TRT Service Bulletin

Fidelis Threat Research Team (TRT) Service Bulletins are provided
on an ad-hoc basis to update customers on important changes.

December 15, 2020

EXECUTIVE SUMMARY – SunBurst / SolarWinds

On 13 December 2020, a software supply-chain compromise was reported to have impacted a widely deployed SolarWinds IT monitoring and infrastructure product, the Orion Platform. The compromise is reported to date back to March 2020, when legitimate Orion software updates were trojanized with malicious code (the SunBurst backdoor). Please see the Fidelis Threat Research Team Advisory for additional information.

Fidelis TRT has added intelligence to detect this activity in your environment. In addition, FireEye has publicly posted a set of SunBurst countermeasures consisting of YARA rules, Snort/Suricata rules, and OpenIOC indicators. The Fidelis Threat Research Team (TRT) is implementing various aspects of the FireEye countermeasures, as described below.

Those rules are available from FireEye's public posting (the sunburst_countermeasures GitHub repository).

Fidelis Network®
The Fidelis Threat Research Team has made the following countermeasures available to Fidelis Network customers based on the publicly posted rules:

  1. IOCs – Threat Intel Feed: (NO Customer Action Required)
    Indicators have already been added to the Fidelis Threat Intel feed; customers do not need to take any additional action to receive them. Further indicators will be added as additional information is obtained.
  2. DSI – Insight Rule: FSS_FireEye_Yara_SunburstCountermeasures (NO Customer Action Required)
    The rule FSS_FireEye_Yara_SunburstCountermeasures was released to customers on December 14th and is automatically included in the Insight Policy. On the Fidelis Insight Feed page, confirm that the package FSS_Anomalous File Activity is selected and assigned to your sensors.
  3. DPI – Suricata Rules: (NO Customer Action Required)
    TRT has imported the Snort-format rules provided by FireEye into Fidelis Network as of December 14th; no additional import by customers is required at this time. If any of these rules generate unwanted alerts, follow the steps in Appendix A to suppress them.
  4. Collector: (NO Customer Action Required)
    TRT has added the MD5 IOCs from multiple sources to the feeds consumed by Fidelis Collector. This provides customers with an automated retrospective search of past network metadata for these IOCs. Note that hash matching only identifies the specific files already published as indicators; a malicious file whose hash is not yet on the list will not be flagged by this search.
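To make the Collector item concrete, the following added example (illustration only, not Fidelis Collector code) performs the same kind of retrospective sweep by hand: a list of MD5 indicators is matched against previously recorded file-transfer metadata, and the earliest sighting per indicator is reported so the responder knows how far back exposure goes. The metadata column layout, the IOC hash values, and the file names are all constructed for the example and do not come from the bulletin or from FireEye's published indicators.

```python
"""Retrospective MD5 IOC sweep over file-transfer metadata.

Added illustration, not Fidelis Collector code. The metadata schema
(timestamp,src_ip,dst_ip,filename,md5) and every hash below are constructed.
"""
import csv
import io

# Constructed IOC feed: lowercase MD5 -> description.
IOC_MD5 = {
    "0123456789abcdef0123456789abcdef": "constructed: trojanized Orion DLL",
    "fedcba9876543210fedcba9876543210": "constructed: second-stage installer",
}

# Constructed metadata export; one row per observed file transfer.
# Row 1 carries the hash in upper case, row 4 a malformed hash field,
# to exercise normalisation and bad-input handling.
METADATA = """timestamp,src_ip,dst_ip,filename,md5
2020-03-26T14:02:11Z,10.1.1.5,203.0.113.10,OrionUpdate.dll,0123456789ABCDEF0123456789ABCDEF
2020-04-02T09:15:40Z,10.1.1.7,198.51.100.22,report.pdf,11111111111111111111111111111111
2020-05-19T22:41:03Z,10.1.2.9,203.0.113.10,update.msi,fedcba9876543210fedcba9876543210
2020-06-01T03:00:00Z,10.1.1.5,192.0.2.77,notes.txt,not-a-hash
"""


def normalize_md5(value):
    """Return the hash as 32 lowercase hex characters, or None if malformed."""
    v = value.strip().lower()
    if len(v) == 32 and all(c in "0123456789abcdef" for c in v):
        return v
    return None


def sweep(metadata_csv, iocs):
    """Return (timestamp, src_ip, dst_ip, filename, md5, description) for
    every metadata row whose MD5 appears in the IOC set."""
    hits = []
    for row in csv.DictReader(io.StringIO(metadata_csv)):
        h = normalize_md5(row["md5"])
        if h is None:
            continue  # skip malformed rows instead of aborting the sweep
        if h in iocs:
            hits.append((row["timestamp"], row["src_ip"], row["dst_ip"],
                         row["filename"], h, iocs[h]))
    return hits


def first_seen(hits):
    """Earliest timestamp per matched hash (ISO-8601 UTC strings sort
    lexicographically, so plain comparison is sufficient)."""
    earliest = {}
    for ts, _, _, _, h, _ in hits:
        if h not in earliest or ts < earliest[h]:
            earliest[h] = ts
    return earliest


if __name__ == "__main__":
    matches = sweep(METADATA, IOC_MD5)
    for hit in matches:
        print("\t".join(hit))
    for h, ts in first_seen(matches).items():
        print(f"first seen {h}: {ts}")
```

Because the IOC values are matched as exact hashes, the sweep finds only the specific files that have been published as indicators; it is a retro-hunt over what is already known, not a substitute for the YARA and Suricata content that detects behaviour and structure.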

Fidelis Endpoint®
The Fidelis Threat Research Team has made the following countermeasures available to Fidelis Endpoint customers based on the publicly posted rules:

  1. IOCs – Threat Intel Feed (NO Customer Action Required)
    Indicators have already been added to the Fidelis Threat Intel feed; customers do not need to take any additional action to receive them. Further indicators will be added as additional information is obtained.
  2. ThreatScan or YaraScan Script Package (Customer Action IS Required)
    Fidelis Endpoint can import YARA rules as a package for scanning. Using the Scanning Indicator Library, import the YARA file provided by FireEye and run the package; the task can be run on demand, scheduled once, or scheduled with recurrence. See Appendix B for instructions.