A brief thread on the @CrowdStrike blog on SUNSPOT...as I read it. This confirms CrowdStrike was one of SolarWinds' IR firms, which we'd heard rumblings of before.
Why do I talk about naming things so much? This is why! CrowdStrike DOES NOT CALL THE ADVERSARY A BEAR. They call this an activity cluster named StellarParticle. This is important. It's also important to note that this is a different name than Solorigate...
Choosing their own name was a good analytic decision by CrowdStrike because they control what is defined as StellarParticle. So what I would say is that StellarParticle and Solorigate overlap, but they are clusters tracked by two different companies. (see )
This is super important. This, and other details, tell us that SUNSPOT itself was specifically used in the SolarWinds environment. This means that SUNSPOT itself should really only be in SolarWinds' threat model. (However, orgs who could be part of a supply chain compromise...
...should look at the behaviors used in this blog and consider how they could detect them in their own environment.
Internal names not matching file names could be an interesting point for hunting/detection
A classic persistence technique.
Looking for "weird things" in temp is always a good detection/hunting strategy
Again, showing pretty clearly that SUNSPOT was targeted at SolarWinds. It injects SUNBURST only if Orion software is being built. This is VERY TARGETED.
Interesting tidbit here, they found some similarity to this blog: blog.xpnsec.com/how-to-argue-l… - to me this is a great example of why threat intel analysts need to work closely with researchers, because today's research is tomorrow's adversary tradecraft.
Key takeaway from this section is "they were careful to sanitize the code." Honestly, I had to ask friends and do a bit of Googling on this section (not a computer scientist or developer...and that's okay).
I had to look up pragma statements: en.wikipedia.org/wiki/Directive… - as a friend said, they're basically hints to the compiler, and in this case the hint is "stop putting out warnings for a bit". I understand this, because as I try to code stuff, I get very annoyed with warnings.😂
This is a BEAUTIFUL summary. This is such a well-written blog. Nice work, @CrowdStrike!
And hashes for the "hashes or it didn't happen" people. But like...unless you're SolarWinds...you shouldn't expect to see these.
Yayyy YARA rules! Who's going to run them and post any VT links so we don't all have to burn retro hunts? 🙂
LOOK AT HOW THEY ADDED OBSERVABLES!!!! They didn't just list techniques!!!! I'm so happy I could cry. Plus the new @MITREattack tactics are in here!
I need to eat dinner, but you should go read this too: orangematter.solarwinds.com/2021/01/11/new…
So much 🤦‍♀️. Here's the actual blog post. Sorry, I thought I put it in the first tweet!!! crowdstrike.com/blog/sunspot-m…
Adding on this well-phrased tweet from @KimZetter to highlight what's so fascinating about this technique. SUNBURST was injected during the build process - that's really clever.
Also wanted to highlight this important reply from @Adam_Cyber. While the specific hashes may not be widely useful beyond SolarWinds, the YARA rules certainly are, and the same techniques used by SUNSPOT could be used elsewhere in build processes.
Thread by Katie Nickels (@likethecoins)