Skip to the main content.

2 min read

SUNBURST Back Door knocking on the World’s Front Door

Featured Image

FireEye has uncovered a malicious campaign that gains access to victims via trojanized updates to Orion, SolarWinds’ IT monitoring and management software.

While the fireworks are only visible to us now, the fuse for this malicious campaign was lit in March 2020. SUNBURST is the product of highly evolved cyber criminals that resulted with significant lateral movement and data theft.

Nationwide Damages

The malicious campaign that compromised just one piece of the SolarWinds IT toolkit potentially gained access to multiple entities nationwide including government agencies, telecommunications companies, top accounting firms and big players from the private sector. Unfortunately, this still only represents a small piece of the extraordinary array of possible SolarWinds’ customers.

SUNBURST Backdoor: ‘update is available, click here to download’

In the spring of 2020 IT staff got a pop up notification from a trusted popular software provider to install a new update and so with one click around 18,000 customers across various government and private organizations downloaded the update and with that the silent game began.

Little did they know that the new update came with a Trojan, secret malicious code, that stayed in their system silently for a couple of weeks, just observing while the victims carried on with their hardworking jobs oblivious to the threat. When the time was just right, SUNBURST sprang into action inside thousands of computer networks in government, technology and telecom organisations across North America, Europe, Asia and the Middle East opening the door for its creator to enter as well. According to BBC the damages are not yet known, but for months the professional cyber criminal team could spy and keep on stealing information of different organisations worldwide.


DFIR Guide

Download our DFIR Guide and learn more how you can elevate your incident response processes.



SUNBURST: It’s time to take an initiative

Attacks of this nature don’t just affect the infected organisations, they also deal a blow to the entire cyber-security space by undermining trust in our solutions and planting seeds of doubt in users’ minds.

At Binalyze, our core mission is to help our users and the DFIR community to respond faster. As part of this mission we have decided to give support to SUNBURST damaged entities and we hope that this initiative will be supported by other cyber security vendors and professionals.

Today we are releasing a version of Binalyze AIR with the codename SUNBURST that will enable anyone to identify their exposure to the attack and pinpoint their network vulnerability in under an hour.

This version is available FREE OF CHARGE for 15-days and 25,000 endpoints to help all organizations potentially affected by SUNBURST.

Heads up for the DFIR community

To investigate this SUNBURST breach it will take a lot of time, research and financial resources, just when we were getting ready for the Christmas and New Year holidays. Now instead of planning a cosy vacation you have to respond to the biggest breach of the year and plan your DFIR strategies and methods, working hours of overtime trying to manage breach damages.

Binalyze is the fastest evidence collection, triage, and IR investigation platform that now also contains the YARA Rules for SUNBURST thanks to our colleagues at FireEye. We are here to give support to any DFIR community member requesting it that has clients damaged by the hack to help speed up the investigation process and ease your workload.

Over the next few days, we will post videos and blogs sharing DFIR methods and tactics that we believe will be useful to the DFIR community. If you have or had a trojanized version of SolarWinds Orion on your infrastructure, Stroz Friedberg have released this excellent document with advice for a risk-based approach to the situation. Click here for more details.

We are all striving for a safer cyber world and taking our part in this global effort.

Stay safe.

Enhancing India's DFIR Capabilities: Binalyze and Cyphy Tech Security Announce New Partnership

Enhancing India's DFIR Capabilities: Binalyze and Cyphy Tech Security Announce New Partnership

Wednesday, 29 November – Binalyze, a trailblazer in Digital Forensics and Incident Response (DFIR) solutions, is excited to announce a new strategic...

Read More
Experience the power of Binalyze AIR, live at Black Hat Europe

Experience the power of Binalyze AIR, live at Black Hat Europe

It’s almost time for Black Hat Europe in London. For me and my colleagues at Binalyze, this isn’t just any other event. We’ve been working together...

Read More
Four Must-Haves for Efficient Incident Response Analysis & Investigation

Four Must-Haves for Efficient Incident Response Analysis & Investigation

Harnessing the power of insights with Binalyze AIR 4.0

Read More