====== What is it about? ======

The SolarWinds® Orion Platform is a powerful, scalable infrastructure monitoring and management platform. Recently, it was reported that the SolarWinds Orion product was compromised: backdoored software was distributed to customers through its own software update system.

**SolarWinds.Orion.Core.BusinessLayer.dll** is a SolarWinds digitally-signed component of the Orion software framework that contains the backdoor. The backdoor communicates over HTTP with third-party servers, and it stays dormant for 1-2 weeks before it does so.

The domain **avsvmcloud[.]com** was the command and control (C&C) server for the backdoor, which was delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.

Here is the workflow of the malware, as published by FireEye:

{{:wiki:fireeye_sunburst_malware_workflow.jpg?600 |}}

===== Here are some external links to get started =====

  * [[https://www.fireeye.com/blog/threat-research.html|FireEye threat research about Sunburst]]
  * [[https://www.fireeye.com/current-threats/sunburst-malware.html|Sunburst malware]]
  * [[https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/|Microsoft security]]
  * [[https://en.wikipedia.org/wiki/Domain_generation_algorithm|Domain generation algorithm]]
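A defender-side check that follows from the C&C domain named above: scan DNS query logs for lookups of avsvmcloud[.]com or any subdomain of it (the backdoor builds its subdomains with a generation algorithm, hence the DGA link). This is an added example, not code from the page, FireEye or Microsoft; the log line format and the sample lines (including the subdomain label) are constructed.

```python
import re
from typing import Dict, List

# The C&C domain from the page, written defanged the way reports publish it.
C2_DOMAIN_DEFANGED = "avsvmcloud[.]com"


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into a real name."""
    return domain.replace("[.]", ".").lower()


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)

# Constructed sample log: "<timestamp> <client-ip> <queried-name> <qtype>" per line.
# The subdomain label is made up; real SUNBURST labels were generated per victim.
SAMPLE_DNS_LOG = """\
2020-12-14T09:01:12Z 10.0.1.15 www.solarwinds.com A
2020-12-14T09:02:45Z 10.0.1.22 k3q8zx1v0a9b.avsvmcloud.com A
2020-12-14T09:03:07Z 10.0.1.22 updates.microsoft.com A
2020-12-14T09:04:30Z 10.0.1.31 notavsvmcloud.com A
2020-12-14T09:05:02Z 10.0.1.22 AVSVMCLOUD.COM. A
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def is_c2_lookup(qname: str, c2_domain: str = C2_DOMAIN) -> bool:
    """True if qname is the C&C domain or a subdomain of it.

    Normalises case and a trailing dot, and matches on label boundaries so
    that a look-alike such as 'notavsvmcloud.com' is not a false positive.
    """
    name = qname.rstrip(".").lower()
    return name == c2_domain or name.endswith("." + c2_domain)


def find_c2_lookups(log_text: str, c2_domain: str = C2_DOMAIN) -> List[Dict[str, str]]:
    """Return the parsed log records whose queried name points at the C&C domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash on them
        rec = m.groupdict()
        if is_c2_lookup(rec["qname"], c2_domain):
            hits.append(rec)
    return hits


def clients_to_triage(log_text: str) -> List[str]:
    """Distinct client IPs that resolved the C&C domain: the hosts to investigate first."""
    return sorted({h["client"] for h in find_c2_lookups(log_text)})
```

A single hit is worth investigating even if the host looks idle, since the page notes the backdoor waits 1-2 weeks before reaching out.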