On Sunday, December 13 2020, FireEye released information related to a highly evasive attack in the SolarWinds Supply Chain. SolarWinds was the victim of a cyberattack, where malware (SUNBURST) was inserted to the SolarWinds Orion Platform.
Cato Networks recommends the following guidelines to our customers:
- As of December 21, the Cato Cloud and Cato Corporate aren't affected by the SUNBURST malware. We are keeping a close watch on this incident both through public and private channels.
- For Cato customers who have the SolarWinds Orion platform installed, we highly recommend following the SolarWinds Security Advisory. SolarWinds removed the malicious software build from their download site and recommends upgrading to Orion Platform version 2020.2.1 HF 2.
It is also recommended to change all credentials relevant to identities that access the Orion platform or that were used by it.
- Cato customers that use Cato Anti-Malware and Next-Generation Anti-Malware are protected against SUNBURST payload downloads.
- Cato IPS is updated with the latest Indicators of Compromised (IoC) to block SUNBURST C&C communication.
- Cato MDR (Managed Detection and Response) uses Threat Hunting Capabilities to identify unknown threats such as SUNBURST . SUNBURST is a backdoor requiring remote operation and Cato MDR service monitors our customers for lateral movement activities within their networks.
- Cato Security group monitors Cato customers’ networks for any network IoC related to SUNBURST malware and notifies relevant customers with any access to the associated IoCs.
For more details about the SUNBURST malware and the Cato Cloud, read this Cato blog post.