{"id":115339,"date":"2020-12-17T15:27:06","date_gmt":"2020-12-17T23:27:06","guid":{"rendered":"\/blogs\/?p=115339"},"modified":"2024-06-24T23:39:33","modified_gmt":"2024-06-25T06:39:33","slug":"additional-analysis-into-the-sunburst-backdoor","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/additional-analysis-into-the-sunburst-backdoor\/","title":{"rendered":"Additional Analysis into the SUNBURST Backdoor"},"content":{"rendered":"<h2>Executive Summary<\/h2>\n<p>There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis of the broader campaign has resulted in detection against specific IoCs associated with the Sunburst trojan, the focus within the Advanced Threat Research (ATR) team has been to determine the possibility of additional persistence measures. Our analysis of the backdoor reveals that the level of access it affords lends itself to the assumption that additional persistence mechanisms could have been established, and it allows some inferences regarding the adversaries\u2019 intent:<\/p>\n<ul>\n<li>An interesting observation was the check for the presence of SolarWinds\u2019 Improvement Client executable and its version \u201c3.0.0.382\u201d. The ImprovementClient is a program that can collect considerable information, such as the count of Orion user accounts by authentication method and data about the devices and applications being monitored.<\/li>\n<li>Examination of the HTTP routine revealed a search for certain keywords in the HTTP traffic, which might indicate the adversary was looking into details of, or access to, the cloud and\/or wireless networks of their victims.<\/li>\n<li>Even if a victim is using a proxy server with a username and password, the backdoor is capable of retrieving that information and using it to build the connection to the C2.<\/li>\n<\/ul>\n<h2>Available Resources<\/h2>\n<p>Although this analysis focuses on the premise that the backdoor makes establishing additional persistence methods feasible, we recognize the importance of providing assurance regarding coverage against available indicators. To that end, the following resources are available:<\/p>\n<ul>\n<li>KB93861: McAfee coverage for SolarWinds Sunburst Backdoor:<br \/>\n<a href=\"https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=KB93861\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/kc.mcafee.com\/corporate\/index?page=content&amp;id=KB93861<\/a><\/li>\n<li>SUNBURST Malware and SolarWinds Supply Chain Compromise: detailing the protection summary, and also how to use MVISION EDR or MAR to search for SUNBURST: <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sunburst-malware-and-solarwinds-supply-chain-compromise\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sunburst-malware-and-solarwinds-supply-chain-compromise\/<\/a><\/li>\n<li>MVISION Insights Campaign: SolarWinds Supply Chain Attack Affecting Multiple Global Victims With SUNBURST Backdoor. 
This resource provides up-to-date tracking of the prevalence of available indicators based on the geography and sector of potential targets: <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/lp\/insights-preview.html#\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.mcafee.com\/enterprise\/en-us\/lp\/insights-preview.html#<\/a><\/li>\n<\/ul>\n<p>Additional resources will be published as further analysis, both by McAfee researchers and by the wider community, becomes available.<\/p>\n<h2>Backdoor Analysis<\/h2>\n<p>Excellent analysis of the SUNBURST trojan already exists from many of our industry peers; the intention here is not to duplicate those findings but to provide analysis we have not seen covered previously. The purpose is to enable potential victims to better understand the capabilities of the campaign and to consider the possibility that additional persistence mechanisms are present.<\/p>\n<p>For the purposes of this analysis our focus centered upon the file \u201cSolarWinds.Orion.Core.BusinessLayer.dll\u201d. This particular file, as the name suggests, is associated with the SolarWinds Orion software suite and was modified by adding a class containing the backdoor \u201cSunBurst\u201d.<\/p>\n<p>A deeper dive into the backdoor reveals that the initial call is to the added class \u201cOrionImprovementBusinessLayer\u201d, which has the following functions:<\/p>\n<p>The class starts with a check to see if the module is running and, if not, it will start the service and thereafter initiate a period of dormancy.<\/p>\n<p>As detailed by FireEye, this period of sleep can range from minutes up to two weeks. The actual period of dormancy depends on the checks the code must pass, such as the hash of the Orion process, the write times of files, whether certain processes are running, and so on. A sleep period of this length is unusual and speaks to a very patient adversary.<\/p>\n<p>The most important strings inside the backdoor are compressed with the DeflateStream class of the .NET Compression library and then Base64-encoded. By examining the block-list, we discover findings that warrant further inspection. The first entries are the local IP address ranges and netmasks:<\/p>\n<ul>\n<li>10.0.0.0 255.0.0.0<\/li>\n<li>172.16.0.0 255.240.0.0<\/li>\n<li>192.168.0.0 255.255.0.0<\/li>\n<\/ul>\n<p>These are followed by the IPv6 local address equivalents:<br \/>\nfc00::,fe00::, fec0::,ffc0::,ff00::,ff00::<\/p>\n<p>Next, there is a list of IP addresses and their associated subnet masks. We executed a whois lookup on those IP addresses to get an idea of to whom they might belong. There is no indication as to why these IPs have been inserted into the blocklist, although the netmasks used in certain entries are \u2018quite\u2019 specific; we therefore have to assume the attackers deliberately wanted to avoid certain targets.<\/p>\n<p>Assuming that the victim is not within the block list, the sample will then proceed to create the named pipe 583da945-62af-10e8-4902-a8f205c72b2e. This is done to ensure that only one instance of the backdoor is running. We were able to verify this through replication carried out within our own environment.<\/p>\n<p>When we ran the backdoor, we were able to confirm that this value is hardcoded, and that once the dormancy period has passed the service is started and the named pipe is created. At this point, the backdoor will also create a unique MD5 UserID value for the system it is installed on, as depicted in figure 5.<\/p>\n<p>This particular routine will initially read the device info of the system but ignore the loopback interfaces (the part of the ReadDeviceInfo routine that contains \u201cSelect * From Win32_NetworkAdapterConfiguration where IPEnabled=true\u201d). 
