Solorigate

Malware updated a month ago (2024-11-29T13:46:41.353Z)
Download STIX
Preview STIX
Solorigate, also known as SUNBURST, is a sophisticated malware that was used in a series of cyberattacks in 2021. The malware was discovered to have been implanted into the SolarWinds Orion software through a supply-chain compromise, which Microsoft initially dubbed as "Solorigate". This allowed the attackers to breach government agencies and high-profile companies by exploiting misconfigurations in Microsoft's Active Directory Federation Services among other methods for espionage purposes. The complex attack chain involved a handover from the Solorigate DLL backdoor to the Cobalt Strike loader, a component yet to be fully understood. Microsoft has published multiple reports detailing the activity related to this attack campaign, including an analysis of the compromised DLL file that initiated the cyberattack. In addition, Microsoft has provided guidance for their customers on protecting themselves against such attacks. Advanced Hunting Queries (AHQ) related to Solorigate were made available in Microsoft's AHQ repository on GitHub to help locate possible exploitation activity. Recommendations for hardening networks against Solorigate and similar sophisticated cyberattacks have also been outlined. The disclosure of the Solorigate attack led to extensive investigations, providing more details and intelligence that were used to improve existing detections and build new ones. Security operations teams can refer to Microsoft's comprehensive guide on detecting and investigating Solorigate. Alerts were raised by Microsoft Defender for Endpoint on Solorigate-related malicious activity as early as June 2020. Forensic analysis of known cases with malicious activity occurring between May and November 2020 revealed relevant alerts generated by Microsoft Defender for Endpoint and Microsoft Defender for Identity.
Description last updated: 2024-05-04T18:41:04.263Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
SUNBURST is a possible alias for Solorigate. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Microsoft
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Solorigate Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more