BlackBerry’s internal security teams, along with many of you, are tracking in real time the evolution of the SolarWinds/FireEye incident that has unfolded since December 8, when FireEye disclosed a sophisticated attack that led to the “unauthorized access of their red team tools.”
On December 13, FireEye publicly disclosed that SolarWinds’ software had allegedly been leveraged by advanced attackers to infiltrate numerous organizations, including FireEye. According to FireEye’s security advisory, an update to SolarWinds’ Orion software solution was Trojanized and a backdoor was distributed by this update, ultimately used to distribute the malware known as SUNBURST.
What We Are Doing
Since the news broke of this attack, BlackBerry has taken swift action to ensure that all known hashes related to this attack have either been convicted by our BlackBerry® Protect model, or added to the Global Black List (GBL). BlackBerry has also classified all known samples as malicious and created layered defense mechanisms, starting with a global blacklist and progressing through the creation of centroids and BlackBerry® Optics rules to combat these threats (See the references section below).
We continue to remain vigilant and proactive in monitoring our environment and those of our customers as the situation progresses.
BlackBerry Guard and Incident Response Team
In addition to the product enhancements mentioned above, the BlackBerry® Guard managed detection and response (MDR) service continues to sweep managed environments for new indicators of compromise 24/7.
The required actions outlined by the U.S. Department of Homeland Security (DHS) provide excellent guidance for those organizations that have the expertise to accomplish those tasks. If you would like expert guidance, BlackBerry® Security Services also offers Incident Response (IR) and Compromise Assessment (CA) services to assist organizations in determining whether they have been breached and in evicting threat actors if required.
Our Incident Response team can work with organizations, of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity and resilience of their network infrastructure. For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form which is monitored around the clock.
A Final Word…
BlackBerry commends FireEye for their transparency and co-operative approach in publicly disclosing and exposing this threat. This is a threat that will continue to unfold and will need to be faced by a united and informed cybersecurity community.
References and Indicators of Compromise
The following links provide a description of the breach and some indicators/remediation steps you can use to mitigate this situation:
- https://isc.sans.edu/forums/diary/SolarWinds+Breach+Used+to+Infiltrate+Customer+Networks+Solarigate/26884/
- https://cyber.dhs.gov/ed/21-01/
- https://www.solarwinds.com/securityadvisory
- https://github.com/fireeye/sunburst_countermeasures/
Overview and Remediation:
- https://cyber.dhs.gov/ed/21-01/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Indicators of Compromise (IoCs):
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://github.com/fireeye/sunburst_countermeasures/
BlackBerry Knowledge Base (KB):
- KB Article Title: Sunburst Malware Optics Rules
- KB Article Number: 000072364
- KB Article Link: https://support.blackberry.com/kb/articleDetail?articleNumber=000072364
- KB Article Title: FireEye Optics Rules
- KB Article Number: 000072316
- KB Article Link: http://support.blackberry.com/kb/articleDetail?articleNumber=000072316