CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Request a Demo

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Request a Demo
Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
SpiderLabs Blog

Trustwave’s Action Response To the FireEye Data Breach & SolarWinds Orion Compromise

December 31, 2020 4 minutes read Trustwave SpiderLabs

UPDATES

This blog post was updated March 17 to include information on new Trustwave IDS updates.

This blog post was updated Jan. 26 to include more information about Trustwave product protections for the Raindrop malware.

This blog post was updated Jan. 15 to include more information about Trustwave product protections for the SUNSPOT malware and CVE-2020-10148.

This blog post was updated Dec. 31 to provide more information about the SUPERNOVA malware and Trustwave product protections.

This blog post was updated on Dec. 23 to provide more information about Trustwave’s response to the FireEye tools breach and SolarWinds Orion platform compromise, as well as additional clarifications to Trustwave’s non-use of affected versions of SolarWinds Orion.

 

FireEye Red Team Tools Breach

We wanted to share the plans and procedures we've put in place in response to the FireEye breach that was made public on Dec. 8, 2020.

As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.

At this time, there is no evidence or reason to believe that the FireEye breach or the theft of the red teaming tools has impacted any Trustwave customers or partners.

FireEye has also indicated that the attackers attempted to access information on internal systems related to "government customers" specifically, but there has been no evidence of data exfiltration from the affected systems. Additional investigation and adherence to responsible and legally required disclosure policies by FireEye will be required in order for a client-specific impact from these events to be further determined.The tactics, techniques and procedures (TTPs) of the threat actor(s) responsible for the breach and indicators of compromise (IOCs) are still being investigated.

We are diligently monitoring the situation, and when/if those additional details are released, we will immediately update our signatures and actively monitor and detect any indication of the threat actor(s) within our customers' assets.

More Security Actions Taking Place by Trustwave:

  • Trustwave has implemented all FireEye-recommended countermeasures and updates in response to the FireEye red team tool breach.
  • Trustwave Secure Email Gateway (SEG) customers received an update Dec. 14 to detect the stolen red teaming tools, should they be sent over email. Trustwave SEG can also detect email-borne exploits that are used by the FireEye tools (CVE- 2017-11774).
  • SNORT signatures were added on Dec. 18 to Trustwave IDS devices for detecting typical traffic from these tools.
  • Trustwave is continuously monitoring for the unauthorized usage of the stolen FireEye toolsets within our managed customer environments across geographies.
  • Trustwave released a ModSecurity WAF update for the commercial rules that block web-based exploits used by the stolen FireEye tools.
  • Trustwave Security Testing for Networks released checks on Dec. 22 for our network scanner to detect most of the vulnerabilities that are used by the stolen FireEye tools and the VMware vulnerability that was also used in these attacks (CVE-2020-4006).

Trustwave will continue to be transparent, vigilant and collaborative with the security community to protect organizations from any malicious actors that may attempt to utilize these tools.

SolarWinds Orion Platform Compromise

On Dec. 13, FireEye confirmed a SolarWinds supply chain attack as the cause of their breach via a malware-laced update for the SolarWinds Orion IT network monitoring software (affected SolarWinds Orion versions 2019.4 HF 5 and 2020.2 with no hotfix installed, and 2020.2 HF 1). The incident was reportedly the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation-state.

FireEye has named this malware SUNBURST and published a technical report with detection rules on GitHub.

According to FireEye, this newly discovered supply chain attack campaign is believed to be widespread, affecting public and private organizations that use SolarWinds Orion around the world.

SolarWinds has also published information on a separate malware reported by third parties that affects the Orion platform, referred to as SUPERNOVA.

"SUPERNOVA is not malicious code embedded within the builds of our Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."

SolarWinds has provided immediate recommended actions for affected Orion platform users to protect against SUNBURST and SUPERNOVA – via the official security advisory – as of Dec. 29.

On Dec. 13, the US Cybersecurity and Infrastructure Agency (CISA) also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.

According to CISA, "This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."

The CISA directive for organizations under scope to disconnect or power down SolarWinds Orion products immediately is not optional.

According to CISA, "Affected entities should expect further communications from CISA and await guidance before rebuilding from trusted sources utilizing the latest version of the product available." Please reference the CISA emergency directive for further updates and supplemental guidance.

Trustwave does not use the SolarWinds Orion platform versions currently known and named to be compromised by SolarWinds (2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1) and has not used these versions at any point in time. At this time, there is no evidence or reason to believe that the SolarWinds Orion compromise has impacted Trustwave.

Trustwave is continuing to conduct diligent investigations in order to further determine company, customer and partner impact.

More Security Actions Taking Place by Trustwave:

  • Trustwave technology and services teams across the globe are actively working with customers to discover and mitigate any threats as a result of the SolarWinds Orion platform compromise.
  • The Trustwave SpiderLabs threat hunting team is actively hunting across customers subscribed for hunt services for all known IOCs. For all other customers, Trustwave has run hunts using the Trustwave Fusion platform for the IP addresses associated with SUNBURST.
  • Trustwave Security Testing for Networks released checks on Dec. 17 for our network scanner to detect the known malicious versions of SolarWinds Orion.
  • Trustwave SpiderLabs global threat operations teams are taking action at the threat detection layer by adding new detection rules in the coming days for all customers based on intelligence provided.
  • Trustwave released an IDS device update on Dec. 24 to detect TLS, SSL and DNS traffic from the SUNBURST malware.
  • On Jan. 8, Trustwave released a ModSecurity WAF update for the commercial rules that protect against the exploits of the SolarWinds Orion API Authentication Bypass Vulnerability (CVE-2020-10148).
  • Trustwave Secure Email Gateway (SEG) and IDS device can detect the SUPERNOVA malware.
  • Trustwave Secure Email Gateway (SEG) customers received an update Jan. 15 to detect the SUNSPOT malware. The SUNSPOT malware is used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product, according to CrowdStrike.
  • Trustwave Secure Email Gateway (SEG) customers received an update on Jan. 21 to detect the Raindrop malware. Trustwave managed IDS/IPS devices also received an update on Jan. 22 to detect the Raindrop malware. Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike, according to Symantec.
  • On March 11, Trustwave pushed an IDS release with the following signatures related to the SolarWind attacks:
    •  5 new SLR Rules for Nobelium/Goldmax (SolarWinds Nobelium)
      • All five signatures trigger on hard-coded and variable cookie values used during session key requests and C2 traffic
    • 1 new SLR Rule for Sunshuttle DNS Request (reyweb.com) (SolarWinds Nobelium)
      • Triggers on DNS requests for the known c2 domain reyweb.com

Latest SpiderLabs Blogs

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Read More

The Secret Cipher: Modern Data Loss Prevention Solutions

This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here. Far too many organizations place Data Loss Prevention (DLP) and Data...

Read More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More