cloud.google.com
SUNBURST Backdoor Exploits SolarWinds Supply Chain Vulnerability
The SUNBURST backdoor, discovered by FireEye, is delivered through trojanized updates to SolarWinds Orion software and affected numerous public and private organizations worldwide. The malicious component is a modified, digitally signed SolarWinds library, SolarWinds.Orion.Core.BusinessLayer.dll, which communicates with command-and-control (C2) servers over HTTP while mimicking legitimate SolarWinds network traffic; because the file carries a valid vendor signature, a signature check alone does not distinguish it from a clean build. The trojanized updates were distributed between March and May 2020, and after installation the backdoor remains dormant for up to two weeks before retrieving and executing commands. Victims span the government, consulting, technology, and telecom sectors across North America, Europe, Asia, and the Middle East. FireEye initially tracked the actor as UNC2452; the activity is now attributed to the state-sponsored group APT29, and the campaign was still active at the time of discovery. FireEye continues to monitor the situation and has notified affected entities.
Key Points:
• SUNBURST backdoor is delivered through trojanized SolarWinds Orion updates, affecting organizations worldwide.
• The malware remains dormant for up to two weeks before executing commands, and its C2 traffic blends in with legitimate SolarWinds traffic.
• The campaign is attributed to APT29, a sophisticated state-sponsored actor.
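One check a defender wants after reading a summary like this is an IOC sweep: find every copy of the named DLL on a host or mounted image, hash it, and compare the hash against the known-bad and known-good lists published by the vendor or the responder. The script below is an added example written for this page, not FireEye's or SolarWinds' own tooling; the hash sets it takes are supplied by the operator (the demo builds them from constructed placeholder files, not real Orion binaries), and the directory layout in the demo is invented. Because the trojanized DLL was validly signed, the sweep deliberately keys on file hashes rather than on signature validity.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File name from the page; matching is case-insensitive because Windows paths are.
TARGET_NAME = "SolarWinds.Orion.Core.BusinessLayer.dll"


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, target_name=TARGET_NAME, known_bad=frozenset(), known_good=frozenset()):
    """Walk `root`, hash every file named `target_name`, and classify each copy.

    Verdicts:
      MATCH_KNOWN_BAD  -> hash is in the operator-supplied known-bad set (IOC hit)
      known_good       -> hash is in the known-good set (vendor-published clean build)
      UNKNOWN_REVIEW   -> hash is in neither set; a human must review it, since an
                          unlisted build could be clean, stale, or a variant not yet published
    Backup copies and stray installer caches are swept too, which is why this walks
    the whole tree rather than checking one install path.
    """
    wanted = target_name.lower()
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != wanted:
                continue
            path = Path(dirpath) / name
            digest = sha256_of(path)
            if digest in known_bad:
                verdict = "MATCH_KNOWN_BAD"
            elif digest in known_good:
                verdict = "known_good"
            else:
                verdict = "UNKNOWN_REVIEW"
            results.append({"path": str(path), "sha256": digest, "verdict": verdict})
    return results


def demo():
    """Constructed sample tree: placeholder bytes stand in for clean and trojanized DLLs."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "Orion", TARGET_NAME)
        clean.parent.mkdir(parents=True)
        clean.write_bytes(b"placeholder bytes standing in for a clean build")

        # A forgotten backup copy of the trojanized build, lower-cased as Windows might store it.
        stale = Path(tmp, "Orion", "backup", TARGET_NAME.lower())
        stale.parent.mkdir(parents=True)
        stale.write_bytes(b"placeholder bytes standing in for a trojanized build")

        # An unrelated build whose hash is on neither list.
        other = Path(tmp, "Installers", "cache", TARGET_NAME)
        other.parent.mkdir(parents=True)
        other.write_bytes(b"placeholder bytes for an unlisted build")

        # In practice these sets come from vendor/responder publications, not from the host.
        known_good = {sha256_of(clean)}
        known_bad = {sha256_of(stale)}

        results = sweep(tmp, known_bad=known_bad, known_good=known_good)
        return sorted(r["verdict"] for r in results)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run it against a real host by calling `sweep(r"C:\Program Files (x86)\SolarWinds")` (or a mounted disk image) with the published hash sets; treat every `UNKNOWN_REVIEW` as a finding to triage rather than as clean, and pair the file sweep with network review, since the backdoor's C2 traffic is designed to look like ordinary Orion traffic.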