
UNC2452

UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management system.

Known Campaigns

Solarwinds (TBD-2020)

A sophisticated threat actor dubbed UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management system. They planted a backdoor (Sunburst) specifically in the dynamic-link library named SolarWinds.Orion.Core.BusinessLayer.dll, which is loaded by the following .NET executables (depending on system configuration):

  • SolarWinds.BusinessLayerHost.exe
  • SolarWinds.BusinessLayerHostx64.exe
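As an added example (not code from the original post), the following check runs over image-load telemetry and flags the two host executables above loading a copy of SolarWinds.Orion.Core.BusinessLayer.dll that is either not validly signed or not in a known-good hash baseline. It assumes Sysmon-style image-load events (Event ID 7) already parsed into dicts with the keys shown; the install path, sample events and baseline hash are constructed placeholders.

```python
"""Detect suspicious loads of the Orion business-layer DLL in image-load telemetry.

Added example, not code from the original post. It assumes Sysmon-style
image-load events (Event ID 7) already parsed into dicts with the keys used
below (Computer, Image, ImageLoaded, Signed, SignatureStatus, SHA256). The
sample events, install path and baseline hash are constructed placeholders.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# The two .NET host executables named in the post and the module Sunburst was planted in.
HOST_IMAGES = {"solarwinds.businesslayerhost.exe", "solarwinds.businesslayerhostx64.exe"}
TARGET_MODULE = "solarwinds.orion.core.businesslayer.dll"

# Placeholder baseline: populate with SHA256 values of the DLL verified against vendor media.
KNOWN_GOOD_SHA256 = {"0000000000000000000000000000000000000000000000000000000000000000"}


@dataclass(frozen=True)
class Finding:
    computer: str
    image: str
    module_path: str
    reasons: Tuple[str, ...]


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_image_load(event: dict) -> Optional[Finding]:
    """Return a Finding when an Orion host loads a copy of the DLL that fails the checks.

    A valid vendor signature alone does not clear the module: in a supply-chain
    compromise the planted code is signed by the vendor's own build pipeline,
    so the hash baseline is the decisive test.
    """
    if _basename(event["Image"]) not in HOST_IMAGES:
        return None
    if _basename(event["ImageLoaded"]) != TARGET_MODULE:
        return None

    reasons = []
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    if event.get("SHA256", "").lower() not in KNOWN_GOOD_SHA256:
        reasons.append("hash not in baseline")
    if not reasons:
        return None
    return Finding(event["Computer"], event["Image"], event["ImageLoaded"], tuple(reasons))


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run the check over a stream of events and collect findings."""
    return [f for f in (check_image_load(e) for e in events) if f is not None]


# Constructed sample telemetry (not real data): one baseline load, one load of a
# validly signed but unknown build, one load of an unrelated module.
ORION_DIR = r"C:\Program Files (x86)\SolarWinds\Orion"  # assumed install path
SAMPLE_EVENTS = [
    {"Computer": "orion01", "Image": ORION_DIR + r"\SolarWinds.BusinessLayerHost.exe",
     "ImageLoaded": ORION_DIR + r"\SolarWinds.Orion.Core.BusinessLayer.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "SHA256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"Computer": "orion02", "Image": ORION_DIR + r"\SolarWinds.BusinessLayerHostx64.exe",
     "ImageLoaded": ORION_DIR + r"\SolarWinds.Orion.Core.BusinessLayer.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "SHA256": "1111111111111111111111111111111111111111111111111111111111111111"},
    {"Computer": "orion02", "Image": ORION_DIR + r"\SolarWinds.BusinessLayerHostx64.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "SHA256": "2222222222222222222222222222222222222222222222222222222222222222"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.computer}: {f.image} loaded {f.module_path}: {', '.join(f.reasons)}")
```

The second sample event is the case that matters for a compromised supply chain: the module carries a valid signature, so only the comparison against a baseline taken from verified vendor media surfaces it. The baseline set should be maintained per deployed Orion build and the signer check kept as a cheap first filter rather than the only one.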

This new campaign uses a “memory-only” dropper named TEARDROP to deploy a modified Cobalt Strike Beacon onto the victim for command and control (C2).

The exact details of when and how this malicious code was introduced into the supply chain are still under investigation. However, reports have surfaced of a poorly configured git repository that permitted access to the code base and update delivery mechanisms.
