How to troubleshoot SolarWinds supply chain APT attacks with one click

SolarWindsThe supply chain APT attack incident was revealed

Recently, the SolarWinds supply chain APT attack incident has attracted the attention of the industry. SolarWinds officially announced that there is malicious code with highly complex backdoor behavior in the affected versions of SolarWinds Orion Platform from 2019.4 HF5 to 2020.2.1 and its related patch packages.

It is reported that the backdoor contains the ability to transfer files, execute files, analyze the system, restart the machine, and disable system services, which puts users who have installed contaminated packages at risk of data leakage.

Because the module has a SolarWinds digital signature certificate, it has a whitelist effect on anti-virus software. It is highly concealed, difficult to detect, and has great harm.

One-click access, emergency troubleshooting

Countermeasures:Monitor the export traffic to see if there is a request packet for the avsvmcloud.com domain name. If so, Investigate the host.

Anheng Cloud DNS Threat Response Cloud Gateway can help users discover SolarWinds vulnerabilities in a timely manner through network behavior detection. The network behavior characteristic of this vulnerability is that the infected host queries the avsvmcloud.com domain name. As long as the DNS query traffic of all the enterprise's devices is monitored, and the avsvmcloud.com domain name related to the solarwinds vulnerability is detected and traced to the source, it can be used as quickly as possible with the lowest cost. Detect and locate the infected host at the cost, and conduct an investigation on the host.

Scan

Scan the QR code or open:

http://dns.anhengcloud.com (click to read the original text)

二天

Add the current network environment exit IP (public network IP), and set the stand-alone DNS configuration or DNS server next hop Point to the DNS node 121.36.198.132 or 119.3.159.107 of the DNS Threat Response Cloud Gateway. After the addition is completed, the current network can be protected and monitored.

After adding the exit IP, there is a default policy that takes effect globally. Users can add custom policies, select the type of malicious domain name to be detected and the protection intensity, and can also customize it. Domain name black and white list.

Three checks

The protection result statistics module can view alarm status from the IP, event and domain name dimensions, and can also view log queries under specified conditions.

The above is the detailed content of How to troubleshoot SolarWinds supply chain APT attacks with one click. For more information, please follow other related articles on the PHP Chinese website!