautionary forensics on our SolarWinds infrastructure, and our current assessment is that Sophos was not targeted in this attack. We have undertaken incident response steps, which we also published at in the context of recommendations to other threat responders. Upon receiving notification from SolarWinds, Sophos initiated incident response. We have also revoked trust on the compromised SolarWinds certificate used in these attacks. We have blocked all associated IP and domain indicators. If you see one or more of these IPS detections, you are likely a victim of targeted attack and should take additional remediation actions. 56661 – MALWARE-CNC outbound connection attempt.56665 – MALWARE-CNC outbound connection attempt.56660 – MALWARE-CNC outbound connection attempt.56662 – MALWARE-CNC inbound connection attempt.The list of IPS signatures to monitor on Sophos XG Firewall is: SophosLabs is in the process of releasing IPS signatures that identify Command-and-Control traffic from the active exploitation stages of the attack. Warning: check your configuration for scan exclusions. If you see one or more of these detections, you are likely a victim of targeted attack and should take additional remediation actions. SophosLabs has published the following anti-malware detections for the compromised SolarWinds components: If you not running Sophos Central, activate a free trial from our website.Under ‘MORE PRODUCTS’ in the main navigation select ‘Free Trials’ and then select Intercept X Advanced with EDR, Intercept X Advanced for Server with EDR, or both. If you are already running Sophos Central, activate the free trial directly within your console.0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589Īnyone not using Sophos EDR can activate a 30-day free trial and run the query across your estate:.The MTR team is actively monitoring all protected customer environments and has already contacted affected customers directly to discuss remedial action.ĮDR customers can run the dedicated query below to hunt for affected versions (u pdates will be posted here ) : SELECTįROM programs where name like 'SolarWinds Orion%2020.2' or name like 'SolarWinds Orion%2020.2.1%' or name like 'SolarWinds Orion%2019.4%' Īdditionally, EDR customers can look for the following malicious DLL SHA256 hashes: Sophos customers can identify whether they are running a vulnerable version in multiple ways: How to identify if you are running an impacted SolarWinds Orion version? The compromised products are SolarWinds Orion versions 2019.4 through 2020.2.1. SolarWinds, an IT monitoring specialist, reported last Sunday that it had fallen victim to a “highly-sophisticated, manual supply chain attack … likely by a nation state.” ![]() We have also published a playbook to guide any security team that has SolarWinds in their environment and is looking to initiate incident response. ** We will update this article with additional information as it becomes available.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |