The SolarWinds Hack: Understanding SolarStorm’s SUNBURST Backdoor

By Jayesh Gangadas Patel
Senior Threat Analyst, Versa Networks
December 21, 2020

FireEye recently provided information about the widespread attack campaign against components of the SolarWinds Orion platform. The SolarWinds Orion platform has a huge customer base of 300,000 clients, and SolarWinds issued this advisory on Sunday, December 20th.

In this blog post, we will focus on answering specific questions that organizations may have regarding the SolarWinds attack. 

Some notable points to consider: 

  • The supply chain was the specific target, through the compromise of the SolarWinds Orion platform
  • As per the recently filed SEC report: of the 300,000 customer base, fewer than 18,000 customers were known to have the trojanized version of the Orion software running
  • In this highly sophisticated attack, the SolarStorm threat actors created a legitimate, digitally signed backdoor, SUNBURST, as a trojanized version of the SolarWinds Orion plug-in
  • The threat has been observed delivering multiple payloads, focused mainly on memory-only droppers such as the FireEye-dubbed Teardrop and Cobalt Strike Beacon
  • Command and Control (C&C) traffic masquerades as traffic coming from a legitimate Orion improvement program

Am I at risk even if I don’t use the SolarWinds Orion platform?

As of now, the only SolarWinds component known to be compromised is the Orion platform. If your organization does not use the Orion platform, it is not at risk. In addition, only customers running the updated Orion platform between March and June 2020 are likely to be compromised. The affected versions are 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. For more information about the affected products, please follow the link to the SolarWinds Security Advisory.

How do I detect if my organization has a possible backdoor? 

At the time of writing, and based on the signatures and various indicators released thus far, all Versa Networks customers are protected by the specific detectors released for the SolarWinds Orion platform trojan activity. The list below shows the signatures released to detect this activity, available based on IPS subscription:

  • 1000015902_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015903_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015905_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015906_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015907_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015908_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015909_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015910_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015911_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015912_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015913_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015914_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015915_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015916_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015917_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015918_Backdoor_SUNBURST_Communication_Attempt.rules
  • 1000015919_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015920_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015921_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015922_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015923_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015924_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015925_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015926_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015927_Backdoor_BEACON_Communication_Attempt.rules
  • 1000015928_Backdoor_BEACON_Communication_Attempt.rules

Protective measures will be updated continuously as new details related to this threat activity emerge. Apart from the countermeasures recommended by the Versa Security Team, there are additional steps customers need to take if using any of the above-mentioned SolarWinds Orion platforms:

  1. Identify all of the SolarWinds systems inside the organization and work towards an update to the Orion Platform version 2020.2.1 HF2, now available for all customers.
  2. Evaluate guidelines related to the update of SolarWinds systems as per the resources listed below:
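
For step 1, an inventory export can be triaged against the affected versions and the update target named in this post. The script below is an added example, not code from Versa or SolarWinds; the CSV layout, hostnames and version-string spellings are assumptions, and any version the post does not name is marked for review rather than judged.

```python
import csv
import re

# Versions named in the post; hotfix None means "no hotfix installed".
AFFECTED = {("2019.4", 5), ("2020.2", None), ("2020.2", 1)}
FIXED = ("2020.2.1", 2)
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)+)\s*(?:(?:HF|hotfix)\s*(\d+))?\s*$", re.I)


def parse_version(text):
    """Return (release, hotfix or None), or None if the string is unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)) if m.group(2) else None


def classify(text):
    """Map a reported version string to affected / fixed / review / unparsed."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"  # never treat an unreadable version as safe
    if parsed in AFFECTED:
        return "affected"
    if parsed == FIXED:
        return "fixed"
    return "review"  # not named in the post: check the vendor advisory


def triage(inventory_csv):
    """Read host,version rows (assumed layout) and return {status: [hosts]}."""
    result = {}
    for row in csv.DictReader(inventory_csv.splitlines()):
        result.setdefault(classify(row["version"]), []).append(row["host"].strip())
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory; hostnames and export format are made up.
SAMPLE = """host,version
orion-nyc-01,2019.4 HF 5
orion-lon-02,2020.2
orion-sgp-03,2020.2 HF1
orion-fra-04,2020.2.1 HF2
orion-syd-05,2019.4 HF 4
orion-lab-06,unknown
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts in the `unparsed` and `review` buckets still need a manual check against the SolarWinds Security Advisory.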

Resources

CISA Announcement for SolarWinds

SolarWinds Security Advisory

Secure Orion Platform