2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to onboard with one click and investigate the SolarWinds supply chain APT attack. The content is concise and easy to follow; I hope you get something out of the detailed introduction.
The SolarWinds supply chain APT attack has been exposed
Recently, the APT attack on the SolarWinds supply chain has drawn industry-wide attention. SolarWinds officially announced that malicious code with highly sophisticated backdoor behavior exists in affected versions of the SolarWinds Orion Platform, from 2019.4 HF5 through 2020.2.1, and in the related hotfix packages.
The backdoor is reported to be able to transfer files, execute files, profile the system, reboot the machine and disable system services, putting users who installed a contaminated package at risk of data leakage.
Because the malicious module carries a valid SolarWinds digital signature, antivirus software effectively whitelists it; it is therefore highly covert, hard to detect and very damaging.
One-click onboarding, emergency investigation
Response strategy: monitor egress traffic for request packets to the avsvmcloud.com domain name; if any are found, investigate the host that sent them.
Anheng Cloud DNS Threat Response Cloud Gateway can help users discover SolarWinds compromises in time through network behavior detection. The network behavior characteristic of this vulnerability is that a compromised host queries the avsvmcloud.com domain name. By monitoring the DNS query traffic of every device in the enterprise, detecting queries for the avsvmcloud.com domain name associated with the SolarWinds vulnerability and tracing them back to their source, compromised hosts can be found and located at the fastest speed and lowest cost, and then investigated.
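The detection logic described above, as an added example rather than code from the article or from Anheng Cloud: it scans a constructed, BIND-style resolver query log, flags any client that queried avsvmcloud.com or one of its subdomains, and takes care not to match look-alike names such as notavsvmcloud.com. The log format, client IPs and subdomain label are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Indicator named in the article: the domain the backdoor queries. Matched as a
# label-aligned suffix so per-host subdomains are caught along with the apex.
C2_DOMAIN = "avsvmcloud.com"

# Constructed sample of a resolver query log (assumed BIND-style format:
# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>").
SAMPLE_LOG = """\
17-Dec-2020 09:12:01.001 client 10.1.2.15#51234: query: update.example.com IN A
17-Dec-2020 09:12:07.442 client 10.1.2.15#51240: query: constructed-label.avsvmcloud.com IN A
17-Dec-2020 09:13:11.120 client 10.1.5.7#40001: query: notavsvmcloud.com IN A
17-Dec-2020 09:14:02.730 client 10.1.9.3#55555: query: AVSVMCLOUD.COM. IN A
17-Dec-2020 09:15:40.002 client 10.1.2.15#51301: query: constructed-label.avsvmcloud.com IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def is_c2_query(qname: str) -> bool:
    """True for the apex domain or any subdomain of it; 'notavsvmcloud.com' must not match."""
    name = normalize(qname)
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def find_suspect_hosts(log_text: str) -> dict[str, list[str]]:
    """Map each client IP that queried the C2 domain to the distinct names it asked for."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_query(m.group("qname")):
            hits[m.group("ip")].add(normalize(m.group("qname")))
    return {ip: sorted(names) for ip, names in sorted(hits.items())}


if __name__ == "__main__":
    for ip, names in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{ip}: investigate this host; it queried {', '.join(names)}")
```

On the sample log this reports 10.1.2.15 and 10.1.9.3 as hosts to investigate and ignores the look-alike query from 10.1.5.7.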
Step 1: Scan
Scan the QR code or open: http://dns.anhengcloud.com (click to read the original text)
Step 2: Add
Add the egress IP (public IP) of your current network, then point each standalone host's DNS configuration, or the upstream (next-hop) forwarder of your DNS server, at one of the DNS Threat Response Cloud Gateway nodes: 121.36.198.132 or 119.3.159.107. Once added, the current network is protected and monitored.
After an egress IP is added, a default policy takes effect globally. Users can add custom policies to choose which categories of malicious domain names to detect and how aggressively to block them, and can maintain their own domain blacklist and whitelist.
Step 3: Check
The defense statistics module shows alerts broken down by IP, event and domain name, and also supports log queries with user-specified filters.
The above is how to onboard with one click and investigate the SolarWinds supply chain APT attack. Did you pick up any new knowledge or skills? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.