The device info is then combined with the domain name, followed by a value from the registry key (HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography). An MD5 hash of the resulting string is then computed.<\/p>\n<p>The module will then start the \u2018update\u2019 routine. This routine is a continuous loop that checks, for example, for unwanted services that could potentially detect the backdoor, as depicted in figure 6.<\/p>\n<h2>Information Gathering<\/h2>\n<p>The backdoor gathers information from the system. A routine called \u201cCollectSystemDescription\u201d gathers, among other things:<\/p>\n<ul>\n<li>OS version, major\/minor, and whether it is 32- or 64-bit<\/li>\n<li>Network configuration: information on IP, NetBIOS, IPv6, etc.<\/li>\n<li>Hostname, SID, username and system directory. In particular, the SID of the Administrator account is searched for.<\/li>\n<\/ul>\n<p>Other subroutines collect additional data; for example, to enumerate information from the network adapters the backdoor uses the GetNetworkAdapterConfiguration routine, which gathers the following information:<\/p>\n<p>In order to check whether certain \u2018unwanted\u2019 services are running, the backdoor enumerates the services, creates a hash list and compares it with a hard-coded set of hash values. The \u2018update\u2019 routine will exit once a \u2018block-listed\u2019 process is discovered. The backdoor will then attempt to stop these services by setting a registry value for each service that disables it. 
The update routine will check again and continue this process until all unwanted processes are disabled.<br \/>\nAnother capability of the backdoor is to start\/stop tasks:<\/p>\n<p>Other functionalities we observed in the code are:<\/p>\n<ul>\n<li>SetTime<\/li>\n<li>CollectSystemDescription<\/li>\n<li>UploadSystemDescription<\/li>\n<li>GetProcessByDescription<\/li>\n<li>GetFileSystemEntries<\/li>\n<li>WriteFile<\/li>\n<li>FileExists<\/li>\n<li>DeleteFile<\/li>\n<li>GetFileHash<\/li>\n<li>ReadRegistryValue<\/li>\n<li>SetRegistryValue<\/li>\n<li>DeleteRegistryValue<\/li>\n<li>GetRegistrySubKeyAndValueNames<\/li>\n<li>Reboot<\/li>\n<\/ul>\n<p>An interesting observation was the check for the presence of SolarWinds\u2019 Improvement Client executable and its version \u201c3.0.0.382\u201d.<\/p>\n<p>The ImprovementClient is a program that can collect the following information (source: <a href=\"https:\/\/support.solarwinds.com\/SuccessCenter\/s\/article\/Orion-Improvement-Program?language=en_US\" target=\"_blank\" rel=\"noopener noreferrer\">SolarWinds<\/a>):<\/p>\n<ul>\n<li>The SWID (SolarWinds ID) associated with any SolarWinds commercial licenses installed<\/li>\n<li>The email address provided to the installer during installation<\/li>\n<li>Unique identifier of the downloaded installer<\/li>\n<li>Versions of all Orion products installed<\/li>\n<li>Operating system version<\/li>\n<li>CPU description and count<\/li>\n<li>Physical memory installed and percent used<\/li>\n<li>Time zone<\/li>\n<li>Dates when you logged in to the Orion website<\/li>\n<li>Licensing information of other SolarWinds Orion products locally installed<\/li>\n<li>Row counts for database tables<\/li>\n<li>Count of monitored nodes by polling protocol<\/li>\n<li>Count of Orion user accounts by authentication method<\/li>\n<li>Network discovery scheduling information (not results)<\/li>\n<li>Data about devices and applications monitored:\n<ul>\n<li>Vendor<\/li>\n<li>Model<\/li>\n<li>OS\/Firmware version<\/li>\n<li>Count<\/li>\n<li>Abstract configuration information, such as number of websites hosted<\/li>\n<\/ul>\n<\/li>\n<li>Data about the SolarWinds product:\n<ul>\n<li>Feature usage statistics<\/li>\n<li>Performance statistics<\/li>\n<li>Hardware and OS platform description<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Another observation in the HTTP routine was the search for certain keywords in the HTTP traffic, which might indicate the adversary was looking into details of, or access to, the cloud and\/or wireless networks of their victims via the SolarWinds modules installed to monitor and administer these kinds of instances. Managing the network with SolarWinds Orion is done through a browser connecting to the web server hosted on localhost. Reading out the certificate values and searching for these keywords in the HTTP traffic would have yielded this information.