This blog post was updated March 17 to include information on new Trustwave IDS updates.
This blog post was updated Jan. 26 to include more information about Trustwave product protections for the Raindrop malware.
This blog post was updated Jan. 15 to include more information about Trustwave product protections for the SUNSPOT malware and CVE-2020-10148.
This blog post was updated Dec. 31 to provide more information about the SUPERNOVA malware and Trustwave product protections.
This blog post was updated on Dec. 23 to provide more information about Trustwave’s response to the FireEye tools breach and SolarWinds Orion platform compromise, as well as additional clarifications to Trustwave’s non-use of affected versions of SolarWinds Orion.
We wanted to share the plans and procedures we've put in place in response to the FireEye breach that was made public on Dec. 8, 2020.
As you may be aware, FireEye has explicitly stated that malicious attackers stole red team tools, both open-source and FireEye-developed, of the kind commonly used in ethical hacking engagements. We commend FireEye for the transparency of its disclosure of the breach and its countermeasures, which helps other organizations across the world secure themselves.
At this time, there is no evidence or reason to believe that the FireEye breach or the theft of the red teaming tools has impacted any Trustwave customers or partners.
FireEye has also indicated that the attackers attempted to access information on internal systems related specifically to "government customers," but there has been no evidence of data exfiltration from the affected systems. Determining any client-specific impact from these events will require further investigation by FireEye and its adherence to responsible and legally required disclosure policies. The tactics, techniques and procedures (TTPs) of the threat actor(s) responsible for the breach and the indicators of compromise (IOCs) are still being investigated.
We are diligently monitoring the situation, and if and when those additional details are released, we will immediately update our signatures and actively monitor for and detect any indication of the threat actor(s) within our customers' assets.
More Security Actions Taking Place by Trustwave:
Trustwave will continue to be transparent, vigilant and collaborative with the security community to protect organizations from any malicious actors that may attempt to utilize these tools.
On Dec. 13, FireEye confirmed a SolarWinds supply chain attack as the cause of their breach via a malware-laced update for the SolarWinds Orion IT network monitoring software (affected SolarWinds Orion versions 2019.4 HF 5 and 2020.2 with no hotfix installed, and 2020.2 HF 1). The incident was reportedly the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation-state.
FireEye has named this malware SUNBURST and published a technical report with detection rules on GitHub.
According to FireEye, this newly discovered supply chain attack campaign is believed to be widespread, affecting public and private organizations that use SolarWinds Orion around the world.
SolarWinds has also published information on a separate malware reported by third parties that affects the Orion platform, referred to as SUPERNOVA.
"SUPERNOVA is not malicious code embedded within the builds of our Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."
SolarWinds has provided, via its official security advisory (as of Dec. 29), immediate recommended actions for affected Orion platform users to protect against SUNBURST and SUPERNOVA.
On Dec. 13, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.
According to CISA, "This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."
The CISA directive requiring in-scope organizations to disconnect or power down SolarWinds Orion products immediately is not optional.
According to CISA, "Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available." Please reference the CISA emergency directive for further updates and supplemental guidance.
Trustwave does not use the SolarWinds Orion platform versions currently known and named to be compromised by SolarWinds (2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1) and has not used these versions at any point in time. At this time, there is no evidence or reason to believe that the SolarWinds Orion compromise has impacted Trustwave.
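As an added illustration (not Trustwave's code or SolarWinds' tooling), the following Python triage helper parses SolarWinds Orion version strings in the "YYYY.N HF n" form used above and flags the three versions this post names as compromised (2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1). The host inventory at the bottom is constructed sample data. A version that is not on the list is reported as "not-listed" rather than "safe", because the authoritative list is the SolarWinds advisory, and an unparseable string is reported as "unknown" so it gets manual review instead of silently passing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Versions named on this page as compromised by SUNBURST.
# Hotfix level 0 means "no hotfix installed".
AFFECTED_VERSIONS = {
    ("2019.4", 5),   # 2019.4 HF 5
    ("2020.2", 0),   # 2020.2 with no hotfix installed
    ("2020.2", 1),   # 2020.2 HF 1
}

# Matches "2020.2", "2020.2 HF 1", "2020.2.1 HF 2", case-insensitive, tolerant of spacing.
_VERSION_RE = re.compile(
    r"^\s*(?P<base>\d{4}\.\d+(?:\.\d+)?)\s*(?:HF\s*(?P<hf>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class OrionVersion:
    base: str      # e.g. "2020.2"
    hotfix: int    # 0 when no hotfix is installed


def parse_version(text: str) -> Optional[OrionVersion]:
    """Parse an Orion version string; return None if the format is not recognized."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    return OrionVersion(match.group("base"), int(match.group("hf") or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is on the page's affected list, False if not,
    None if the string could not be parsed (needs manual review)."""
    version = parse_version(text)
    if version is None:
        return None
    return (version.base, version.hotfix) in AFFECTED_VERSIONS


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'affected', 'not-listed' or 'unknown'.

    'not-listed' deliberately does not mean 'safe': only the SolarWinds
    advisory is authoritative for the full affected set.
    """
    result: Dict[str, str] = {}
    for host, version_text in inventory:
        verdict = is_affected(version_text)
        if verdict is None:
            result[host] = "unknown"
        elif verdict:
            result[host] = "affected"
        else:
            result[host] = "not-listed"
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-lab-02", "2019.4 HF 6"),
    ("orion-dr-01", "2020.2.1 HF 2"),
    ("orion-old-01", "unknown build"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it over a real inventory by replacing SAMPLE_INVENTORY with (hostname, version) pairs collected from your asset management system; any "affected" or "unknown" host should be handled under the CISA directive described above.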
Trustwave is continuing to conduct diligent investigations in order to further determine company, customer and partner impact.