
SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021)
ID: S0562
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 12 Jan 2021
Last Modified: 27 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1565.001 Data Manipulation: Stored Data Manipulation

SUNSPOT created a copy of the SolarWinds Orion software source file with a .bk extension to backup the original content, wrote SUNBURST using the same filename but with a .tmp extension, and then moved SUNBURST using MoveFileEx to the original filename with a .cs extension so it could be compiled within Orion software.(Citation: CrowdStrike SUNSPOT Implant January 2021)
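The substitution sequence above (copy the source to .bk, stage the replacement as .tmp, rename it over the .cs) leaves two things a build pipeline can check for: a source file whose hash no longer matches the checkout, and .bk or .tmp residue beside it. The following is an added defender-side example, not code from the page, MITRE, CrowdStrike or SolarWinds; it assumes a baseline is taken right after checkout and verified just before compilation, and the file name InventoryManager.cs is inferred from the InventoryManager.bk the page mentions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SOURCE_EXT = ".cs"
RESIDUE_EXTS = (".bk", ".tmp")  # extensions SUNSPOT used for its backup and staged copies


def snapshot_tree(root):
    """Map each source file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SOURCE_EXT):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
    return baseline


def verify_tree(root, baseline):
    """Compare the tree against the checkout baseline and return sorted findings."""
    current = snapshot_tree(root)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("removed", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    findings += [("added", rel) for rel in current if rel not in baseline]
    # Residue check: a .bk or .tmp file sitting beside a .cs file with the same stem.
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext in RESIDUE_EXTS and stem + SOURCE_EXT in filenames:
                findings.append(("residue", os.path.relpath(os.path.join(dirpath, name), root)))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a checkout, mimic the swap, then verify."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "InventoryManager.cs"
        src.write_text("class InventoryManager {}\n")  # constructed stand-in for the real source
        baseline = snapshot_tree(root)
        # The sequence the page describes: copy to .bk, write .tmp, rename .tmp over the .cs.
        src.with_suffix(".bk").write_bytes(src.read_bytes())
        src.with_suffix(".tmp").write_text("class InventoryManager { /* tampered */ }\n")
        os.replace(src.with_suffix(".tmp"), src)
        return verify_tree(root, baseline)
```

In a real pipeline the baseline should be produced from the VCS checkout, stored outside the build host, and compared immediately before the compiler is invoked, since the page notes the swap was timed to land between checkout and compilation.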

Enterprise T1480.002 Execution Guardrails: Mutual Exclusion

SUNSPOT creates a mutex using the hard-coded value `{12d61a41-4b74-7610-a4d8-3028d2f56395}` to ensure that only one instance of itself is running.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Enterprise T1070.004 Indicator Removal: File Deletion

Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\Windows\Temp\vmware-vmdmp.log.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Enterprise T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Groups That Use This Software

ID Name References
G0118 UNC2452 (Citation: CrowdStrike SUNSPOT Implant January 2021)
G0016 APT29 (Citation: CrowdStrike SUNSPOT Implant January 2021) (Citation: MSTIC Nobelium Toolset May 2021)
