Solarwinds Supply Chain Attack

FireEye released a great blog post about the SolarWinds supply chain attack:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

They also published some countermeasures:
https://github.com/fireeye/sunburst_countermeasures

The countermeasures include NIDS rules, network based indicators, file hashes, and yara rules. Each of these are broken out into separate sections below. Each of the sections includes a very quick high-level overview for how you might use those indicators in your Security Onion 16.04 or Security Onion 2.3 deployment.

NIDS Rules

https://github.com/fireeye/sunburst_countermeasures/blob/main/all-snort.rules

This file contains NIDS rules. If you are currently running the Emerging Threats (ET) ruleset, it should be noted that it's possible that these NIDS rules will be merged into the ET ruleset soon. You might want to go ahead and add them manually for immediate coverage. If and when they are added to ET, you may then want to remove your local additions.

UPDATE 2020-12-14 2:38 PM Eastern
The ET ruleset now includes these rules, so ET ruleset users should get these automatically as part of their normal daily download:
http://lists.emergingthreats.net/pipermail/emerging-updates/2020-December/004981.html

Security Onion 16.04

• https://docs.securityonion.net/en/16.04/local-rules.html#adding-local-rules

Security Onion 2.3

• https://docs.securityonion.net/en/2.3/local-rules.html#nids

Network Based Indicators

https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv

This file contains domain names and IP addresses.

Security Onion 16.04

• You might want to retroactively search for these domain names and IP addresses using Kibana.
• You might want to add them to Zeek Intel:
  https://docs.securityonion.net/en/16.04/zeek.html#intel

Security Onion 2.3

• You might want to retroactively search for these domain names and IP addresses using Hunt or Kibana.
• You might want to add them to Zeek Intel:
  https://docs.securityonion.net/en/2.3/zeek.html#intel

File Hashes

https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv

This file contains file hashes. 

Security Onion 16.04

• You might want to retroactively search for these file hashes using Kibana.
• You might want to add them to Zeek Intel:
  https://docs.securityonion.net/en/16.04/zeek.html#intel

Security Onion 2.3

• You might want to retroactively search for these file hashes using Hunt or Kibana.
• You might want to add them to Zeek Intel:
  https://docs.securityonion.net/en/2.3/zeek.html#intel

Yara Rules

https://github.com/fireeye/sunburst_countermeasures/blob/main/all-yara.yar

This file contains yara rules.

Security Onion 2.3

• These yara rules have already been added to Florian Roth's signature-base Github repo as apt_solarwinds_sunburst.yar, so assuming your Security Onion 2.3 deployment has Internet access, it should have already downloaded apt_solarwinds_sunburst.yar as part of the normal daily download. 
• Going forward, Strelka should scan any newly extracted files using these yara rules. 
• You might want to retroactively scan previously extracted files by copying them to /nsm/strelka/ on a sensor.