SUNBURST: A Deep Dive into the Scariest Supply Chain Attack Yet

SolarWinds.Orion.Core.BusinessLayer.dll is a file name that shall live in infamy. A highly sophisticated attacker apparently compromised the SolarWinds build process and inserted a backdoor into this DLL upstream from it being digitally signed with SolarWinds code-signing certificate. Then it was distributed as part of the Orion product to up to potentially 18,000 customers. Orion was an attractive target for this supply chain attack because systems monitoring software often communicates with and potentially has privileged access to every system on a network worth monitoring.

In this real training for a free event, we will take you on a deep dive into SUNBURST and share everything we know including how:

  • The attackers compromised the Orion build process to trojanize SolarWinds.Orion.Core.BusinessLayer.dll.
  • The malware works once it is deployed by a customer
  • SUNBURST sits tight for a few weeks and then attempts to stealthily make contact with its controllers.
  • If directed, it then proceeds to move laterally through the network using a number of credential theft and impersonation techniques

Bring two tanks for this dive because senior security researcher, Chad Anderson from DomainTools, will then take over and dissect SUNBURST’s C2 network traffic. You will learn how SUNBURST tries to quietly find its C2 server using DNS infrastructure and communicate with it. We will explore how SUNBURST attempts to blend in by appropriating Orion Improvement Program protocol for its own use as a “cover” protocol for encapsulating its C2 traffic.

Please join us for this real training for a free event. DomainTools will finish by conducting further analysis of the SolarWinds supply chain incident within the Iris investigation platform.