<\/p>\n<h2>Network \/ DGA<\/h2>\n<p>After all checks and routines have passed, the backdoor will use a domain generation algorithm (hereafter DGA) to generate a domain. An example of part of the DGA code:<\/p>\n<p>When the domain is successfully reached, the routine called \u2018Update\u2019 contains a part that acts on this and starts a new thread that fires off the routine \u201cHttpHelper.Initialize\u201d. In the screenshot below we can observe that flow:<\/p>\n<p>The code shows that when the DNS record equals the domain and can be reached, the new thread will start in the background.<\/p>\n<p>The \u2018HttpHelper\u2019 class\/routine is responsible for all the C2 communications:<\/p>\n<p>Even if a victim is using a proxy server with a username and password, the backdoor is capable of retrieving that information and using it to build the connection to the C2. 
It then uses a routine called \u201cIWebProxy GetWebProxy\u201d for that:<\/p>\n<p>The DGA-generated C2s are subdomains of avsvmcloud[.]com.<br \/>\nAn example of how these domains look:<\/p>\n<ul>\n<li>02m6hcopd17p6h450gt3.appsync-api.us-west-2.avsvmcloud.com<\/li>\n<li>039n5tnndkhrfn5cun0y0sz02hij0b12.appsync-api.us-west-2.avsvmcloud.com<\/li>\n<li>043o9vacvthf0v95t81l.appsync-api.us-east-2.avsvmcloud.com<\/li>\n<li>04jrge684mgk4eq8m8adfg7.appsync-api.us-east-2.avsvmcloud.com<\/li>\n<li>04r0rndp6aom5fq5g6p1.appsync-api.us-west-2.avsvmcloud.com<\/li>\n<li>04spiistorug1jq5o6o0.appsync-api.us-west-2.avsvmcloud.com<\/li>\n<\/ul>\n<p>Inspecting the CNAMEs of the DGA-generated C2s, we observed a number of further domain names pointed to by those records.<\/p>\n<p>In the aforementioned HTTP handler code, we discovered paths that might be installed on the C2s for different functions:<\/p>\n<ul>\n<li>swip\/upd\/<\/li>\n<li>swip\/Events<\/li>\n<li>swip\/Upload.ashx<\/li>\n<\/ul>\n<p>Once the backdoor is connected, depending on the adversaries\u2019 objectives, multiple actions can be executed, including the use of multiple payloads that can be injected into memory. At the time of writing, the \u2018killswitch\u2019 against the above domain will prevent this particular backdoor from being operational; however, for the purpose of this analysis it demonstrates the level of access afforded to attackers. 
While the efforts to sinkhole the domain are to be applauded, organisations that have been able to identify indicators of SUNBURST within their environment are strongly encouraged to carry out additional measures to provide themselves assurances that further persistence mechanisms have not been deployed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the&#8230;<\/p>\n","protected":false},"author":653,"featured_media":95572,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[3576,961,1359],"class_list":["post-115339","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head_json":{"title":"Additional Analysis into the SUNBURST Backdoor | McAfee Blog","description":"Executive Summary There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the broader","og_locale":"en_US","og_type":"article","og_title":"Additional Analysis into the SUNBURST Backdoor | McAfee Blog","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/additional-analysis-into-the-sunburst-backdoor\/","og_site_name":"McAfee Blog","article_published_time":"2020-12-17T23:27:06+00:00","article_modified_time":"2024-06-25T06:39:33+00:00","author":"Christiaan Beek, Cedric Cochin, Raj Samani","twitter_creator":"@ChristiaanBeek","twitter_site":"@McAfee","twitter_misc":{"Written by":"Christiaan Beek, Cedric Cochin, Raj Samani","Est. reading time":"9 minutes"}}}