Learn why Netskope debuted as a leader in the 2024 Gartner® Magic Quadrant™️ for Single-Vendor Secure Access Service Edge

Read how innovative customers are successfully navigating today’s changing networking & security landscape through the Netskope One platform.

Get the eBook

Learn about Netskope Partners

Group of diverse young professionals smiling

Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook

Learn about NewEdge

Lighted highway through mountainside switchbacks

Learn how we secure generative AI use

Learn about Zero Trust

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud

2025 Predictions
In this episode of Security Visionaries, we're joined by Kiersten Todt, President at Wondros and former Chief of Staff for the Cybersecurity and Infrastructure Security Agency (CISA) to discuss predictions for 2025 and beyond.

Play the podcast Browse all podcasts

Read how Netskope can enable the Zero Trust and SASE journey through secure access service edge (SASE) capabilities.

Read the blog

Learn how to navigate the latest advancements in SASE and zero trust and explore how these frameworks are adapting to address cybersecurity and infrastructure challenges

Explore sessions

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more

Supporting Sustainability Through Data Security

At Netskope, founders and leaders work shoulder-to-shoulder with their colleagues, even the most renowned experts check their egos at the door, and the best ideas win.

Join the team

Go to Customer Solutions

Learn about Training and Certifications

Netskope Threat Coverage: SUNBURST & FireEye Red Team (Offensive Security) Tools

Request Demo

Summary

On Dec 8, 2020, the cybersecurity company FireEye reported that there had been a cyber attack on their systems. As part of this attack, their inventory of Red Team tools was stolen. These tools could potentially be used by a threat actor against unsuspecting victims. On Dec 13, 2020, after further investigation of this attack, FireEye reported that the initial vector came through SolarWinds, an upstream vendor, as a malicious trojanized update of SolarWinds’ Orion IT platform.

FireEye has identified and published the indicators of compromise (IOCs) for both their red team tools and the trojanized update. NSIQ, Netskope’s threat intelligence platform, includes the IOCs published by FireEye, protecting our customers from SUNBURST and the FireEye Red Team tools.

Protection

SolarWinds.Orion.Core.BusinessLayer.dll is the digitally signed component of the Orion framework that contains the backdoor. This plugin was delivered in multiple updates on the SolarWinds website, including:

hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp

FireEye has labeled this trojanized version of the plug-in SUNBURST. According to the FireEye report, the threat group responsible for this, SolarStorm (UNC 2452), has successfully used this attack on many companies worldwide. SolarWinds reported that of its 300,000 customers, no more than 18,000 have downloaded the malicious update.

FireEye has shared the countermeasures including Snort, Yara, and ClamAV rules. We are implementing the following updates to incorporate the FireEye countermeasures:

Increasing coverage in our CTEP (IPS) engine for Snort rules
Pushing updated intel based on the published rules for expanded coverage in our threat protection platform

Netskope has ensured coverage for all known threat indicators and payloads shown below and future countermeasures will be implemented as ongoing emergency updates as they become available and will be pushed to production independent of release cycles. Netskope Threat Labs will provide updates as they become available.

SUNBURST IOCs

Domains

As reported by FireEye here

freescanonline[.]com
deftsecurity[.]com
thedoccloud[.]com
avsvmcloud[.]com
zupertech[.]com
panhardware[.]com
databasegalore[.]com
incomeupdate[.]com
highdatabase[.]com
websitetheme[.]com
virtualdataserver[.]com
digitalcollege[.]org
globalnetworkissues[.]com
seobundlekit[.]com
virtualwebdata[.]com

Hashes (MD5)

SUNBURST samples from here

2c4a910a1299cdae2a4e55988a2f102e (SolarWinds.Orion.Core.BusinessLayer.dll)
846e27a652a5e1bfbd0ddd38a16dc865 (SolarWinds.Orion.Core.BusinessLayer.dll)
b91ce2fa41029f6955bff20079468448 (SolarWinds.Orion.Core.BusinessLayer.dll)
56ceb6d0011d87b6e4d7023d7ef85676 (app_web_logoimagehandler.ashx.b6031896.dll)
4f2eb62fa529c0283b28d05ddd311fae (OrionImprovementBusinessLayer.2.cs)
02af7cec58b9a5da1c542b5a32151ba1(CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp)

FireEye Red Team tool IOCs

The Red Team tools IOCs can be found in the FireEye GitHub Repository.

Dagmawi Mulugeta

Dagmawi Mulugeta is a security researcher with interests in cloud security, incident analysis & prediction, exploit development, and large-scale data analysis.