UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management system.
A sophisticated threat actor dubbed UNC2452 compromised one of the modules in the SolarWinds Orion IT monitoring and management system. They planted a backdoor [Sunburst] in the dynamic-link library SolarWinds.Orion.Core.BusinessLayer.dll, which is loaded by the following .NET executables [depending on system configuration]:
This new campaign uses a “memory-only” dropper named TEARDROP to deploy a modified Cobalt Strike Beacon onto the victim for command and control (C2).
The exact details of when and how this malicious code was introduced into the supply chain are still under investigation. However, reports have surfaced of a poorly configured Git repository that permitted access to the code base and the update delivery mechanisms.
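Because the trojanized module sat in the legitimate install path and was loaded by legitimate .NET host processes, scoping starts with finding every host that loaded SolarWinds.Orion.Core.BusinessLayer.dll at all, not only loads that look odd. The script below is an added example, not code from the original article or from SolarWinds: it triages constructed Sysmon ImageLoad (Event ID 7) records for that DLL; the install root, the host executable name and the sample records are assumptions.

```python
"""Triage Sysmon ImageLoad (Event ID 7) records for loads of the
SolarWinds.Orion.Core.BusinessLayer.dll module discussed above."""
import re
from collections import defaultdict

TARGET_DLL = "solarwinds.orion.core.businesslayer.dll"
# Assumption: the Orion install root on the monitored hosts.
EXPECTED_ROOT = r"c:\program files (x86)\solarwinds\orion".lower()

# Constructed sample records (not real telemetry), one event per line,
# flattened into a "Field: value | Field: value" layout for this example.
SAMPLE_EVENTS = """\
Computer: ORION01 | Image: C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe | ImageLoaded: C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.Orion.Core.BusinessLayer.dll
Computer: ORION01 | Image: C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe | ImageLoaded: C:\\Windows\\System32\\ntdll.dll
Computer: WS042 | Image: C:\\Users\\Public\\stage\\host.exe | ImageLoaded: C:\\Users\\Public\\stage\\SolarWinds.Orion.Core.BusinessLayer.dll
"""

# Each field is "Name: value" and fields are separated by " | ".
FIELD_RE = re.compile(r"(\w+): ([^|]+?)(?: \| |$)")


def parse_event(line):
    """Split one flattened record into a {field: value} dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def triage(text):
    """Return {host: [(loading image, dll path, anomalous)]} for every load
    of the target DLL.  A load is marked anomalous when the DLL or the
    process loading it lives outside EXPECTED_ROOT.  Loads from the expected
    path are still reported, because the trojanized build shipped there:
    those hosts need their module version and hash checked against the
    vendor's published indicators."""
    findings = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        dll = ev.get("ImageLoaded", "")
        if not dll.lower().endswith(TARGET_DLL):
            continue
        image = ev.get("Image", "")
        anomalous = not (dll.lower().startswith(EXPECTED_ROOT)
                         and image.lower().startswith(EXPECTED_ROOT))
        findings[ev.get("Computer", "?")].append((image, dll, anomalous))
    return dict(findings)


if __name__ == "__main__":
    for host, loads in triage(SAMPLE_EVENTS).items():
        for image, dll, anomalous in loads:
            print(f"{host}: {image} loaded {dll} anomalous={anomalous}")
```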