====== What is it about? ======


The SolarWinds® Orion Platform is a powerful, scalable infrastructure monitoring and management platform.
Recently, it was reported that SolarWinds product Orion was compromised by distributing backdoor software on their software update system.

**SolarWinds.Orion.Core.BusinessLayer.dll** is a SolarWinds digitally-signed component of the Orion software framework that contains the backdoor that communicates via HTTP to third party servers also the exploit will be dormant for 1-2 weeks.

The domain **avsvmcloud[.]com** was the command and control (C&C) server for the backdoor delivered to around 18,000 SolarWinds customers through tainted updates for the SolarWinds Orion app.


Here is the workflow of the malware released by FireEye

{{:wiki:fireeye_sunburst_malware_workflow.jpg?600 |}}



===== Here are some external links to get started =====

[[https://www.fireeye.com/blog/threat-research.html|FireEye threat research about Sunburst]]

[[https://www.fireeye.com/current-threats/sunburst-malware.html|Sunbust malware]]

[[https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/|Microsoft security]]

[[https://en.wikipedia.org/wiki/Domain_generation_algorithm|Domain generation algorithm]]