1/n

A good thread to get a grounding on the breach from the 14th December by @KimZetter. https://twitter.com/KimZetter/status/1338305089597964290
And an official @FireEye report: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
We can see some initial reverse engineering starting to look into the code which has been backdoored. The basic IP pass list has been detailed by @MalwareJake. https://twitter.com/MalwareJake/status/1338337358605905920
Colin @cybercdh has been looking at the binary and provided a decoding recipe using GCHQ's CyberChef. https://twitter.com/cybercdh/status/1338885244246765569
And he has also built a Go script to decode the process hash pass list, providing a deeper insight into the mindset of the threat actors responsible. https://twitter.com/cybercdh/status/1338975171093336067
It is still unclear and unconfirmed how this breach occurred; however, we see some notable tweets from threat hunters who appear to have found weak passwords for the platform in the public domain dating back to 2019. https://twitter.com/vinodsparrow/status/1338431183588188160
GreyNoise ( @GreyNoiseIO) has started to see public scanning for the open port, showing that threat actors are now interested in piggybacking on compromised systems, or that threat researchers are trying to understand the scale of compromised hosts. https://twitter.com/obsecurus/status/1338873777652953090
Experts at @RedDrip7 have spent time reversing the DGA used to allow greater visibility of the threat. This could also create a lot more noise for researchers investigating this campaign. https://twitter.com/RedDrip7/status/1339168187619790848
Here we have @DAlperovitch keeping people calm and bringing them back to reality.
Not all clients of Orion are targets. The majority received the 'killswitch' command. https://twitter.com/DAlperovitch/status/1338865470485622785?s=20
Great rundown by @SANSInstitute hosted by @MalwareJake and @robtlee giving an overview of the attack.
Again pulling public data and sources together to save you hours of hunting.
Note this was presented on the 13th so the info is not the latest.
A kill switch has been found and activated by FireEye.
Note, this will remove the SUNBURST malware from infected networks, but the threat actors have likely established additional persistence techniques in target networks.
Still this is a great result! https://twitter.com/FireEye/status/1339295983583244302?s=19
Confirmation that further networks were targeted and exploited with investigations ongoing. https://twitter.com/DAlperovitch/status/1339632267837251586?s=19
More confirmed victims: the Energy Department and the National Nuclear Security Administration.
Not officially confirmed to be linked, but it is highly likely these victims are from the #SolarWinds Orion attack. https://twitter.com/NatashaBertrand/status/1339669287846506496?s=19
Data visualisation helps understand the threat to all levels of technical ability.
A graph shared by @gordoncorera clearly shows the global spread of the threat. https://twitter.com/gordoncorera/status/1339877966898225154?s=20
Confirmation of UK targets: The UK's National Cyber Security Centre ( @NCSC) - an arm of intelligence agency @GCHQ - is at the forefront of responding and is working with government and industry to investigate what might have been stolen. https://www.bbc.co.uk/news/technology-55368213
A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says. https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html
A complete list of internal organisation names targeted by the SolarWinds Orion hack has been published. https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
This is also being run by @BleepinComputer - SolarWinds victims revealed after cracking the Sunburst malware DGA https://www.bleepingcomputer.com/news/security/solarwinds-victims-revealed-after-cracking-the-sunburst-malware-dga/
Some of the best technical write-ups on this topic come from a victim of the hack themselves. FireEye is world-leading in cyber threat intelligence. https://twitter.com/FireEye/status/1342210634675597315?s=19